This article explores the differences and similarities in how data deletion rights are perceived in the UAE and EU, focusing on the ‘Right to Be Forgotten‘ (RTBF) concept under GDPR in the EU and its application under UAE laws.
- The RTBF under EU law allows removal of personal data from platforms under certain circumstances, impacting how organizations handle data erasure.
- The UAE, while developing its data protection laws, does not explicitly codify RTBF like the EU, though it offers mechanisms for data erasure.
- Federal Decree-Laws in the UAE align with global data protection standards, incorporating elements similar to GDPR, but challenges remain in implementation.
- Navigating these laws is complex for multinationals operating in the UAE, especially when balancing compliance with both EU and UAE regulations.
The ‘Right to Be Forgotten’ (RTBF) has become a crucial legal principle in the EU, largely influenced by the landmark 2014 ruling by the Court of Justice of the European Union in the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González. This ruling underscored the rights of individuals to request removal of personal data from internet search results when the data is deemed irrelevant or excessive. Under Article 17 of the General Data Protection Regulation (GDPR), individuals can seek data erasure for reasons such as withdrawal of consent and unlawful data processing. However, this right is not absolute and has limitations tied to freedom of expression, legal obligations, and public interests.
Contrastingly, the UAE has its unique stance on data protection, demonstrated through various legislative actions, though it lacks a direct equivalent to the RTBF as enshrined in the GDPR. Laws such as the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, aim to elevate the UAE’s data protection framework to international standards. Articles within this law, like Article 14, permit data deletion requests under particular circumstances such as the withdrawal of consent or unlawful data processing. Similarly, Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) regulations also recognize the need for data erasure, providing legal routes albeit not as explicitly as the GDPR.
The UAE legal system’s approach, while comparable, introduces a range of complexities. The absence of a specific RTBF clause results in varied interpretations and the potential for jurisdictional discrepancies, especially given the UAE’s status as an international business hub. For organizations operating within this territory, aligning compliance protocols with both local and international standards remains a delicate balancing act.
In parallel, enforcement of these data protection laws varies across the UAE’s regions, reflecting an evolving legal landscape. The UAE criminalizes unauthorized publication of personal information under its Cybercrime Law, thereby reinforcing privacy rights indirectly akin to the RTBF. Sector-specific regulations further enforce consumer privacy obligations, yet the UAE’s broader legal framework on data deletion is still developing, posing challenges for businesses and legal practitioners alike.
While the UAE’s legal framework for data deletion does not mirror the EU’s rigor, it is progressively aligning with international standards, requiring ongoing adaptations from businesses and legal entities operating within its borders.
