UAE Mainland Jurisdiction: Physical Location/Residency of Data Subject in Jurisdiction

The factor of Physical Location/Residency of the Data Subject is explicitly used in the UAE's Federal Personal Data Protection Law (PDPL) to determine the law's applicability. The law applies to the processing of personal data of individuals who are physically present in the UAE, even if the data controller or processor is located outside the country.

Text of Relevant Provisions

Federal PDPL Art.2(1)(c):

"1. The provisions of this Decree Law shall apply to the Processing of Personal Data, whether totally or partially, through automatically operated electronic systems or other means, by:c. any Controller or Processor located outside the State who carries out the activities of Processing Personal Data of Data Subjects inside the State."

Original (Arabic):

"1. تسري أحكام هذا المرسوم بقانون على معالجة البيانات الشخصية سواء كلها أو جزء منها عن طريق وسائل الأنظمة الإلكترونية التي تعمل بشكل تلقائي وآلي، أو غيرها من الوسائل الأخرى، وذلك من قبل:ج. كل متحكم أو معالج متواجد خارج الدولة يقوم مبزاولة أنشطة معالجة البيانات الشخصية ألصحاب البيانات يف الدولة"

Analysis of Provisions

• Article 2(1)(c) of the UAE Federal PDPL extends the law's applicability to include any data processing activities conducted by controllers or processors located outside the UAE, provided that the processing concerns the personal data of individuals who are within the UAE. This provision is crucial in ensuring that the privacy rights of individuals physically present in the UAE are protected, regardless of where the entity processing their data is located.
• The law's scope, therefore, is not limited to data controllers or processors operating within the UAE but also encompasses foreign entities that engage in processing activities related to data subjects in the UAE. This extraterritorial application of the PDPL is designed to prevent foreign companies from circumventing UAE data protection laws simply by operating outside the country's borders.
• The inclusion of this factor reflects a broader trend in global data protection legislation, similar to the GDPR, where the focus is on the location of the data subject rather than the location of the data controller or processor. This approach ensures comprehensive protection for individuals within the jurisdiction, regardless of where the data processing activities physically occur.

Implications

• For businesses, particularly those operating internationally, this means that they must comply with UAE data protection laws if they process the personal data of individuals who are physically present in the UAE, even if the company itself is based outside the country. This includes entities offering goods or services to UAE residents or monitoring their behavior online.
• An example of this would be a foreign e-commerce platform that sells products to consumers in the UAE. Even though the platform operates outside the UAE, it must adhere to the PDPL when processing the personal data of its UAE customers.
• Companies involved in activities such as online advertising, behavioral tracking, or profiling that target individuals in the UAE must also ensure compliance with the PDPL. Failure to do so could result in legal actions or penalties under UAE law, even if the company has no physical presence in the UAE.