Middle East Focus: Dubai International Finance Centre’s 2020 Data Protection Law

Evolving privacy laws are a global story, and among this year’s additions to the updated privacy regime pile is Dubai International Finance Centre (DIFC) – a Dubai financial centre, hub and free zone – which launched its new data protection law in July 2020.

Privacy is somewhat nascent in the Middle East compared to Europe, which has cut a swathe through the world’s privacy protocols with its catalytic GDPR. But like many areas of the world, the Middle East, including DIFC, has taken note.

“The demand for it [privacy] is bubbling over,” says Richard Chudzynski, PwC Legal’s Middle East Data Protection and Privacy Leader.

“Citizens and residents and everyone is asking for a bit more privacy protection because we’re getting cold calls, we’re getting unsolicited emails and WhatsApp messages constantly. We know that there is some misuse of our data and this requires stronger legislation to counter that..”

Into the mix came DIFC, already ahead of the curve in the region thanks to its 2004 law, first updated in 2007 along the lines of the 1995 European Data Protection Directive. When the GDPR became big news in 2018, DIFC was watching.

“The previous DIFC Data Protection Law, similar to the 1995 EU Directive, wasn’t equipped to deal with the digital age we live in now. The ‘95 Directive was drafted when Mark Zuckerberg was 11 – look how far the world has come since then” says former privacy and data protection lawyer at PWC Middle East Gordon Wade, now Data Protection Officer and Group Legal Counsel at Hostelworld Group.

“DIFC very much is, and wants to continue to be, seen as a leading financial district in the world. To do that, it has to have an up-to-date data protection regime,” adds

Martin Hayward, regional Head of the Technology, Media & Telecommunications practice at law firm Al Tamimi & Company.

For an entity like the DIFC, walking the tightrope of attracting businesses to the region while offering a robust regulatory framework, the appeal and legal certainty of a data protection backdrop somewhat familiar to companies operating in Europe under the GDPR, or in the US under the CCPA, would be a soft landing for those considering opening up in the Zone.

“We watched and we waited a little bit and saw how the rest of 2018 played out and, in January 2019, undertook our first gap analysis and major steps towards enacting an updated law,” says Lori Baker, VP, Legal & Director of Data Protection, Office of the Commissioner of Data Protection and one of the key architects of the law.

The process was swift – with the help of law firm Clyde & Co the law was drafted, and then consulted on in the summer of 2019, and it would have been enacted early in 2020, had the pandemic not hit. But even with the COVID-19 chaos, it was enacted in May, in effect from July, and enforceable from October 1.

The law

The law aimed to retain a lot of core principles with the old regime, to ease the transition for companies established in the region, but also those new to it. But that’s not to say that the new law doesn’t represent significant changes too.

Many commentators point out the law’s similarity to the GDPR, both in its tenets of privacy principles such as accountability and transparency, and much of its content. Baker is upfront about the influence Europe’s flagship regulation has had on the new DIFC regime – though not in isolation.

“What we wanted to do with this law was not just copy and paste the GDPR,” she says.

“We took some of the GDPR because obviously it is a gold standard, ‘leading the way’ type of law. But we looked at how the UK had drafted its Data Protection Act of 2018 and adapted a lot of that, we looked at the California Consumer Privacy Act, we looked at other jurisdictions in Asia because we have a lot of ties and links with them, especially from a FinTech perspective. And we looked at just what we wanted to do in the DIFC, for the ‘Future of Finance’ vision that we are aiming to have in place within the next five years.”

Terms such as the terms “Controller”, “Processor” and “Data Subjects”,

concepts such as that of the Data Protection Officer (DPO) along with requirements to essentially develop records and inventories of data processing operations to understand what data is being captured, how it is used, where it is sent, who it is shared with, how it is secured, and why it is being processed are all familiar concepts for those acquainted with the GDPR.

