Data Protection in the UAE – What you need to know
Panelists:
Suzanna Ballabás, Waystone Compliance Solutions
Sayid Madar, Office of the Data Protection Commissioner in the ADGM
Lori Baker, Office of the Commissioner of Data Protection in the DIFC
Moderator:
Nigel Pasea, Waystone Compliance Solutions
Welcome, ladies and gentlemen. My name is Nigel Pasea, and I’m the managing director of Waystone Compliance Solutions in the Middle East, a market in which we’ve been providing compliance, risk, and corporate governance services since 2006. Today, it’s my absolute pleasure to host this data protection webinar as it is a topic which has become increasingly important both locally and globally. Many participants will recall the significant changes that were introduced in 2018, with the introduction of GDPR in the EU, and of course, many other jurisdictions updated their equivalent legislation in recent years. Of course, data protection legislation is not new in either the DIFC or the ADGM and has been in place since those financial free zones were first created. But all participants will be aware that, in both the DIFC and the ADGM, the data protection regimes have been significantly updated in the past two years.
So in that regard, I’m delighted to be able to introduce a distinguished panel of three respected experts in this field who will tackle a range of topics on the subject, including implementation, data transfers across borders, experience to date, and fines and breaches. On the panel, we have Lori Baker, VP legal and director of data protection for the Office of the Commissioner of Data Protection in the DIFC, Sayid Madar, head of operations for the Office of the Data Protection Commissioner in the ADGM, and last but not least, Suzanna Ballabás, head of data protection for Waystone Compliance Solutions, Middle East, who will moderate the discussion today.
Before I hand it over to Suzanna, just a reminder that if we are unable to address any specific topic or issue that you may have due to time constraints, please do feel free to contact us at Waystone Compliance Solutions, and we will be delighted to assist. And with that, over to you, Suzanna.
Navigating Data Protection in the UAE
By way of introduction to the topic, the UAE has recently taken a huge leap into the ever-increasingly complex world of data protection. It’s the start of a global movement seen in most jurisdictions such as Europe, China, India, Singapore, Saudi, and the U.S.A., to name just a few, which is great. The UAE is ahead of the game. However, for our attendees new to data protection, that can often mean navigating difficult processing routes to ensure smooth and efficient use of personal data and a whole lot of law and regulation to understand. Today, we hope to clarify the UAE’s part in this ever-increasing puzzle.
In recent years, the DIFC released the DIFC Law No. 5 of 2020. This has now been subject to amendments in March of this year. The ADGM released its Data Protection Regulation 2021, and the UAE has announced its Federal Law in Decree-Law No. 45 of 2021. The UAE Federal Law is pending its supporting regulations. So until we have those, it’s a little bit difficult to guide you on the topic, but I’d be happy to provide an overview once we have the full story. So without further ado, let’s dive into the DIFC and ADGM regimes.
Our first question.
Both the ADGM and the DIFC have recently updated their laws and regulation on personal data. If you can summarize the core features of your regime, what would they be?
I’ll hand that to Lori first.
Core Features of the DIFC
Thanks, Suzanna, and thank you for having us here to discuss these important issues. So the DIFC watched and waited after the enforceability of the GDPR came into effect in May of 2018 to get a sense of what would make most sense for our regime here. And we didn’t want to massively deviate from what we already had, because it was quite closely based on what was happening in Europe anyway, and at that time, you know, before the sort of springing up of hundreds of data protection laws all around the world, you know, it’s one of the guiding principles. So we stayed the course. We wanted to ensure that companies in the DIFC wouldn’t struggle with an additional compliance burden and aligned with many of the elements that we already had, including data protection principles, international transfers, data subjects rights, breach reporting, and so on. But we brought it up to speed not only with the GDPR at the time but other data protection laws around the world. We incorporated bits and pieces from California, from other regimes that we thought were getting it right, and we developed a few things of our own that we thought would make sense for the innovation hub-type entities, tech entities, and so on, that would balance both transparency and accountability with flexibility for developing that kind of really important technology that would, in fact, basically, benefit the data subjects that would be using that technology from the DIFC or anywhere else they’re based.
So we wanted to ensure that there was compatibility but a bit of forward-thinking woven into the overall result. And I think what we got is a really good balance of all of those things and has been well received. So you know, we’re being assessed for adequacy recognition by the UK at this point, because a lot of things have changed over the last four years since we started on this journey. You know, we’re happy to have the opportunity to do so and demonstrate that the laws in this region are on the same footing with international best practice in the rest of the world. So that was our aim.
