Our comments on the Abu Dhabi Global Market’s Data Protection Regulations, 2020

This blogpost discusses the comments prepared by Ikigai Law with Ms. Arushi Goel (ex-Judge, India and a legal advisor based in UAE) for the draft ‘Data Protection Regulatory Framework’ notified by the Abu Dhabi Global Market in November 2020.

The Abu Dhabi Global Market or ADGM is an international financial centre and a financial free zone in the UAE. On 19 November 2020, the ADGM invited comments on a draft ‘Data Protection Regulatory Framework’ which will replace the ADGM Data Protection Regulations (“Regulations”) notified in 2015. As per the ADGM consultation paper (“Consultation Paper”), the draft framework will align the ADGM’s data protection law with the European Union’s GDPR, the UK Data Protection Act, 2018 and the Consultative Committee of the Convention for the protection of individuals with regard to the processing of personal data.

In our comments, we highlighted the following issues and gave corresponding recommendations:

1. Territorial scope: The Regulations apply to the processing of personal data by a controller or processor in ADGM, irrespective of whether the processing takes place in ADGM or elsewhere.[1] The Consultation Paper on the Regulations states that where a controller is located outside the ADGM, but it uses a processor located in the ADGM, then the Regulations will apply to the Processor.[2]

The territorial scope of the Regulations should not be determined by the location of the Processor. The Controller is the entity which determines the purposes and means of processing the Personal Data. The Processor follows the instructions of the Controller to process the collected Personal Data (which may be collected directly by the Controller, or through a Processor). This means that the Processor will have to process data as per the data protection law applicable to the Controller. The Processor cannot process the Personal Data in a manner different from the law applicable to the Controller, as the Processor is acting on behalf of the Controller. 

For example, if the Controller is bound by the laws of the USA, and the Processor is located in ADGM, then the Processor cannot process the data as per the Regulations. It will have to process the data as per American law.

This clause is a departure from data protection laws like the GDPR and India’s Personal Data Protection Bill, 2019 (“PDP Bill”) which provide for a territorial nexus with the activities of the Controller/Processor or the data subject.[3]

Recommendation– The territorial scope should be linked to a territorial nexus requirement, in terms of the activities of the Controller or Processor, as well as the nationality of the data subject. The activity of the Controller or Processor should either be linked to a business activity in ADGM, or any profiling of Data Subjects within the ADGM.

2. Definition of personal data: The Regulations define ‘Personal Data’ as any information ‘relating’ to a Data Subject. However, the extent of this ‘relation’ is not defined in the Regulations. This definition can be interpreted in a wide manner to also include anonymized non-personal data, which should technically be excluded from the scope of a personal data protection regulation.

For example, companies often collect personal information about their customers. However, they may combine anonymized data of hundreds of customers to derive useful insights such as areas where the number of customers is high, the average amount of money spent by a customer, best-selling products etc. Though these insights are derived from the personal data provided by individuals, the insights themselves do not reveal any person’s identity. Thus, these insights should not qualify as ‘personal data’.

Recommendation– Most data protection laws, such as the GDPR[4] or Singapore’s Personal Data Protection Act, 2012, use ‘identifiability’ as the criterion to define personal data, i.e. whether an individual can be identified from that data. The ADGM should adopt the same criterion to define ‘personal data’.

3. Impact of the regulations on emerging technologies: The Regulations follow various data protection principles given in the GDPR. These include principles such as purpose limitation, data minimization, data subject rights etc. However, these principles may not always accommodate emerging technologies such as artificial intelligence or blockchain. They may go against the very nature of these technologies.

For example, blockchain technology stores information immutably. It may be possible that data once stored cannot easily be removed from the blockchain network. This may also make it difficult for blockchain-based products or services to follow principles of purpose limitation or data minimization, or allow Data Subjects to exercise a right to erasure or correction.

Another example is of products or services that use artificial intelligence or machine learning (“AI/ML”) based technology. The Regulations impose a requirement for AI-based systems to provide ‘meaningful information’ about the ‘logic involved’ in the operation of such systems.[5] Furthermore, there is an obligation imposed on the Controller to provide the Data Subject information ‘prior to’ further Processing if it relates to a purpose other than for which the Personal Data was collected.[6]

Use of algorithms for fully or partially automated decision making suffers from explainability challenges. Big data analytics involves processing huge datasets in myriad ways, some of which may not be known at the outset, making it difficult to procure effective consent of the Data Subject prior to such processing. AI based technologies may also challenge principles of purpose limitation and data minimisation, as AI services often rely on storing datasets to train their algorithmic models.

Recommendation– There must be guidance provided by the relevant authority under the Regulations on interpreting the Regulations in a manner that accommodates new and emerging technologies. For example, the European Parliament has mentioned in a study that where the dataset is anonymised or where the personal data is being used in connection with the original purpose, then the concerned regulations must be interpreted to accommodate AI-based processing.[7]

Similarly, to reconcile the use of emerging technologies with principles like right of withdrawal of consent/right to erasure, we refer to the data protection law of the Dubai International Financial Centre (“DIFC”). It allows data to be archived in a manner that would put it ‘beyond further use’, where the data cannot be permanently deleted/anonymised/encrypted.[8] This ensures that emerging technologies such as blockchain can also function within the data protection framework.

