This issue is filled with great insights and expert commentary on areas that are relevant to the legal landscape and highlight how the business community is embracing technology, media and telecommunications. There are various topics covered, from new ways of working and digital transformation in the finance sector to data protection regulatory updates and guidance. We also have a series of articles that focus on e-commerce across a number of jurisdictions.
You will also find insights from our lawyers around real estate analytics, tech trends, and data centres.
We hope this edition of Law Update provides some useful food for thought – enjoy the read!Take a read of the edition
The new ADGM Data Protections Regulations 2021 (the “New Regulations”) were enacted on 11 February 2021 and published on 14 February 2021 thereby replacing the 2015 Data Protection Regulations (“Old Regulations”). The New Regulations will come into effect for existing entities on 14 February 2022 and for new entities (established after the New Regulations were published) on 14 August 2021. The New Regulations which are closely modelled on the EU’s General Data Protection Regulation (“GDPR”) set a new, stringent threshold for data protection in ADGM. The adoption comes only months after the DIFC, another financial free zone in the UAE enacted its own GDPR style data protection rules under DIFC Law No. 5 of 2020.
Capitalised terms used in this article are as defined under the New Regulations.
Similar to the GDPR, the New Regulations have introduced standalone principles of processing Personal Data such as lawfulness, fairness, and transparency, although existed under the Old Regulations, have been dealt with in detail. Additionally, the New Regulations includes heightened data protection obligations, greater transparency and accountability requirements, concepts of data protection by design and default, high risk processing activities, data protection impact assessments and appointment of data protection officer. The implementation of the New Regulations helps take ADGM one-step closer to achieving ‘adequacy status’ under the GDPR.
The New Regulations replace some of the broader basis for processing Special Categories of Personal Data, referred to as (“Sensitive Personal Data”) in the Old Regulations with more specific grounds for processing. For instance, the New Regulations allow for processing Special Categories of Personal Data “where it is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the Data Subject in the field of employment law”. Mirroring the language of the GDPR, the New Regulations create a basis for processing of Special Categories of Personal Data where it is necessary for reasons of “public interest in the area of public health, such as protecting against serious threats to health…”, or “pursuant to a contract with a health professional”. This basis is in addition to what was provided under the Old Regulations which covered “the purposes of preventive medicine or medical diagnosis or the provision of care or treatment or the management of healthcare services”.
The New Regulations also provides “substantive public interest” as a basis for processing of Special Categories of Personal Data. Examples of this include equality of opportunity, diversity at senior levels of organisation, the prevention of fraud, disclosures to public authorities regarding suspected terrorist financing, or suspected money laundering. It is important to note that the New Regulations completely remove the option of Processing Special Categories of Personal Data by way of obtaining a permit from the regulator.
A unique provision in the New Regulations, is the explicit requirement to have an “appropriate policy document” in place when processing Special Categories of Personal Data for the following purposes: (i) in the field of employment law; and (ii) on the basis of a substantive public interest.
The Appropriate Policy Document (which may incorporate other documents by reference) should explain:
Further, Appropriate Policy must be retained (until 6 months after the Controller carries out such processing), reviewed, updated and made available to the Commissioner on request.
Given the breath of what may come under the scope of “employment law” or “substantive public interest’, as defined under the New Regulations, we anticipate that in order to achieve full compliance under the New Regulations, companies will not only be required to update their privacy policies, but will also need to update their fraud policies, diversity and inclusion policies, employment policies, anti-money laundering policies, and any other policies falling within this scope.
The New Regulations provide enhanced data subject rights. In addition to rights to access, erasure, blocking of data and right to object to processing provided under the Old Regulations, the New Regulations include: right to withdraw consent, right to the restriction of processing, right to data portability and right not to be subject to decisions made solely on automated processing, including profiling.
Further, the existing rights have been expanded such as the New Regulations provide two-month timeframe for responding to Data Subject’s access requests. This initial period is further extendable by another one month. Where the erasure or rectification of Personal Data is not feasible for technical reasons, the Controller is required to inform the data subject at the time of collecting their Personal Data.
Controller must provide Data Subjects with information for meeting their transparency requirements:
Data subject rights provided under the New Regulations are similar to those provided under the GDPR and to an extent with the DIFC data protection laws.
