When Someone Withdraws Consent After Publication: A Practical UAE Playbook for Media, Brands, and Content Teams
1) Start with the core distinction: “withdrawal of consent” vs “right to erasure”
These two concepts are often confused, but they are not the same.
In simple terms: withdrawal of consent means “stop using my data going forward,” while erasure means “delete my data (if the law requires).
A) Withdrawing consent
Under the UAE Personal Data Protection Law (PDPL), a person can withdraw consent at any time. Importantly, the withdrawal does not affect the legality of processing that took place before the withdrawal.
In plain English: if your article was lawful at the time of publication because you had valid consent, the person’s later change of mind does not automatically make the original publication unlawful.
B) The “right to erasure”
Separately, the PDPL gives data subjects a right to request erasure of personal data in certain cases, including where consent is withdrawn.
But that right is not absolute. The PDPL frames the erasure right as being “without prejudice” to other UAE legislation and to “what is required for the public interest”.
Public interest means a genuine wider societal interest that makes processing and retaining personal data necessary and justified. As a result, deletion or restriction rights may be limited where keeping the data serves that wider interest.
2) Why this matters for journalism and archives: “public interest” is built into the PDPL
The PDPL contains multiple points where public interest can, in certain circumstances, limit or outweigh individual data rights:
Personal data may be processed without consent where processing is necessary to protect public interest.
Even where a person seeks restriction of processing, the controller may be able to proceed without consent if needed to protect public interest.
And the erasure right itself is expressly subject to public interest.
The PDPL does not fully define “public interest” in a way that cleanly answers “does this include journalism?”, but the legal structure clearly anticipates public-interest exceptions.
Separately, freedom of expression is constitutionally recognised in the UAE (including expressing opinion “in writing” or “by any other means”).
At the same time, UAE media/content standards also emphasise respecting privacy.
The real-world outcome: you should treat these requests as a balancing exercise, not an automatic takedown.
3) Where the PDPL’s implementation mechanics matter (and why you should prepare now)
The PDPL is in force (it came into effect on 2 January 2022).
It also contemplates:
- Executive Regulations to be issued by the Council of Ministers, and
- a short regularisation window (controllers/processors must regularise compliance within 6 months from the date the Executive Regulations are issued, with a possible extension).
As of writing, the Executive Regulations have not been publicly issued.
Regardless of where implementation sits operationally, the smart operational move for media and content-heavy organisations is to put a repeatable process in place now because once your volume grows, these requests become constant.
4) A practical decision framework you can use (and document)
Here’s a FAIP-style framework that balances legal risk, editorial integrity, and operational reality.
Step 1: Triage the request (quickly)
Ask: what are they actually requesting?
- Correction (something is inaccurate)
- Update (something has changed since publication)
- Removal/erasure (delete the piece, delete the photo, delete the quote)
- Anonymisation (remove name, blur/replace image, remove identifiers)
- Reduced discoverability (de-index from internal search, adjust SEO, limit access)
Why this matters: PDPL rights differ depending on the nature of the request (erasure vs correction vs restriction).
Step 2: Verify your lawful basis and your consent record
If you relied on consent, check whether your consent was “clean”:
- Can you prove consent?
- Was it clear, accessible, and unambiguous?
- Did it include the right to withdraw easily?
If consent is weak or poorly documented, your risk profile changes fast.
Step 3: Separate “lawfulness then” from “availability now”
Even if the initial publication remains lawful (because withdrawal doesn’t retroactively invalidate prior processing), you still need to evaluate whether continued online availability creates a different risk picture (accessibility, amplification, searchability, etc.).
Step 4: Run a “public interest vs privacy impact” balancing test
A helpful reference point (not UAE law, but useful guidance) is the European Court of Human Rights Grand Chamber approach in Hurbain v. Belgium (4 July 2023), which considered whether a publisher could be required to anonymise a name in an online newspaper archive.
That decision highlights factors such as:
- the nature and sensitivity of the archived information
- how much time has passed since the events and /publication
- whether there is still a contemporary public interest in the information
- whether the person is well known and their conduct since the events
- the real negative impact of continued availability
- how accessible/searchable the material is in digital archives
- the impact of the measure on freedom of expression and press freedom
How to use this in the UAE: treat these factors as a structured internal checklist, while grounding your final decision in PDPL principles (including public interest, purpose limitation, and correction/erasure rules).
Step 5: Choose a proportionate remedy (options ranked from least to most intrusive)
Option A: Do nothing (but respond formally)
Appropriate where:
- content is accurate, consent was valid, and public interest is strong
- request is reputational discomfort rather than a true legal issue
Option B: Add an editor’s note/update (preserve the record)
Use where:
- facts have changed (new role, updated position), but the historical record remains legitimate
- you can preserve integrity while reducing unfairness
Option C: Correct inaccuracies
If something is wrong, fix it. This is usually the cleanest legal and editorial solution.
Option D: Anonymise limited identifiers (surgical change)
Examples: remove last name, remove unique identifiers, replace a photo, remove a personal email/phone.
This can reduce harm while keeping the record intact.
Option E: Reduce accessibility (without altering the archive)
Examples: limit internal search, change indexing rules, place behind subscriber wall (where appropriate).
This is often a practical middle ground when the real harm is “Google discoverability”.
Option F: Remove/erase
Reserve for cases like: clear unlawfulness, serious privacy breach, legal prohibition, or an overriding justification under PDPL erasure grounds that outweighs public interest.
5) What to put in your consent forms (and what not to do)
Don’t rely on “no-withdrawal waivers”
Because the PDPL explicitly says consent must be withdrawable, and withdrawal must be possible at any time.
A clause that tries to prevent withdrawal is high risk and often counterproductive.
Do use consent wording that sets expectations (without pretending withdrawal is impossible)
Instead, add language along these lines (adapt to your format):
- Consent is withdrawable at any time (and how to do it)
- Withdrawal does not affect processing before withdrawal
- The organisation may retain published material where necessary for legitimate editorial/public-interest reasons, including preserving archive integrity subject to applicable law and a case-by-case assessment
Also: ensure you can evidence consent and keep it accessible and unambiguous.
6) A “ready-to-implement” internal policy (simple version)
If you want fewer headaches, adopt a short internal policy with:
- Single intake channel (email/webform) and identity verification
- Classification: correction vs update vs erasure vs anonymisation vs de-indexing
- Evidence pack: consent record, publication date, public interest rationale, archive rationale
- Decision template: the balancing checklist (privacy impact vs public interest)
- Outcome menu: A–F remedies above
- Response templates (polite, firm, consistent)
- Escalation triggers: minors, sensitive data, safety threats, court orders, regulator complaints
The PDPL also anticipates clear ways for a data subject to contact the controller to exercise rights so having a clean process is not just good practice; it’s aligned with the statute’s design.
Closing note (FAIP perspective)
Requests to “take it down” are rarely about law alone. They’re usually about reputation, discoverability, and discomfort often long after the fact. The PDPL gives individuals meaningful rights, but it also clearly leaves room for public interest and proportionate outcomes rather than automatic erasure.
If you operate a newsroom, corporate comms function, or a content platform in the UAE, the best risk control is consistency: documented consent, a clear intake process, and a defensible balancing test.
If you’d like support implementing this in practice, FAIP can help you design a defensible intake-and-review workflow, tighten consent language, and assess specific requests in a way that balances privacy risk with public interest and record integrity. Please reach out to Maher El Bilbeisi at
melbilbeisi@atterehip.ae.
