Data Protection Report - Norton Rose Fulbright

Dubai has issued a new law regulating the dissemination and exchange of data in the Emirate. This is one of the first open data initiatives in the Middle East and is being promoted by the Prime Minister’s office as a significant step forward in Dubai’s cyber legislation and smart city ambitions.

What is the law and when did it come into force?

Dubai Law No.26 of 2015 (the Open Data Law) was formally published in the Official Gazette of the Government of Dubai on 27 December 2015 after being announced earlier in the year. It came into force on the date of publication.

What does it cover?

The Open Data Law regulates the use and sharing of “Dubai Data”, which is defined as any data related to the Emirate of Dubai and available to data providers.

For these purposes, “data” means any set of organised or unorganised information, facts, concepts, instructions, observations or measurements in any form that are collected, produced or processed through data providers. A “data provider” is any UAE federal government entity, Dubai government entity (including authorities supervising special development zones and free zones) or any other person specified by the competent authority (see also ‘Who will enforce the Open Data Law?’ below).

Who does it affect?

The Open Data Law is stated to apply to UAE federal government entities in possession of data relating to Dubai, local (i.e. Dubai) government entities and any other persons specified by the competent authority that produce, own, publish or exchange data relating to Dubai.

Accordingly, the potential application could be very wide depending on the competent authority’s approach to classifying entities as “data providers”. Article 3(3) states that specified persons may include individuals, establishments or companies existing anywhere in Dubai, including Dubai International Financial Centre and other free zones.

What are the key implications of the Dubai Open Data Law?

According to Article 15, Dubai Data is deemed to form part of the assets of Dubai Government. Dubai Data cannot be disposed of by data providers or users other than in accordance with the Open Data Law and any supporting regulations. This is potentially very significant for commercial entities that are deemed to be data providers by the competent authority as they will be required to classify their data as “open” or “shared” (see below) and to meet the other requirements on data providers relating to the sharing of this data.

UAE government ministries and departments will become obliged to make certain data sets available. The stated intentions of the Law include helping Dubai to achieve its vision of becoming a smart city, enhancing transparency, increasing the efficiency of government services and consolidating a culture of creativity and innovation. Other open data programmes around the world have focused on similar objectives and it will be interesting to monitor how the Open Data Law increases the availability of government datasets for personal, academic and commercial re-use.

The means through which Dubai Data will be made available will be determined by the competent authority. The Open Data Law envisages dissemination and exchange of the data via an electronic platform, bulletins, reports and other methods. The authority will approve policies for the provision of data and establish criteria and rules regarding data sharing, including technical protocols.

Article 10 states that data providers must supply the “fundamental infrastructure” specified by the competent authority for the sharing of Dubai Data, including IT systems, data protection and security measures, and links to the electronic platform and other systems specified by the competent authority. This may place an immediate burden on certain data providers to upgrade their systems to meet the authority’s requirements and the costs will presumably be borne by the data providers. The Open Data Law does not refer to any sharing of costs between providers and the authority or government.

Local government entities in Dubai must commit to a number of detailed obligations including classifying their data according to the Dubai Data Directory (to be published by the competent authority), preparing a data sharing plan and timetable to be approved by the authority, adopting all measures necessary for data sharing according to the authority’s policies, identifying potential constraints to data sharing, ensuring data quality, and providing the authority with information or reports upon request.

Other data providers (i.e. federal government entities and corporates or individuals identified by the authority) will have different – and presumably less onerous – compliance requirements. These are to be specified by the competent authority.

Another key feature of the Open Data Law is the power given to the authority to specify certain “reference records” and to determine the entities who will be responsible for the same. A “reference record” is any record identified by the authority that contains a specific and consistent type of Dubai Data. It appears that the intention of this part of the law is to create a single reliable source for certain information, which would be consistent with the objectives of increasing the efficiency of government services and supporting government decision making. It may also assist other users by reducing duplication and inconsistency across datasets.

How will Dubai Data be classified?

Dubai Data will be classified into one of two categories:

  1. Open Data: information that may be published without restriction or with the minimum restrictions specified by the competent authority.
  2. Shared Data: information that may be exchange between data providers according to conditions and criteria specified by the competent authority.

It is difficult to assess the impact of these classifications until the relevant restrictions, criteria and supporting policies are published by the authority. However, it is notable that the Open Data Law suggests that any information deemed to be “Dubai Data” will either be made open or available for sharing; there is nothing in the law that appears to allow data providers to refuse to make available any information that they produce or collate information concerning the Emirate if they are deemed data providers by the authority.

Article 9 does acknowledge that data providers should not prejudice any rules of confidentiality or intellectual property rights, which may provide a route for commercial providers to retain some control over certain datasets. This issue will need to be assessed once the relevant supporting guidance is published and the competent authority begins to enforce the new law.

Article 13 relates to the protection of data subjects. It states that the provisions of the Dubai Open Data Law shall not contravene the legal protection granted under applicable data legislation and that data providers should take all necessary measures to maintain the confidentiality and privacy of users’ data throughout the data sharing process. This is an important recognition of personal rights. Although the UAE does not currently have a federal data privacy law, there are criminal laws preventing the unauthorised disclosure of certain information and free zone regulations that protect certain data types. It appears that the Open Data Law is not intended to override these personal rights.

Who will enforce the Open Data Law?

Transitional provisions state that the Dubai Open Data Committee will have the powers and obligations of the competent authority under the Open Data Law until such time as a permanent authority is established. The Committee was established in 2014 and comprises representatives from a number of government entities in Dubai. It was originally tasked with guaranteeing ease of information flow and data security in the Emirate, as well as coordinating with concerned entities in Dubai to define the scope of an open data programme.

The Open Data Law notes that officials of the competent authority have the capacity of judicial officers in policing the law and will be entitled to produce violation reports and coordinate with police officials for assistance in enforcing its provisions.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.