Thank you, Lori. And, Sayid, for ADGM.
Core Features of the ADGM
Thank you, Suzanna, and thank you for having me. So we followed a similar approach, actually, to what Lori just said. And in ADGM, you know, our law was enhanced. And we enhanced the standards, but we also, you know, wanted to make sure that we continue to align with international best practice. And that was looking at, you know, the GDPR, which came into effect, as Lori said, in May 2018, but we also looked at the new Council of Europe’s Convention 108+. But some of the core features, I guess, and what was included from our 2015 regulations to 2021 was, for example, the extra-territoriality, where the context of the activities is of the establishment in ADGM, but we also looked at, you know, enhancing individual rights and the new principles such as, you know, the accountability principle. And what accountability really introduced was ensuring, you know, that entities have to demonstrate how they comply with the principles, and that adds a new level of, a new dimension really to our regime, because it puts the responsibility on data controllers to show, you know, how they comply with not just the regulations but also how they look at individual rights and the processes within their organization.
And also, in terms of enhancement of individual rights, you know, we introduced what was the automated decision making and processing, you know, that individuals have a right not to be subject to solely automated decisions. And of course, that’s come on the back of tech startups, and we’re focusing really on the growth of technology in our jurisdiction and how we can make sure that individual rights are still considered and enhanced within our law. Of course, there’s also additional powers that were given to the commission on ADGM. We are able to issue fines of up to $28 million for the most serious contraventions. But we also would be looking at adding exemptions for small businesses and small companies in ADGM, such as, in some cases, the removal of fees or the requirement to not appoint a DPO if you’re under a certain number of employees. So really we looked at it from a comprehensive approach, and not just to enhance the rights of individuals but look at how we can support businesses in ADGM, because as regulators, we also want to make sure that, you know, we continue to support innovation but done in an ethical and pragmatic way as well. So really that’s the key and core changes within the new 2021 regulations.
That’s great. Thank you very much. So on to the next question. We’ve seen an increase of firms being fined in relation to data protection.
Are there any reoccurring areas of weaknesses that our firms should focus on?
Sayid, if you’d take that one first.
The ADGM Perspective
Yeah, sure. So we’ve seen an increase in, for example, breach reporting and notifications, and something, of course, all businesses need to be aware of is that data breaches are, of course, inevitable. They will occur, whether, you know…the fact that the breach has occurred is not the issue from our regulatory point of view, but it’s more of how you’ve managed that and how you looked at the areas of weakness within your businesses. So a data breach could be, for example, email sending error as a blind CC or CC on to, you know, more cyber risks or, you know, ransomware, and other type of attacks. But you know, the key thing is there should be processes and procedures in place to manage and mitigate the risk, and you’re looking at it from the perspective of the rights of individuals, you know, making sure that you mitigate the impact to them. And that’s what we look at.
So for organizations, I think one of the key areas you should be looking and focusing activities on is, what happens when an incident occurs, you know? Do you have policies and procedures? It doesn’t necessarily have to be formal, but at least you should have a process in place that looks at how has this occurred, how can you mitigate this, with an emphasis on, you know, individual rights. So we’ve seen an increase in that. Since the enactment of our new regulations, we are receiving breach notifications, and I think one of the areas I’m finding and we’re identifying gaps is awareness of staff, training around staff, making sure that staff know the organization…they know how data should be used within the organization, right? You shouldn’t assume that, you know, the member of staff should not have taken their laptop that is unencrypted with them. You need to be putting processes in place.
So I think that’s an area that ADGM companies should be looking at, and making sure that you know when a breach happens, because a data breach is inevitable. And if you think your organization doesn’t have, you know, data breaches at all, then I would strongly recommend you look at your process and make sure that, you know, you’re identifying that there is a data breach when it occurs. And just stress testing the processes, you know, doing desktop exercises, and validating, you know, that your controls work in the way that you think they should work.
That’s really interesting, Sayid, because I think, a lot of the time, employee error gets missed on notifications, and it tends to be the big cyber-attacks that get reported. And like you say, it comes down to training to make employees aware that that is also a breach as well, and it could be as dangerous, if not more dangerous, with the amount of information, the type of information that they have. So, Lori, do you have anything to add from the DIFC perspective?
