The DIFC is a front runner in the region in proposing data protection laws more closely aligned with the GDPR, and ultimately this is the direction in which the region is going to move. Whether your firm is in the DIFC or elsewhere in the region, it is best to take the proposed legislation on board now rather than later.
Here we look at the key elements of the proposed data protection law and how the law compares to the biggest shakeup in data protection and privacy regulation in Europe to date, the General Data Protection Regulation (GDPR).
The proposed law is based on concepts and principles within the GDPR, together with modifications that reflect the latest developments in privacy, technology and security law.
The aim of the proposed law, which will replace the existing Data Protection Law No. 1 of 2007, is to:
- incorporate international best practices including the GDPR and the California Consumer Privacy Act
- expand the compliance framework including in relation to data breach notification, prior consultation and the appointment of a data protection officer
- provide clarity on consent and data subjects’ rights
- amend the powers of the Commissioner of Data Protection, administrative requirements and sanctions/enforcement
As with the GDPR, the proposed law establishes precise rules for how personal data is collected, transferred, processed and stored, and grants data subjects certain rights and protections regarding their personal information. This creates new responsibilities for companies, which now need to ensure the privacy and protection of personal data. Companies that do not comply with the rules may be fined.
The proposed law is relevant to:
- companies operating in the DIFC
- customers and employees of such companies
- parties seeking to enter into transactions with companies in the DIFC, including those providing services to companies in the DIFC
- international groups of companies with data flows in and out of the DIFC
- compliance and legal advisors
The proposed law applies to the processing of personal data in the context of the activities of a processor or controller conducting, or attempting to conduct, business in or from the DIFC, whether or not the processing itself takes place in the DIFC.
The difference lies in what triggers territorial scope. The GDPR reaches companies established in the Union and, regardless of where the company is located, companies that process the personal data of data subjects in the Union when offering them goods or services or monitoring their behaviour. The proposed DIFC law turns instead on the controller's or processor's connection to the DIFC and is indifferent to where the data subjects reside.
The proposed law introduces a wide range of rights for the data subject, most of which mirror rights under the GDPR; the right to non-discrimination is borrowed from the California Consumer Privacy Act rather than the GDPR. The proposed law sets out which rights are absolute and which are subject to certain conditions. The rights granted are:
- right to withdraw consent
- right to access, rectification and erasure of personal data
- right to object to processing
- right to restriction of processing
- right to data portability
- right not to be subject to a decision based solely on automated processing
- right to non-discrimination.
There is a key difference between the GDPR and the proposed law in how certain data subject rights interact with technology. For example, the proposed law gives individuals the right to request that their data be erased, provided certain conditions apply, but if a company finds it technically impossible or unfeasible to rectify or erase data because of constraints in its IT systems, it may not be required to comply. The GDPR contains no equivalent carve-out, so a firm relying on it should expect to have to show why rectification or erasure was not feasible rather than merely inconvenient.
There are six lawful bases on which companies can process personal data. The one most commonly relied on by private sector businesses is the consent of the data subject, yet it may also be the least attractive because of the requirements for obtaining and managing valid consent: once given, consent can be withdrawn at any time, and withdrawing it must be as easy as giving it.
The six lawful bases are listed below and are the same across the GDPR and the proposed law.
- Consent: the individual has given clear consent for a specific purpose.
- Contract: processing is necessary for a contract the firm has with the individual, or because the individual has requested the firm to take specific steps before finalising the contract.
- Legal obligation: processing is necessary for the firm to comply with the law (does not include contractual obligations).
- Vital interests: processing is necessary to protect the life of the data subject or of another person.
- Public task: processing is necessary for the firm to perform a task in the public interest or to exercise its official functions.
- Legitimate interest: processing is necessary for legitimate interests, except where such interests are overridden by the interests or rights of the data subject.
Under the GDPR, companies are required to appoint a data protection officer (DPO) to help them comply with their obligations where their core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of (sensitive) personal data. The DPO is responsible for monitoring compliance, and the requirement applies whether the company acts as a processor or a controller.
Under the proposed DIFC law, the requirement to appoint a DPO exists if the company undertakes ‘high risk processing activities’, rather than ‘large scale’. A non-exhaustive list of types and categories of processing operations which are considered to be high risk is yet to be published by the Commissioner of Data Protection.
DPOs will also be required to complete an annual assessment reporting on their processing activities and indicating whether they anticipate performing high risk processing activities in the following year.