GDPR-esque aspects such as data protection impact assessments, privacy notices, data subject rights and breach notification also feature, as do adequacy assessments for cross-border data transfers, and the provision for appropriate safeguards to be put in place if transferring to non-adequate jurisdictions.

“We have recognised all of the same countries that the EU has recognised and a few others of our own,” says Baker, adding that “our position is that we will continue to recognise the UK even after Brexit; we decided on that quite a long time ago through our own assessment of the UK DPA 2018.”

But there are deviations from GDPR too.

“We made a few key decisions around certain things that under GDPR were not mandatory. We made them mandatory,” says Baker.

DPOs, for example, must be appointed by companies conducting “High Risk Processing Activities” or by DIFC bodies other than courts.

“We’ll go through and classify the types of entities we have and the likelihood of their understanding of or compliance with the data protection law, and begin reaching out to them with guidance documentation ” Lori Baker

The law also prohibits organisations from discriminating against data subjects for exercising their rights.

A key area of originality allows flexibility with regard to future emerging technology – for example, a type of service or use of technology that might prevent data erasure, perhaps. The new law permits companies to limit certain data subject rights, as long as the subject is fully and clearly apprised of the data processing techniques used and their impact on these rights in notifications and contracts and other communications.

“We needed to be able to ‘underestimate’ ourselves, and leave space in the law for building in a bit of future proofing to tackle emerging technology issues… Exactly those kinds of things where we say, look, we envision that there could be technology that will be at play in the DIFC by some of our entities that have a few blind spots that haven’t even been addressed in data protection jurisprudence yet. We’re asking you in advance to always commit to these basic principles around data subjects’ rights, and providing notification and so on,” Baker explains.

As an international finance centre, DIFC is host to international companies, many of which will be fully aware of the GDPR in their home jurisdictions. However, not all DIFC entities will have embarked on a GDPR compliance journey, and so, particularly for local UAE enterprises or small regional outfits or outposts of companies based in other parts of the Middle East, the law represents a major shift – especially if they had not done much to meet the requirements of the 2007 law.

“The truth is,” says one data protection expert, “historically they do not take it as seriously as they do in Europe”.

The old law “didn’t have the same kind of levels of governance requirements, of documentation, of really bringing data protection into the organisation and flowing it through the organisation end to end. These are new concepts,” adds Hayward.

“To be honest, any kind of judgement that was made or any penalties that were levied under the old law… technically the fines go through the court system and then you can search the court records, which are publicly available. Certainly when we’ve done searches previously, we’re not finding evidence of enforcement cases that are going through the courts and the records have been publicly available. Doesn’t mean they’re not out there. So, whilst we have an understanding of the approach the Data Protection Commissioner’s Office took in relation to enforcement under the old law, we don’t really have the data,” Hayward says.

“But equally the fines regimes under the old law were pretty low… And to be honest, companies could build the risk premium into their business if they wanted to, knowing as well that it was probably a pretty low likelihood that there was going to be an issue.”

The enforcement

After a fairly short lead-in time, on October 1st the new law came into enforceability, although in reality, the new regime is unlikely to really start digging in its heels until the new year, according to Baker.

The Commissioner can fine Controllers and Processors up to $100,000, and DIFC courts can also find errant entities liable for compensation to data subjects as well, which is uncapped.

But the general regulatory culture is one of awareness-raising – at least at the outset, Baker insists.

“We’re not a threatening regulator, we are very pragmatic, we’re very supportive, we want to build a culture of compliance, we don’t want it to be all stick and no carrot and, in fact, quite the opposite. But when it’s warranted, we will take action that we have to take – and we have done in the past,” she says.

In recognition of the fact that the biggest challenge is education about the principles of ethical data management and its potential to be a business enabler, the strategy at the Office of the Commissioner is to reach out to companies and have individual conversations –possible thanks to the DIFC’s relatively small size of just 2500 companies.

The regulator has devised a triage system to identify organisations with the highest amount of personal data – and therefore risk – and then make contact, leading, potentially and eventually, to a fine for non-compliance.