The DIFC Perspective
Yes. I mean, in addition to breaches, you know, we’ve seen an increase in those as well, but we see a lot of general questions now, actually, about, “Oh, there’s a data protection law that we have to comply with,” you know. So it’s something that I think is much more prevalent, whether that’s because of events happening in the world, news, headlines, things like that, or if it’s part of our communications and an outreach process, or both. It’s definitely coming to the fore that, you know, there is a compliance obligation, and you know, many, many companies in the DIFC do have to consider whether or not they are required to notify, for example. So we’ve done a huge amount of work with respect to having companies understand their notification obligations. We did an entire thematic assessment around retail companies, for example, that have told us that they don’t use personal data, and you know, we can’t tell them exactly what to do, but we sort of told them what to do in a lot of ways, you know, just saying, “Look, you know, it’s impossible that you don’t process personal data, and we’re going to explain to you why.” And it’s really good to engage that way, you know.
So that is part of the learning for us as well, is just how much more we can engage directly with our companies, get them to build that privacy culture that we’re trying to achieve in the DIFC and the UAE, generally. We also see a lot more individual rights requests. Like Sayid said, we also, you know, added some of those GDPR-like, kind of, individual rights matters such as automated processing. We’ve added a bit around non-discrimination when it comes to exercising data subjects rights. So we see a lot more of those complaints coming in, not necessarily requests to us for our data but complaints about unlawful processing or not meeting their compliance requirements or the response requirements under individual rights kinds of requests, so either no response, whatsoever, or you know, not an adequate response. People seem to feel that they’re entitled to a lot more information, and it’s been actually quite a good learning process with that as well to help people understand the difference between, for example, a subject access request and discovery in the courts and what you’re going to obtain through one access or information gathering process versus the other.
And we’ve actually, then, translated everything that we learn every time through these assessments or these experiences of complaints, or what have you, breach notifications, etc., into updating our guidance. So our guidance is constantly being updated, reviewed, updated, reviewed, and our website now is laid out in such a way that, when the guidance changes, you don’t have to go find a whole new link. We basically have provided you with, you know, sort of headers around certain topic matters so that you can just constantly go back and check that header about what, you know, guidance you’re seeking. We’ve also provided a lot of assessment tools. So we’re seeing a huge uptake in using those tools as well. I just had somebody send me the other day what our statistics are on sort of access to a particular set of tools that we have on our website for basic assessments, “Does the law apply to me? Do I have to notify? Do I have to appoint a data protection officer? What do I have to do for transferring data outside of the DIFC?” These assessments are literally three to four questions long each, and if you answer basic responses, you get a very simple straightforward set of guidance.
And I think, you know, one of the things that I think we’re seeing a lot too is just interest. People are really trying to get hold of this and embrace their new compliance obligations without the fear, necessarily, of, you know, massive fines or what have you. I mean, we’re kind of a petri dish here for experimentation around this and learning so that, you know, both between ADGM and DIFC, we can be more of an enabler, not only of business but of understanding and of a privacy culture to make sure that, you know, everybody that’s working in our jurisdictions gets what their obligations are and apply them appropriately.
Yeah, that’s great. Thank you, Lori. You actually touched on our next big topic, which is transfers. Data transfers and restrictions to such transfers are a big concern with our attendees. I think, again, it comes down to the fact that, you know, Europe, there’s a lot in the news about transfers to the U.S.A. So, can you provide some guidance on the best way to manage international transfers? Lori, if you could take this one.
What is the Best Way to Manage International Transfers?
Managing International Transfers with the DIFC
That’s a big topic to cover in a couple of minutes, but I’ll try. You know, I guess the starting point, and maybe this sounds a little bit counterintuitive, is if you don’t have to transfer, don’t, quite frankly, or if you can keep it within your jurisdiction, but you do have to be mindful of what onward transfers might look like if you do send to just another ADGM company or another DIFC company. You know, there will be onward transfers, and to say don’t transfer is almost an impossibility these days. But I mean that sincerely. Think about it. Think about what you do have to transfer. Think about what you don’t have to transfer. And if you don’t have to transfer something outside of your jurisdiction, don’t do it. It creates risk for you. And that goes back to even just making sure that what you do have in your systems is exactly what you need for the purposes that you need it so that, when you do transfer data, you’re reducing the risk every time by, you know, sort of limiting the dataset to what is absolutely necessary and proportionate to your requirements.
