Is Data Deletion a Right to be Forgotten in the UAE Like in the EU?

Introduction 

The "Right to Be Forgotten" (RTBF) is a legal concept that has gained significant prominence in the digital age, particularly in the European Union (EU) under the General Data Protection Regulation (GDPR). It grants individuals the right to request the removal of personal data from online platforms under certain circumstances. As the UAE continues to advance its data protection framework, it is essential to examine the extent to which the RTBF is recognized and enforced under UAE law.

Understanding the Right to Be Forgotten Under EU Law 

The RTBF was formally established by the Court of Justice of the European Union (CJEU) in the landmark case Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014). The ruling held that search engines could be required to remove links to personal information upon request, provided the information is no longer relevant, excessive, or in the public interest.

Under Article 17 of the GDPR, individuals have the right to request data erasure from data controllers when:

• The data is no longer necessary for the original purpose.
• Consent has been withdrawn.
• The data was unlawfully processed.
• The individual objects to data processing, and there are no overriding legitimate grounds.

However, this right is not absolute and is subject to exceptions, including freedom of expression, legal obligations, and public interest considerations.

Data Protection and Privacy Laws in the UAE 

The UAE has developed a robust regulatory framework for data protection and privacy. The key laws governing personal data in the UAE include:

• Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)
• Federal Decree-Law No. 34 of 2021 on Combatting Rumors and Cybercrimes
• Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020
• Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021

These laws aim to align the UAE’s data protection regime with global standards, including elements of the GDPR.

The Right to Be Forgotten in the UAE Legal Framework 

Although the UAE does not explicitly enshrine the RTBF in the same manner as the GDPR, various provisions within its legal framework provide mechanisms for data erasure and privacy protection.

1. Federal Personal Data Protection Law (PDPL)

2. • Article 14 of the PDPL allows individuals to request the deletion of their personal data if it is no longer necessary for the original purpose, if consent is withdrawn, or if the data is unlawfully processed.
   • Article 18 requires organizations to implement technical measures to erase data upon request.

3. DIFC and ADGM Regulations

4. • Both free zones recognize a version of the RTBF, allowing individuals to request data deletion under specific conditions.

5. Cybercrime Law and Defamation Protections

6. • The Cybercrime Law criminalizes the unauthorized publication of personal information, providing a legal basis for individuals to seek data removal in certain cases.

7. Consumer and Digital Rights

8. • Various sectoral regulations, including those governing telecom and financial services, require businesses to respect consumer privacy and provide options for data erasure.

Challenges and Considerations in the UAE 

Despite these legal provisions, implementing the RTBF in the UAE poses certain challenges:

• Absence of a Specific RTBF Clause: Unlike the GDPR, UAE law does not explicitly define the RTBF, leading to varied interpretations.
• Balancing Privacy with Public Interest: Courts and regulatory authorities must weigh privacy rights against legitimate public interest considerations.
• Jurisdictional Conflicts: Given the UAE’s position as a global business hub, multinational companies operating within its jurisdiction may face compliance challenges when balancing EU and UAE data protection requirements.
• Enforcement Mechanisms: The UAE’s data protection laws are still evolving, and the enforcement of deletion requests may vary across jurisdictions.

Conclusion 

While the UAE does not explicitly codify the RTBF in the same way as the GDPR, existing laws provide similar mechanisms for individuals to request data deletion under specific conditions. As the UAE continues to enhance its data protection framework, further clarifications and legal precedents may strengthen the applicability of the RTBF. Businesses operating in the UAE should ensure compliance with local data privacy laws while remaining mindful of international obligations, particularly when handling cross-border data deletion requests.

For individuals and businesses seeking legal guidance on data protection and privacy rights in the UAE, consulting with experienced legal professionals is essential to navigating the evolving regulatory landscape.

For more information or legal assistance, contact Al Safar and Partners today on +971.4.4221944 - reception@alsafarpartners.com -   https://www.alsafarpartners.com/ 

Written By:

Mrs. Kavitha Panicker - Managing Partner at Al Safar and Partners Law Firm.