4. Adequacy requirement for cross border data transfers: The Regulations have borrowed the concept of ‘adequacy’ from the GDPR, though the existing 2015 data protection regulations also provide for a different adequacy regime. However, both adequacy regimes are starkly different from one another.

The adequacy regime under the 2015 regulations is less complex than the one under the Regulations. The 2015 regulations provide for an inclusive list of four simple parameters that are used to assess the ‘adequacy’ of a jurisdiction in terms of the protection afforded by its laws.[9] There are 42 countries that are deemed to be adequate under the 2015 regulations.[10]

However, the adequacy regime under the Regulations will be complicated. The Commissioner of Data Protection will have to undertake a comprehensive review of the laws of the recipient jurisdiction on public security, defence, national security and criminal law; access of public authorities to personal data; implementation status of all these laws etc.[11] The Commissioner of Data Protection may have to review the current adequacy status granted to the 42 countries. It will be a heavy regulatory burden for the Commissioner to undertake a comprehensive review of the laws of these 42 countries, in addition to verifying the other requirements. It is also possible that many of these 42 countries may not meet the adequacy criteria under the Regulations. Importantly, these adequacy decisions will have to be reviewed every four years.[12] There is no such requirement under the 2015 regulations.

Additionally, it is also difficult for other jurisdictions to obtain adequacy status under this GDPR-like regime. Advanced economies like Japan, Switzerland and New Zealand have been able to meet the adequacy requirements under the GDPR.[13] However, even after significant changes to local legislation, multiple rounds of negotiation with the EU authorities, and several administrative changes, countries find it extremely difficult to obtain EU adequacy approvals.[14] Such a requirement could make the ADGM a less attractive jurisdiction for technology-based businesses. Additionally, a complicated adequacy regime can act as a hindrance in enabling cross border data flows.

Recommendation– Instead of adopting the adequacy regime of the GDPR, the Regulations should incorporate the adequacy regime under the existing 2015 regulations. The existing adequacy regime can be strengthened further, but it need not be replaced completely with a GDPR-like adequacy regime. This will ensure continuity of the adequacy status of the currently adequate 42 jurisdictions. It will also prevent any increase in the regulatory burden of the Commissioner of Data Protection and other relevant authorities.

5. Charging data subjects for exercising their rights under the Regulations: The Regulations require Data Controllers and Processors to implement the rights of Data Subjects ‘free of charge’.[15] This can impose a heavy financial burden on Controllers and Processors, especially multi-national companies which may also be implementing similar rights in other jurisdictions.

New companies in the ADGM will already have to incur financial expenditure for overhauling their data processing architecture to become compliant with the Regulations. If they are not allowed to charge Data Subjects for implementing their rights, it would add to their financial burden. Importantly, a fee would ensure that Data Subjects exercise their rights responsibly under the Regulations.

Recommendation– We recommend that Controllers and Processors should be allowed to charge a reasonable fee for implementing the various rights provided to Data Subjects in the Regulations. Another alternative is to allow Controllers/Processors to charge a fee only for specific rights. For example, India’s proposed data protection law allows Controllers to charge for implementing the right to data portability and the right to be forgotten.[16]

6. Transition period to comply with the regulations: The Regulations currently provide a time period of 6 months for new establishments, and 12 months for existing establishments to comply with the Regulations.[17] However, this time period may not be sufficient to comply with a complex legislation.

Though existing establishments in the ADGM would already be compliant with the 2015 regulations, there are still many new requirements in the Regulations. Even the GDPR had provided a transition period of 24 months to allow entities to comply with it.[18]

Recommendation– The Regulations should provide a 24-month transition period for existing establishments, and a 12-month transition period for new establishments.


Image credits: ADGM


[1] Clause 3 of the Regulations.

[2] Para B(15), Consultation Paper No. 6 of 2020, New Data Protection Regulatory Framework, ADGM, 19 November 2020.

[3] Clause 2(c) of the PDP Bill; Art. 3(2) of the GDPR.

[4] Art. 4(1) of the GDPR; Section 2(1) of Singapore’s Personal Data Protection Act, 2012.

[5] Clause 11(2)(g) of the Regulations.

[6] Clause 11(3) of the Regulations.

[7] The impact of the GDPR on AI, Study by the Panel for the Future of Science and Technology, European Parliamentary Research Service, June 2020, https://www.europarl.europa.eu/RegData/etudes/STUD/2020/641530/EPRS_STU(2020)641530_EN.pdf.

[8] Clause 22(2), Data Protection Law, DIFC Law No. 5 of 2020.

[9] Section 4(2), ADGM Data Protection Regulations, 2015, https://en.adgm.thomsonreuters.com/sites/default/files/net_file_store/Consolidated_Version_Data_Protection_Regulations_2015_February_01_2018.pdf.

[10] Schedule 3, ADGM Data Protection Regulations, 2015.

[11] Clause 40(2) of the Regulations.

[12] Clause 40(3) of the Regulations.

[13] Adequacy decisions, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions

[14] South Korea: The long road to adequacy, Data Guidance, March 2020, https://www.dataguidance.com/opinion/south-korea-long-road-adequacy.

[15] Clause 10(6) of the Regulations.

[16] Clauses 19 and 20 of the PDP Bill.

[17] Clause 62 of the Regulations.

[18] GDPR enters into application, European Commission, 25 May 2018, https://ec.europa.eu/commission/news/general-data-protection-regulation-enters-application-2018-may-25_en.
