Recent European Court of Justice decision could affect personal data processing activities in the GCC
The European Court of Justice’s recent “Schrems II” decision (case C-311/18) has attracted a lot of attention in data protection circles. One of the key outcomes of the decision is that it removes one of the grounds upon which European entities could legitimately transfer personal data to certain entities in the United States. So, what relevance does a European court decision, relating to Europe’s General Data Protection Regulation and an arrangement between the EU and the US Department of Commerce, have on personal data processing operations in the GCC?
With regard to the Schrems II decision in particular, data controllers who are subject to the data protection requirements of ADGM in Abu Dhabi, DIFC in Dubai, and QFC in Qatar, should review the basis upon which they have been justifying the transfer of personal data to the US. If the Privacy Shield played any role, then it may be necessary to identify alternative grounds in order for further transfers to be compliant.
In general, the concept of data protection is relatively new to the Gulf Cooperation Council countries. Only Bahrain and Qatar have nationally applicable data protection laws of general application, while two free zones in the UAE (ADGM and DIFC), and the QFC licensing authority in Qatar, also have modern data protection regimes.
In Kuwait, Oman, Saudi Arabia, and ‘mainland’ UAE, there are not currently any modern data protection laws of general application. As a result, data controllers in these jurisdictions would not have been relying on the Privacy Shield as the legal basis for personal data transfers to recipients in the US – so the Schrems II decision has no material effect.
In contrast, in Bahrain, Qatar, ADGM, DIFC, and QFC, the respective laws and regulations generally prohibit the transfer of personal data to jurisdictions not considered to provide an adequate level of protection to personal data, unless a specific derogation applies. We briefly discuss the impact of the Schrems II decision on these jurisdictions.
Bahrain and Qatar
For Bahrain and Qatar, the respective data protection laws contemplate the issuance of lists of jurisdictions deemed to be adequate. Despite this, at the time of writing, no such lists have been issued. As such, Schrems II is of no real consequence; no one in Bahrain or Qatar has been able to rely on the Privacy Shield as a legal basis of personal data transfers to the US.
Abu Dhabi Global Market
ADGM’s Personal Data Regulation 2015 specifically contemplates the application of the Privacy Shield as a mechanism for justifying the transfer of personal data to recipients in the US. The US is listed in ADGM’s list of jurisdictions deemed to provide an adequate level of personal data protection, with the note, ‘subject to compliance with the terms of the EU-US Privacy Shield’.
In our view, as Schrems II has rejected the legitimacy of the Privacy Shield, it would be not be correct for the same mechanism to continue to be recognised by ADGM. The wording of the note in the ADGM regulation itself is sufficient to conclude that, as the Privacy Shield was rejected by the ECJ, it is no longer a legitimate basis for personal data transfers from ADGM to the US pursuant to the ADGM Data Protection Regulation 2015.
Dubai International Financial Centre
In the new DIFC Data Protection Law 2020 (which came into law on 1 July 2020), the application of the Privacy Shield was specifically excluded. Against this background, Schrems II should have no effect on data controllers subject to the DIFC Data Protection Law 2020. Such data controllers were not able to rely on the Privacy Shield from the outset. Any data controllers that have (erroneously) been transferring personal data to the US in reliance on the Privacy Shield mechanism should promptly review their personal data processing activities. (The same can be said for those who may still think that the old ‘Safe Harbor’ mechanism applies.)
Qatar Financial Centre
QFC is in a slightly different position to both ADGM and DIFC. The QFC Data Protection Regulation 2005 contemplates a distinction between transfers to jurisdictions that ensure an adequate level of protection of personal data, and transfers to jurisdictions that do not. Despite this, it does not actually maintain a list of such ‘adequate’ jurisdictions.
The QFC approach could be understood as involving something of a ‘self-assessment’ on the part of the data controller. Data controllers need to assess all the circumstances surrounding personal data transfer operations, including: the nature of the data; the purpose and duration of the proposed processing; the origin and final destination of the personal data; and any relevant laws to which the recipient is subject, including professional rules and security measures. Taking this into account, they may reach a conclusion of adequacy in respect of the recipient’s jurisdiction.
Now, following Schrems II, those QFC data controllers who considered the Privacy Shield as part of their self-assessment will need to reconsider whether all the other circumstances around their personal data transfers to the US will still support a conclusion of adequacy in respect of the recipient’s jurisdiction.
The data protection landscape in the GCC continues to develop, and it is important to keep monitoring it. With regard to the Schrems II decision in particular, data controllers who are subject to the data protection requirements of ADGM in Abu Dhabi, DIFC in Dubai, and QFC in Qatar, will be well advised to review the basis upon which they justify the transfer of personal data to the US. If the Privacy Shield played any role, then alternative grounds need to be identified in order for further transfers to be compliant on this point.