While the Old Regulations include provisions as to the Controller’s duty to ensure “security of processing”, the New Regulations align with the GDPR, and introduce more rigorous and detailed obligations on both Controllers and Processors. Notably, the New Regulations impose an explicit duty on both Controllers and Processors to take into account the “state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks posed” when implementing technical and organisational measures. Examples of appropriate technical and organisational measures specified in the New Regulations include pseudonymisation and encryption of Personal Data, and the ability to restore access to Personal Data.
Further, the New Regulations introduce the GDPR principle of “Data Protection by design and by default” on Controllers, which had been absent from the Old Regulations. Essentially, “Data Protection by design” means that appropriate safeguards for Data Protection principles must be embedded into the complete life cycle of an organization’s products, services, applications, business and technical procedures from the outset, when deciding on the means for processing, rather than through a reactive approach. Data Protection by default, in contrast, requires that only Personal Data which is necessary for each specific purpose of processing is processed, and for Personal Data to not be made accessible to an indefinite number of persons without the Data Subject’s intervention.
The New Regulations restricts data transfers to jurisdictions outside ADGM (i.e. third countries), as they often do not have the same level of stringency in data protection standards. Transfers to third countries is permitted under the New Regulations where: a) the ADGM Office of Data Protection has granted the third country with adequacy status, or an appropriate safeguard is in place. In the absence of an adequacy decision, one of the following safeguards must be in place: (a) standard contractual clauses (SCCs), as adopted by the ADGM Commissioner may be adopted. Note that the ADGM Commissioner has a fast-track procedure for approving the then current SCCs approved by the European Union; (b) legally binding, enforceable instrument between public authorities; (c) an approved code of conduct together with binding and enforceable commitments; (d) an approved certification mechanism together with binding and enforceable commitments; (e) Binding Corporate Rules to facilitate the transfer of Personal Data between members of a corporate group (reviewed and approved by the Commissioner); (f) Contractual clauses between Controller or Processor and Controller, Processor and Recipient of Personal Data or administrative arrangement.
Further, adequacy decisions granted by the ADGM Office of Date Protection are based on: (a) the rule of law, respect of individuals’ rights, relevant legislation; (b) the existence and effective functioning of one or more independent supervisory authorities in the country receiving the data; (c) the international commitments of the countries receiving the data. Note the list of jurisdictions providing adequate level of protection under the Old Regulations hold good with the exclusion of USA after the Schrems II judgement.
The Data Breach notification period under the New Regulations is the same as the Old Regulations (i.e. requirement to notify the Commissioner within 72 hours), if the notification of a breach was not made within 72 hours, reasons of delay must be stated to the Commissioner. Additionally the New Regulations include a duty to communicate Personal Data breach to the Data Subject where it is likely to result in a high risk to the rights of “natural persons” and to notify the Controller without undue delay after becoming aware of a Personal Data Breach.
The breach notifications to the Commissioner/data subject should include the following information:
In aligning with the GDPR, and the DIFC DP Law, the New Regulations introduce the concept of High Risk Processing Activities, which include an obligation on the Controller to conduct a Data Protection Impact Assessment.
Whilst the term is undefined within the GDPR, the New Regulations provide a similar definition of High Risk Processing Activities to that found in the DIFC DP Law. Accordingly, High Risk Processing occurs where processing involves (i) a considerable volume of Personal Data, (ii) Processing which is likely to result in a high risk to the rights of Data Subjects, and (iii) where there is a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling and (iv) the Processing includes Special Categories of Personal Data, except where Processing of such data is required by Applicable Law. In contrast to the definition found under the DIFC Data Protection Law, the New Regulations exclude processing of Special Categories of Data where required by Applicable Law from the definition of High Risk Processing Activities.
The New Regulations imposes significant fines for data breach, with a strict cap not exceeding exceed USD 28 million. The administrative fines apply to both Controllers and Processors. In addition, Commissioner may issue a fixed penalty for non-payment of the Data Protection Fee on the Controller. The fine is up to 150% of the Data Protection Fee, or Renewal Fee, in addition to the Data Protection Fee or Renewal Fee. The fines are in addition of Data Subjects’ rights to claim compensation.