The Abu Dhabi Global Market (ADGM) announced this week that it has enacted the highly anticipated new Data Protection Regulations 2021 (“DPR2021”). The ADGM, which was established in 2015, is an international financial centre located on Al Maryah Island in the capital of the United Arab Emirates. For those readers less familiar with the Gulf region, the ADGM is a financial services free zone much like the Dubai International Financial Centre (DIFC). The two jurisdictions have, to their credit, collaborated closely in the development of their respective data protection regimes. This welcome level of supervisory alignment will certainly facilitate adoption and offer an easier glidepath towards data protection maturity for many businesses in the region.
Although the ADGM has acknowledged the positive influence of the UK’s Data Protection Act 2018, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+) and the DIFC’s Data Protection Law No.5 of 2020 (DPL 2020), the ADGM has been very transparent about their decision to base their regulatory update on the European Union’s General Data Protection Regulation (GDPR) as an internationally accepted best practice and benchmark. Like the GDPR, the DPR2021 has 7 key privacy principles (section 4), 8 individual data subjects rights (Part 3), and strong similarities in relation to governance (DPO and supervisory authority), breach notification (without undue delay, and within 72 hours) and data transfers (must provide an adequate level of protection).
The ADGM has deliberately positioned the GDPR as a high-water mark for data protection regulation. In adopting this strong alignment with GDPR, they also hope that organisations established in the ADGM will benefit commercially from the growing alignment of GDPR-inspired data protection laws worldwide. The ADGM also intends to leverage the EU’s operational experience as a supervisory authority in creating future best practices for the ADGM.
The new DPR2021, which was previously based on the OECD Privacy Guidelines and the European Data Protection Directive (95/46/EC), results in significant changes to the ADGM’s existing data protection regime. The new regulations introduce several additional responsibilities for both data controllers and data processors, and enhanced data subject rights for data subjects.
In this article our objective is to discuss selected elements of the new regulation which we believe are particularly relevant for decisionmakers who are not dedicated privacy professionals. This is likely to be a common scenario in the region. At the same time, we hope that privacy professionals will also find the update useful. Our intention is then to follow up with another article which offers suggested “next steps” guidance for any organisation who may be starting their data protection journey and/or is deciding on how best to tackle maturing their privacy programme to ensure compliance with DPR2021.
Privacy professionals will be aware that the GDPR has an extra-territorial scope and consequently applies to data processing activities conducted by any organisation established in the EU, with the term “establishment” very broadly interpreted – i.e., it is sufficient that a data controller operates a website from outside the EU that is directed at a specific audience or EU member state. The GDPR therefore extends its territorial reach to businesses offering goods or services to data subjects situated in the EU, or to the monitoring of the behaviour of such data subjects. This is also not restricted to EU citizens.
The new ADGM regulations also apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the ADGM, regardless of whether the processing takes place in ADGM or not. The regulations apply to natural persons whatever their nationality or place of residence. The ADGM has however indicated during public consultations that because of their relative size (a jurisdiction of 114 hectares) and the limitations imposed by ADGM’s legislative powers, that the new DPR2021 will not have the same extensive territorial scope as the GDPR.
The DPR2021 will only seek to cover personal data processed in the context of an establishment within the ADGM. It would likely include a situation where a business is established in the ADGM and it processes data through another establishment outside ADGM, but only where that processing is inextricably linked to the business carried on inside the ADGM. However, where a data controller is only connected to ADGM because it uses a data processor located inside ADGM, it would seem (subject to forthcoming guidelines) that the DPR2021 would not apply to the data controller. In this scenario, the data processor would however be subject to the DPR2021.
Conditions for consent
Because there have historically not been comprehensive “European-style” data protection laws in the Middle East (until recently), personal data have typically been lawfully collected and processed in accordance with local penal codes or cybercrime laws, which, as a generalisation, required the consent of the data subject. It means there is a strong reliance (or legacy) in the region on seeking consent for the lawful processing of personal data. As GDPR-like data protection laws are implemented across the region, this will pose challenges for local organisations who are often operating across various countries in the Middle East where a mix of data protection laws and penal codes exist. Similar difficulties may be faced by organisations operating in financial free zones like the ADGM, and then “onshore” in the UAE.
