In January, we commented on the release of a consultation paper by Abu Dhabi Global Market (ADGM) relating to proposed employment regulations. At the time, ADGM indicated that it would not be introducing more general legislation to regulate the handling and processing of personal data in the new free zone.
The Board of Directors of ADGM has subsequently reconsidered the issue and issued a consultation paper inviting public comment on a proposed set of standalone data protection regulations. This would be an alternative to the individual provisions currently legislating for a limited level of data protection on the employment regulations.
The draft ADGM Data Protection Regulations are modeled on European legislation, specifically the current EU Data Protection Directive 95/46/EC. Although the consultation paper notes that the Board is aware of the current proposals in Europe for adoption of a new General Data Protection Regulation, it acknowledges that the final text is yet to be agreed and the current Directive is likely to be applicable for at least two years after publication of the final version of the new regulation. As a result, the draft Data Protection Regulations for ADGM do not attempt to pre-empt any proposed modifications to European laws.
The draft ADGM Data Protection Regulations contain general rules on the processing of personal data that are very similar to the core principles of the EU Data Protection Directive. There are also equivalent rights for data subjects, obligations to notify the Registrar in relation to processing activities and certain powers and sanctions available to the Registrar to enforce the Regulations. Data controllers in ADGM will have to be aware of some departures from European law, particularly the requirement for a data subject to given “written consent” to the processing of any personal data (sensitive or non-sensitive) and an obligation to notify the Registrar in the event of any “unauthorised intrusion… to any Personal Data database”.
The consultation paper asks whether the Board should adopt a set of standalone data protection regulations for ADGM or rely upon individual data protection provisions in existing regulations.
In addition to protecting the rights of individuals, an important driver for the adoption of data protection rules is to provide a legal framework in which organisations can process personal data in the course of their business operations. Many of the organisations that ADGM is seeking to attract will be multinational financial institutions that are used to complying with data protection rules in other jurisdictions. As such, the adoption of specific and standalone data privacy regulations is likely to be helpful in providing certainty to organisations operating in the new free zone and we suspect that this will override any concerns over the additional compliance burden of the proposed regulations.