But otherwise, you know, just think practically about what it is that you’re doing in the course of the transfer, who will probably end up with it, where will it come to rest as it were, how many times, and what do those jurisdictions look like in terms of not only data protection laws but other types of laws and certifications, codes, whatever, anything that might protect the data more suitably or, in the opposite, may not protect it at all, might open it or expose it to more risk. And secondly, don’t just look at the jurisdiction. I know I just said to look at the jurisdictions where it will end up, but look at the company that you’re transferring it to and ask them hard questions. Don’t just say, “We’ll sign the model clauses,” or the DIFC clauses, or the ADGM clauses, and that’ll be that. Read what they say, figure out what you have to do, what your obligations are, and get an understanding of whether the company that you’re transferring data to, and the chain of processors or co-controllers, what have you, actually get it. It sounds like a lot of work, but again, through a few simple questions, you know, you can get a lot of information that will help you make sure that your transfer is going to be, at least, compliant with our laws, if not with, you know, other international laws and best practice.
Yeah, such a good point. I think a lot of firms are looking at it at the moment and looking at a checkpoint exercise, and they don’t actually know what’s happening, and they don’t know what the organization is doing. And some companies are saying, “Yeah, we comply,” but they don’t really comply at all. So that’s a really good point. So the next question goes to Sayid and sort of follow-up to that question. Do you have any advice for transferring to UAE onshore, which is currently not deemed an adequate jurisdiction by both the ADGM and DIFC? Obviously, that may change. But a lot of our firms have issues with implementing model clauses or standard contractual clauses. Do you have any advice for them?
Managing International Transfers with the ADGM
So, firstly, I think it’s important to note that, you know, transfer provisions are included within our law and DIFC’s law, you know, to facilitate the free flow of data. So the purpose we have transfer provisions is to ensure, you know, that the rights and obligations follow the data, irrespective of where it goes, right? So you know, it’s there to support businesses, you know, allowing them to do their work, and if they need to transfer, then, of course, the law allows that. But of course, the key thing we wanted to highlight is that, you know, in terms of UAE onshore, why is it not deemed adequate? There are other mechanisms, right? It is not the only mechanism for transferring personal data. And whilst adequacy decision itself is, you know, the gold standard in terms of easy business between two jurisdictions, it’s not the be-all, end-all, right?
So of course, one of the measures you talked about is standard contractual clauses, which may be difficult, you said, to implement. Just look at, as I said, just look at the reason that you are transferring the data really and understand, do you need to transfer the data? And secondly, you know, if you are transferring data, can it be done…does it have to be, you know, personal data? You have to think of it from that perspective. Could you do it where it doesn’t meet the criteria of being personal data? If it doesn’t, then it wouldn’t be considered a transfer. It wouldn’t be personal data, right? But if, for example, you’re saying, for whatever reason standard contractual clauses may be difficult to implement, I mean, it’s important to look at the way we’ve done it, especially in ADGM, is we’ve…given guided notes, you are able to just include…we’ve put notes for each section, allowing them very much to just follow our guidance and apply where it’s appropriate. But if the transfer is not, you know, a core activity or it’s done on an ad hoc basis or, you know, it’s infrequent, then I would recommend you look at the derogation and see if any of them apply. For example, you know, can you use consent? Is it necessary for the performance of a contract? Is it necessary in the interest of the data subject? It doesn’t have to be a subcontract with the data subject itself, it could be between two entities for the interest of the data subject.
So there are various mechanisms to transfer data, and I think you should look at for that purpose. For UAE onshore, I guess, you have to go back to what is your reason for transferring data. And if you can rely on derogation, then rely on derogation. It’s not there to…that there isn’t a…we don’t consider, you know, a transfer under adequacy versus a transfer under a standard contractual clause or derogation any less insecure, as long as you’ve done your assessment, you’ve looked at the reason of transferring data, and whether, you know, it’s necessary for your transfer. So we take a pragmatic approach, and the same way the DIFC as well. Really just understand the reason you’re transferring data, and if you do, then just look at the safeguards and other measures if you can’t rely on adequacy.
That’s brilliant. Thank you. So, I mean, we’re really running out of time, so I’m so sorry. I wish we had more time. But just to close off the session, let’s talk about the future of your regimes. So, what does the future look like in the DIFC? Lori, if you could take it first.
The Future of the DIFC
Yeah. You know, we’re hoping that we will see some additional regulations around emerging technology, around not just specific technology but kind of the jurisdiction in technology, I suppose. It’s a little bit hard to describe, but you know, we’d like to see development of, you know, standards and regulations that are keeping up to date with what’s happening in the world today. You know, we see it happening in Europe, for example, and in other places like Vietnam, Singapore, what have you, where, you know, really key principles and regulations or draft regulations are coming out to help support the privacy aspects of developing and using technology. So that’s one key piece, I think, that everybody’s going to have to look at, at some point or another.