Although expected soon, the UAE currently has no federal data protection law. The Federal Law No. 3 of 1987 Promulgating the Penal Code (“UAE Penal Code”) and the Federal Decree by Law No. 5 of 2012 On Combating Cyber Crime (“Cyber Crimes Law”) apply. There are also certain industry-specific regulations, particularly in relation to healthcare and telecommunications. Articles 379 and 380 (bis) of the UAE Penal Code provide that it is illegal to disclose or use a secret to your advantage, or to distribute or provide data, unless this is permitted by law or you do so with consent of the data subject.
Like the GDPR, the DPR2021 trend is towards giving data subjects an increasing ability to control and manage their own personal data. The DPR2021 empowers data subjects with certain rights. What is important is that data subjects are becoming increasing aware of these legal rights and we should expect to see data subjects invoking them. This has obvious implications for controllers and processors who rely almost exclusively on consent.
In the DPR2021, consent (section 6) now needs to be “a freely given, specific, informed and unambiguous indication of the data subject’s wishes” through a clear affirmative action. Pre-ticked boxes or inactivity no longer constitute consent, and to be informed, the data subject should a) be aware of the identity of the controller and b) the purposes for which it is intended their personal data will be processed. The controller must also be able to demonstrate that the data subject has consented and maintain an evergreen register of that valid consent.
In addition, the data subject now also has the right to withdraw their consent at any time and it must be as easy to withdraw consent as it is to give consent. Pause and consider that for a moment. Consider the consequences of the various requirements set out above. For example, if you have previously shared that personal data with various processors before these requirements existed. Consider how your website collects consent to deploy cookies, or the consent mechanism being used by customers to opt in or opt out of marketing communications.
And finally, to be “freely given” the data controller must consider whether the data subject has a genuine or free choice or is unable to refuse or withdraw. With the DPR2021, in the employer/employee relationship, consent has now become a legal basis that needs thorough consideration due to the intrinsic imbalance of employer/employee relationships. The move by the ADGM is to be applauded, but this makes the use of consent as a lawful basis increasingly challenging. Alternative lawful bases for processing of personal data, like performance of a contract or the controller’s legitimate interest, may now become more suitable.
Data subject rights and requests
Part 3 of the DPR2021 includes 8 individual data subjects rights. The new regime introduces certain new rights for data subjects such as the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects that person. This is particularly relevant to the ADGM which has created a thriving FinTech Hub (Hub71) and actively champions the development of a sustainable and vibrant FinTech ecosystem. Although many of these companies will be start-ups or small and medium size enterprises (“SMEs”), a good proportion of them will be employing new technologies like AI and ML that potentially introduce automated processing.
The DPR2021 also introduces the right to data portability i.e., to receive the personal data that is held by the controller in a structured, commonly used and machine-readable format and the right to have that controller transmit the data in question to another controller (potentially your competitor) without hindrance from the controller. In an era where financial services regulators are increasingly concerned about technology concentration risk and seeking to reduce vendor lock-in risks, the data subject right of data portability is likely to be become increasingly relevant for controllers.
The controller must also, on request, provide a copy of the data subject’s data to them in a concise, transparent, intelligible, and easily accessible form, in writing, electronically or, if requested by the data subject, even orally provided the data subject has provided proof of their identity. This should happen without undue delay or within 2 months of receipt of the request. An extension of 1 month is then permitted. Note how this differs slightly from GDPR, which requires 1 month with the possibility to extend to 2 additional months. In a pragmatic move which takes the volume and importance of SMEs in the ADGM into consideration, the ADGM grants a more practical 2 months as the initial period, with the possibility to extend by 1 additional month.
Accountability and governance
The DPR2021 replicates the core requirements of accountability and governance from the GDPR in the new ADGM data protection regulations. These were not present in the previous regulations, and – being central to GDPR – will likely become important as part of any future adequacy assessments. The ADGM does however intentionally provide less detail than you would see in the GDPR. Our understanding, based on information shared during the public consultation process, is that this is to allow the supervisory authority an added level of flexibility to offer their own detailed guidance in future, particularly as new technologies evolve.
The DPR2021 includes key accountability and governance elements from the GDPR, such as data protection by design and by default, the requirement for data controllers to create records of their data processing activities (which the supervisory authority may request to see to confirm compliance), and the requirement for Data Protection Impact Assessments (“DPIAs”) as a mechanism for data controllers to consider and document high risk processing activities that pose a high risk to the rights of data subjects.
Like the GDPR, the DPR2021 compels data controllers to appoint a Data Protection Officer (DPO) in certain cases. The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and with the ability to fulfil the tasks referred to in section 37.