“We’ll go through and classify the types of entities we have and the likelihood of their understanding of or compliance with the data protection law, and begin reaching out to them with guidance documentation that will help them understand why they need to comply and what happens. And certain tolerance thresholds for how long it takes them to respond or to comply, or to provide the information that we need, and an inspection process, if you will,’ explains Baker.

A huge part of that approach is breaking down the requirements into simple terms based around best practice rather than onerous talk of laws and breaches and fines. For smaller companies, that can mean boiling down the requirement to keep a record of processing activities into basic Excel spreadsheets, and keeping compliance checklists.

Don O’Shaughnessy, Dubai-based Group Data Protection Officer at residence and citizenship planning consultancy Henley & Partners, observes that although many companies may not be prepared – as is the case in Europe, still – and may be tempted to take a risk-based approach, the tactic of the Commissioner’s office has been very helpful.

“All due respect to our Commissioner, she has had a very, very simple, ‘if you don’t know what’s going on, reach out to us. We’re open. You can talk to us’. And their calling lines are plain English. Really, really, really simple.”

The response

Given the early days of the new law, whether the long-term effectiveness of this approach remains to be seen. But the engagement is promising, according to Baker.

“Positive or negative, we’ve actually got a lot of response to it generally… for a jurisdiction our size to get 500 people a time on a webinar about data protection is a pretty huge sea change really,” she says.

“So it’s really gaining momentum. I think there’s been definitely a huge cultural shift, the responsiveness is just one piece of evidence of that. We’re getting meaningful questions, not just what’s the law and what do I have to do?”

But some believe the process might involve a lengthier mindset shift.

Chudzynski says “I got in touch with an organisation last week; it has a full programme in Europe, it’s on delay mode and therefore it’s in breach as we currently stand. It wants to do something, but is delaying in taking this forward, budgets are tight and the pandemic has not helped as to what organisations are prioritising at the moment’

“A number of organisations are not taking it seriously enough, but [that’s] not for want of the DIFC alerting them to it, because it is doing supervisory and enforcement visits,” he adds.

Chudzynski believes that what will really kickstart compliance in the region generally is the fear of reputational damage.

“A catalyst for getting organisations to understand the importance of privacy across the region will be a major breach that causes data subjects to be severely affected and part of that processing happens out of an organisation based in the Middle East, and such reputational damage is then highlighted across the international press.

Operational challenges

There are real operational challenges of course, and preparing an inventory and data map of all personal data processing flows is a time-consuming task that is organic and never completed. In addition, businesses are reporting the challenges of complying with different data protection regimes across the region. Chudzynski recommends benchmarking with another comprehensive regime like the GDPR, the most mature privacy law of its type.

The DIFC law has some extraterritorial reach – the law attaches to DIFC-incorporated companies or non-DIFC entities processing data in the DIFC by means of stable and regular processing arrangements – which can raise some issues, according to Hayward.

“A lot of the way that companies are structured regionally here, they’ve got big hubs in the DIFC. So where they’ve got lots of regional offices, particularly banks, they will pump a lot of data into the DIFC, and that raises a couple of issues. One, the fact that that means they’ve got a lot of data in the DIFC, which is now subject to the DIFC data protection law. Plus, there are companies using the DIFC entities for back-office processing, who may well get caught by the extraterritorial limb of the new law,” he explains.

“It needs analysis, and is on a case-by-case basis. But it has led to quite a lot of attention, particularly from a lot of the international banks, to kind of figure out whether their operations in Saudi Arabia or Egypt or wherever, that are basically using DIFC as a clearing house or for other back-office services, are going to get caught by the law.”

Governance might also be a stretch for some organisations: “Should this sit in legal, should it sit in risk, should it sit compliance, should it sit in IT security? And then they say well, we don’t have a never-ending budget for this and who wants it? If you’ve got someone who’s not interested in it, it’s never going to run,” says Chudzynski.