You know, we amended our law ever so slightly with respect to even further solidifying data subjects rights. So with respect to that, we have put in place a register requirement, for example, when data subjects rights are not responded to or, you know, deemed by a company to be unfounded or excessive, or what have you. They have to actually say why. So you know, we’re finding ways like that to drill down into what companies’ accountability requirements are, and I think that’s got to be a huge, huge part of it. And we’re also looking very much at still transfers, you know, to stay on that topic, you know, coming up with a more universal way to be able to quickly, but with certain accuracy and confidence, assess a jurisdiction but also provide a tool that companies can then use to quickly and accurately assess the company that they’re sending to or the chain of companies involved in a transfer situation. So that, you know, like Sayid said, just making it a little bit easier, making a little bit more practical and understandable to navigate what’s already a very, very difficult area, you know, especially given EU case law of data transfers.
You know, we’ve come up with our version of the standard contractual clauses as well, which eliminate the need for choosing any modules, whatsoever, you know, anything we can do together between our jurisdictions and other jurisdictions in the GCC. We’re very much looking at that sort of work as well, coming together and trying to come up with some sort of regional way of thinking about this, but also, just pragmatically, giving tools and developing further compliance requirements that will, hopefully, make it easier for companies to act in the DIFC and ADGM.
That’s great. Thank you, Lori. And, Sayid, how about the ADGM?
The Future of the ADGM
So, yes. Data protection, of course, is an ever-evolving area, right? It’s fast-paced, and that’s one of the exciting things about being in the field. But we’ll continue to, of course, look at development in many areas and issue guidance, you know, where it is necessary. For example, especially in the region, we’re seeing a rise of new tech companies and adoption of technologies, such as, you know, crypto companies, other technologies, you know, you’ve heard the metaverse. And we will, of course, ensure that, you know, individual rights are safeguarded, that data protection laws are complied with. But you know, we’re adapting our law and adapting our guidance, at least, to take into account, you know, the innovations that we’re seeing in the region.
Of course, these raised questions such as how do we ensure principles and rights are reflecting these new technologies, blockchain, for example, where one of the queries we do get, actually, from some of the tech companies, crypto companies we have here, is around the publication of the register and how that would…the basis and the use of that personal data that’s used in the register, of course, how individual address is also looked at in these new technologies, but also how to conduct privacy impact assessments where the risks are not fully understood, like in AI and machine learning, how…because one of the requirements in our law is around notification. We get notified where there is a PIA and involves a high risk or they haven’t fully understood the risk.
So it’s an interesting area there to be in, and in terms of development in our regime, you know, we are continuing to adapt. We’re looking at, potentially, amendments where we feel that they could be a way to enhance the need for enhanced businesses, enhanced innovation. For example, we’re looking at the exemptions and seeing if it really is suitable, whether it can be applied in a better way. It’s also looking at, you know, the intersection between consumer law and privacy, because that’s an area we’re seeing a lot outside of our jurisdiction and how consumer rights organizations are working with data protection offices and how we can work together on that. So, well, as I said, it’s an exciting time to be in data protection and to be a practitioner in the field, and yeah, we look forward to what the future holds for data protection in the region.
That’s great. Thank you so much, Sayid. And thank you to both of you. I’m really sorry we’re out of time now. So it’s been a pleasure to speak to you. I can speak to you all day about this. We do have some more questions that we’ve not been able to get to today. So what we’ll do is we’ll address them separately. Just as by way of a reminder, Lori and Sayid are both available. Both their email addresses are on their websites. You can also access their guidance notes, which are really, really useful when you’re looking at implementation and what to do first. If you do need any further help, you can always come to us. We also have some free guidance documents that you can download from our website, or you can drop me a message on LinkedIn or by email, and we can discuss a little bit further about the needs. And we’ll come back to you separately on your questions. So thank you very much. Thank you to both of you, and we’ll speak soon.
Thanks very much to the panellists today and to Nigel for moderating. It was great to have everyone on board. And just to recap from Suzanna’s message earlier, you know, following the webinar, we will be sending follow-ups to everyone from the ease of access in terms of contact details and follow-up collateral. Thanks, everyone, for joining.