The DPR2021 (section 36) also introduces the same level of protection of the DPO as the GDPR, and requires the controller and the processor to ensure that the DPO:
- Is involved, properly and in a timely manner, in all issues which relate to the protection of personal data;
- Is provided with sufficient resources, access to personal data and processing operations to carry out the role;
- Is not dismissed or penalised for performing the tasks referred to in section 36; and
- Reports directly to the highest level of management in the controller or processor.
Organisations in the ADGM may leverage their global DPO role and the DPO does not need to be present or resident in ADGM or be an employee of the data controller. To reduce compliance costs, the DPO may also hold multiple roles in a business and/or operate in respect of multiple businesses provided no other role conflicts with that individual’s obligations as DPO. The DPO role may therefore be outsourced to a third-party professional services firm in what is now referred to as DPO-as-a-Service, or simply DPOaaS. For more information on White Label Consultancy’s DPOaaS offering, please check our service section on our webpage.
Exceptions for small and medium enterprises
The ADGM’s objective has been to create an updated regulation that delivers robust data protection standards and best practices, but which is also proportionate and business friendly. In keeping with this goal, the ADGM has acknowledged the importance of the accountability obligations, but in recognition of the burdens faced by SME data controllers, the ADGM has included an exception for SMEs. Those with fewer than 5 employees in the ADGM and which perform processing of personal data, which is low volume and low risk, are exempt from:
- record keeping; and
- the DPO obligations
It is important for start-ups and SMEs to appreciate that although their employee numbers may be low, they might well be processing large volumes of data or be engaged in what are classified as high-risk processing activities on a systematic and regular basis. The European Article 29 Working Party has advised that the following would be regarded as high-risk processing activities: evaluation or scoring, automated-decision making, systematic monitoring, sensitive data like special categories of personal data and data processed on a large scale.
More information in this regard is expected as ADGM data protection guidelines are released.
International data transfers
International transfers of data are a hot topic in the Middle East. This is not only because of the unfolding implications of the now infamous European Schrems II case, but because many organisations in the Middle East are faced with evolving data sovereignty or data residency challenges at a national or industry level, particularly in relation to hyperscale public cloud adoption.
Section 41 of the DPR2021 states that the transfer of personal data outside the ADGM, or to an international organisation, may take place where the Commissioner of Data Protection has decided that the receiving jurisdiction, or one or more specified sectors within that jurisdiction, or the international organisation in question, ensures an adequate level of protection of personal data. Such a transfer will not require any specific authorisation. The following is a list of the 43 countries or jurisdictions that are currently deemed adequate from a data privacy and protection perspective by the ADGM.
Section 42 of the DPR2021 states that in the absence of an adequacy decision, a controller or processor may transfer personal data outside the ADGM only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. These typically tend to be either standard contractual clauses or binding corporate rules.
The previous ADGM data protection regulations included an intragroup transfer mechanism similar to the EU concept of binding corporate rules (“EU BCRs”), but the DPR2021 (section 43) has now introduced a mechanism which is more strongly aligned to the EU BCRs and supports an ability for the supervisory authority to fast-track approval for EU BCRs.
The DPR2021 also incorporate the most recently updated European standard contractual clauses. It means that multinational businesses will be able to adopt a single form of data transfer agreement for use across multiple jurisdictions, including the ADGM. Subject to the authorisation from the Commissioner of Data Protection, the appropriate safeguards referred to in section 42 may also be provided for by contractual clauses between the controller or processor and the controller and recipient of the personal data outside the ADGM.
There are also derogations from restrictions on international transfers for specific situations. These are set out in section 44.
Transition period for ADGM data protection regulations
The ADGM has confirmed the following transition period to help organisations become compliant with the new ADGM data protection regulations:
- a 12-month transition period for existing establishments and,
- a 6-month period for any new business registered after the new regulations came into effect.
Remedies and penalties
Section 55 of the DPR2021 empowers the ADGM to impose an administrative fine of up to USD $28 million for an act that is prohibited or which the controller or processor has omitted to do. In comparison, under the GDPR a supervisory authority can issue fines of up to EUR 20 million or 4% of the company’s global annual revenue.
When deciding on the amount of the fine, various factors will be considered, such as the nature, gravity and duration of the contravention, the intentional or negligent character of the contravention and any action taken by the controller or processor to mitigate the damage suffered by data subjects. These considerations are set out in section 55 (3).
These fines are in addition of data subjects’ rights to claim compensation if they have suffered material or non-material damage as a result of a contravention of these regulations. The data subject may then be entitled to compensation from the controller or processor for the damage suffered, with a case brought in court.