“I always say don’t worry too much about where it sits. Who is interested in this subject matter and topic and will drive your privacy agenda forward, that is the most important factor? Privacy is organisational wide and, again, that’s a difficult thing that organisations find hard to grasp – it doesn’t just sit with one department.”

The rise of the DPO could be a stumbling block for those whom the role is now mandatory, in terms of understanding the necessity, reporting structure and recruitment, says O’Shaughnessy.

“There is a talent pool. The talent pool is nowhere near as vast as it would be in Europe.

You have a lot of lawyers out here that would be information technology lawyers. However, they’re not experienced in the ways of data protection and the laws of it, so when you’re trying to explain to them about how it should all be imposed, they see more of the black and the white, and they don’t see the grey,” he says.

“One of the things I will always state if you’re hiring someone as a DPO role, is to hire them on a short-term contract. Because as a company, you’re not going to know how good they are until the time really comes.”

When it comes to implementation, there are those who have invested time and effort in becoming fully compliant, but also many organisations which have taken a phased approach, prioritising quick wins, says Hayward. In many cases this might have involved adjusting to a move away from a consent-based framework for lawful processing to broader range of lawful bases, particularly in internal policies and employee data.

Regional significance

The new DIFC law contributes to a data protection conversation that has been happening in the region for some time, with dedicated privacy laws recently seen in, for example, Bahrain and Egypt.

Some states are expected to introduce new or updated data protection regimes in the near future, such as Oman, the UAE at a federal level, and the Abu Dhabi Global Market, which closed a consultation period on its proposed updated Data Protection Regulations earlier in December.

Middle Eastern states have applied individual regulatory approaches, in some cases, as with the Bahrain law, including criminal penalty frameworks – although these could be seen as a deterrent to doing business in a particular country.

Baker hopes that that the DIFC’s law is able to play an influential role and inform the discussion in the region more broadly for states considering adding new or revised regimes into the mix.

“There are people here in very high leadership positions that are getting their arms around this topic at a breakneck speed and doing it really, really well. So, I hope that there will be that cooperation and consistency. For the sake of the region, it would be really just difficult and slow and not good for international trade or commerce to have fragmented data protection regimes,” she says.

Effective, globally recognised data protection laws are likely to support and “drive the agenda of technologising the Middle East,” says Gordon Wade, who observes a growth in cloud data, cyber security, Internet of Things and other regulation as technology propels innovation in the region.

“Certainly from a European perspective, laws that are designed to attract in the major technology players in the markets – and I do know the UAE want the AWSs, the SalesForces, the Facebooks, the Googles etc. to set up their data centres across the Middle East – should bring greater legal certainty for businesses about the privacy operating environment. A bit like the GDPR, and as would be expected of any UAE federal law that comes in, it’s going to be a data localisation law, restricting transfers outside the DIFC – they want to house the data in situ in the region. I think it will be a big driver for those companies to come in and set up their data centres and generate revenue, generate jobs,” he adds.

Back in the DIFC, Baker advises any nascent data protection regulatory regime to have a regulator “ready to go” in order for entities to take laws and regulations seriously.

Chudzynski agrees: “It’s the regulators that really hold the key because as one organisation told me in Bahrain, ‘I ain’t going to do anything until the regulator is set up, because who is going to enforce against me?’ So they’ve got a law, but it really has not pushed the needle. And it has to, the Bahrain law, because it has criminal sanctions so it really has teeth but until there’s an effective regulator set up and operating, then it’s going to be difficult to move forward.”

For Hayward, the establishment of effective regulators could even be the key to deeper collaboration across the region on data protection – interesting, given the currently unlikelihood of any formal Middle East-wide data protection framework.

“A lot of the challenge here is that they bring the law out but you don’t see the supervisory authority for a period afterwards… what would be interesting for us would be how the people who are running those authorities, how they come together… because to some extent, whether or not you have a regional law, it may well be the case that you see the regulators taking a consistent approach – that may well be the first stage to getting more coherence regionally.”