Dubai’s new data law – tapping a new well
If data is the new oil, then the Dubai Government is keen to tap the well. Dubai’s recently issued “Dubai Data Law” (the Law) is a one of the latest examples of the progress being made by the Dubai Government to diversify and “future-proof” its economy and society – a strategy brought into even greater focus given the recent backdrop of plummeting oil prices.
It is hoped that the Law will unleash a wave of freely available data about the emirate, and encourage greater innovation by both businesses and individuals.
Perhaps the most interesting feature of the Law is that businesses, and indeed individuals, that produce, own, publish or exchange any data related to the emirate of Dubai, may be required to make that data available freely, or at least exchange that data with other “Data Providers“.
This creates a myriad of challenges and opportunities for companies operating in Dubai, that if properly understood and managed, may assist in positioning the business for future success, but which may also bring with it new complexity and compliance costs.
Below we take a look at the new law in further detail and explore the likely impact on businesses operating in Dubai.
It is no secret that the Dubai Government has significant ambitions for the emirate. High on the agenda is its ambition for Dubai to be one of the smartest, if not the smartest, cities in the world. The Government recently unveiled its vision and strategy for the creation of ‘Smart Dubai’ at www.smartdubai.ae, a site that provides valuable information on various initiatives being undertaken across the emirate.
The Dubai Data Law is one such initiative. Among the Law’s stated objectives is the desire to establish a culture of creativity and innovation in the emirate, enhance transparency and raise the efficiency of services provided by UAE Federal and Dubai government bodies.
Open Data plus?
The Dubai Data Law establishes an Open Data regime and a Shared Data regime.
Open Data has been described and defined in various ways around the world, but the Dubai Data Law simply defines it as “Dubai Data that, freely or subject to a minimum limit determined by the Competent Authority, may be published”. Shared Data on the other hand is “Dubai Data that is exchanged between Data Providers, according to terms and conditions specified by the Competent Authority”.
A number of cities around the world have implemented Open Data regimes, and these are traditionally concerned with making government held information freely available; but what is unique about the Dubai Data Law is that it goes beyond the collection and dissemination of data that is held by the city government and its departments and allows what the Law calls the “Competent Authority” to designate non-governmental bodies as “Data Providers“.
Subject to further guidance by the Competent Authority, designated private Data Providers will have to comply with the Dubai Data Law, for example, by making available and publishing Dubai Data they hold which is determined to be Open Data, or exchanging with other Data Providers the Dubai Data they hold which is determined to be Shared Data.
We believe this is the first regime in the world that may potentially require private bodies to make certain data they hold Open Data or Shared Data, and emphasises the vital importance that the Government foresees Open Data and Shared Data will have on the future economy.
What is Dubai Data?
The phrase “Dubai Data” is not defined in the law, but “Data” is defined. The phrase “Dubai Data“, and its application, may therefore be far reaching. For instance the Dubai Data Law applies to Federal Government Bodies that have any data related to the Emirate, to Local (Dubai) Government Bodies and to “Persons who produce, own, publish or exchange any Data related to the Emirate”. However, this latter category does not seem absolute, as it still requires that such Persons are selected by the Competent Authority, from individuals, institutions or companies that exist in the emirate of Dubai, including those in special development areas and free zones; the Law specifically mentions the Dubai International Financial Centre as such a free zone.
How might this new Law affect you?
The new Dubai Data Law could affect both individuals and businesses in two obvious ways – the first way is as a beneficiary of the new Law and the Open Data it should unleash; and the second way is as a Data Provider. We explore the latter in further detail, below.
If you are an individual, business or government entity existing in Dubai you may find yourself identified as being a Data Provider by the Competent Authority. If so, a number of obligations may be triggered for you to collect Dubai Data, store it, share it and/or publish it.
The criteria for the selection of such private sector Data Providers has not yet been made available.
The Law does indicate that there will be limits placed upon the publication or exchange of Dubai Data as either Open Data or Shared Data. These will include a requirement on Data Providers to not breach rules of data privacy and intellectual property rights. Just how the Law will interact with these rules and rights however remains to be seen, particularly as the UAE and the emirate of Dubai do not have data protection laws per se (although there are privacy laws in various legislations, and there is a Data Protection Act and Regulation in the DIFC, one of the free zones specifically mentioned in the Dubai Data Law).
The Dubai Data Law also indicates that a number of policies will be published, including policies relating to the protection of Data Providers’ confidential data, intellectual property rights, classification of information, use and re-use of information and technical standards for information systems and networks as well as information cyber-security.
Whilst the Dubai Data Law was issued in December, there are a number of steps that still need to be undertaken for it to be fully effective. These include the establishment of the Competent Authority and the publication of an executive resolution by the Chairman of the Executive Council of the Dubai Government.
As noted above, the Competent Authority is expected to issue or approve a number of other policies regarding data protection, intellectual property and data standards.