The proposed law states that all controllers must implement and maintain an appropriate written data protection policy. Processors, however, are only required to implement and maintain a policy where it is proportionate in relation to the processing activities.
Under the GDPR, adopting data protection policies is one of the measures a controller should implement where proportionate to its processing activities; it is a way of ensuring and demonstrating compliance rather than a freestanding requirement.
The GDPR and the proposed law set out slightly different reasons and timescales for a breach needing to be reported.
Under the proposed DIFC law, companies will be obliged to report a personal data breach to the Commissioner of Data Protection as soon as is feasible in the circumstances, where the breach compromises a data subject's confidentiality, security or privacy.
Where the breach is likely to result in a high risk to confidentiality, security or privacy, the controller must also, as soon as is feasible, notify the affected data subjects.
Under the GDPR, a controller must report a breach to the competent supervisory authority (the Information Commissioner's Office, or ICO, in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it. The controller must assess the likelihood and severity of the resulting risk to individuals' rights and freedoms; notification is required unless the breach is unlikely to result in such a risk.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR states that those concerned must be informed directly and without undue delay.
Both laws set out further conditions on this topic so that you can correctly identify whether notification to the Commissioner of Data Protection or supervisory authority, and to data subjects, is necessary. In all cases it is important to document fully the facts of the breach, its effects and the remedial action taken; under the GDPR this record must be kept whether or not the breach is notified.
Transfers of personal data outside the EEA (under the GDPR) and outside the DIFC (under the proposed law) are permitted only where specific conditions are met. Companies must check that those conditions are satisfied before a transfer is made, or they may find themselves in breach of the rules.
The proposed law states that the Commissioner of Data Protection shall determine which jurisdictions and international organisations provide an adequate level of data protection. However, in the absence of an available adequate level of data protection, there are other conditions which, if met, may mean that a transfer may still be viable.
For a transfer to go ahead under the GDPR, the European Commission must have made an 'adequacy decision' covering the country or territory where the recipient is located, or a sector that covers the recipient. If no adequacy decision is available, the transfer may still be made provided appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules.
Under both the GDPR and the proposed DIFC law, a written agreement must be in place between the controller and the processor. This agreement sets out:
- the subject matter of the processing
- the duration of the processing
- the nature and purpose of the processing
- the type of personal data involved
- the categories of data subject
- the controller’s obligations and rights
The DIFC law also introduces the concept of joint controllers, mirroring the GDPR: two or more controllers who jointly determine the purposes and means of processing. An agreement must be in place setting out their respective responsibilities for compliance with the law, so that there is no confusion about who is accountable for which obligations.
Both the GDPR and the proposed law talk about using certification schemes as a way for companies to demonstrate compliance. Participation in these types of schemes is currently voluntary but this may change in the future to allow firms to be more structured in evidencing their accountability.
The schedule of fines in the current DIFC data protection law has not been carried through to the proposed law because the Commissioner of Data Protection believes that a schedule of this kind may drive the wrong kind of behaviour, with breaches of the law being seen as “priced”. There are therefore no limits stated in the proposed law and the penalties will depend on the seriousness of the contravention and the risk and actual harm to data subjects.
The GDPR takes a different approach, with two tiers depending on severity: less severe infringements can attract a fine of up to €10 million or 2% of the firm's total worldwide annual turnover for the preceding financial year (whichever is higher), while more serious infringements can attract up to €20 million or 4% of that turnover (whichever is higher).
The proposed DIFC data protection law is in the same spirit as the GDPR, placing accountability obligations on companies and giving individuals more rights. The DIFC has made modest changes in light of the GDPR's introduction, and further alterations may follow, with the proposed law taking account of developments in technology, security and privacy.
Both the DIFC law and the GDPR refer to data protection by design and by default, so companies will need a data protection framework that embeds accountability measures and builds a data protection culture across the company. Training employees to understand their responsibilities is of paramount importance to staying on the right side of the law.
The introduction of more robust rules in relation to data protection should be welcomed by companies, as being accountable can help to build trust with clients and may help to mitigate enforcement action.
Questions every firm should now be asking itself:
- Is your firm aware of all personal data it receives?
- Is your firm in receipt of any sensitive personal data?
- Is the personal data being handled and processed with due care and in a lawful manner?
- Is your firm transferring personal data outside the DIFC?
- Is your firm providing the DIFC Commissioner of Data Protection with the proper and timely disclosures?
- Is your firm's IT platform providing adequate protection to stored personal data?
- Do your procedures allow for the timely collection of data subjects' consent?