Al Tamimi recently had the opportunity to participate in a round of public consultations on the draft regulations to the newly established Abu Dhabi Global Market (“ADGM”).
In this article, we look at the scope of the consultation and outline some of the observations we made.
Abu Dhabi Global Market is an international financial centre established in accordance with the Federal Law No. 8 of 2004, Federal Decree No. 15 of 2013, Cabinet Resolution No. 4 of 2013 and Abu Dhabi Law No. 4 of 2013. It is seeking to introduce the type of regulatory framework necessary to ensure a business-friendly environment that operates in line with international best practice. One aspect of this involves providing an opportunity for public consultation on its draft regulations.
Amongst other draft regulations, we had the opportunity to comment on ADGM’s draft Data Protection Regulations 2015 (“Regulations”). The primary issue posed for consideration by ADGM was:
Should the ADGM Board adopt a set of stand-alone data protection regulations, or should it rely upon individual data protection provisions in existing regulations?
The reference to existing regulations is a reference to Article 51 of ADGM’s Employment Regulations 2015 (‘‘Employment Regulatioms”). Article 51 provides a data protection framework specific to the processing of personal data relating to employees of ADGM licensed entities.
In our view, ADGM’s approach of seeking to introduce a broader data protection regime is preferable to having data protection provisions aimed only at the employment relationship. The principles relating to the appropriate treatment of personal data should apply broadly to personal data relating to all natural persons, not only to the employees of data controllers. For example, personal data relating to natural persons who are clients (existing or potential) of data controllers and personal data relating to the personnel of others (eg. service providers to data controllers), should be afforded the same protection as personal data relating to a data controller’s employees.
Additionally, data protection is a highly relevant compliance issue for many individuals and organisations located in other jurisdictions. To seek to address data protection by way of a discrete provision in the Employment Regulations would send the market the wrong message and could even be construed as a failure on the part of ADGM to understand the issues. ADGM needs to take data protection issues seriously and it needs to be seen to do so. A set of stand-alone data protection regulations highlights ADGM’s commitment to ensuring that personal data is processed appropriately. Seeking to rely on Article 51 of the Employment Regulations would not send that message.
The Regulations also propose the repeal of Article 51, removing the ambiguity that would otherwise arise if the personal data of different types of data subjects was treated differently under separate regulations.
Beyond the observations directed to the issue posed for consideration, we also took the opportunity to make some more general observations regarding the Regulations.
The Regulations replicate significant portions of the DIFC Data Protection Law, whilst notably removing some prescriptive language and unwieldy definitions found in that legislation.
ADGM noted that developments in Europe indicate that EU Data Protection Directive 95/46/EC is outdated, and the General Data Protection Regulation is under consideration there. Were ADGM poised to adopt regulations more closely aligned with the General Data Protection Regulation, it could be seen as the data protection leader in this region.
The Regulations address transfers of personal data out of the ADGM jurisdiction in the absence of an adequate level of protection. Some European jurisdictions allow for the risk of transfers to recipients located in such jurisdictions to be addressed by way of a ‘Data Transfer Agreement’ or ‘Binding Corporate Rules’, which essentially provide a contractual basis for ensuring that data protection principles are respected in the context of data transfers out of the jurisdiction. Adopting this type of approach would enhance the Regulations, respecting data protection requirements while reflecting the need for flexibility and commercial pragmatism.
The Regulations address security of processing of personal data, and include an obligation on the data controller, or the data processor carrying out the data controller’s function at the time of an intrusion, to notify the ADGM registrar of a data breach incident. In practical terms, it may be appropriate to consider whether the obligation should fall on the data processor only in the event that the data controller fails to notify the ADGM registrar in a timely manner. In practice, noting that data processors could be in locations around the world, it would be unlikely for them to be aware of the Regulations - or to initiate a notification to the ADGM registrar other than by way of the data controller.
As a general point, we observed that the Regulations are well-drafted and are likely to be welcomed by those wishing to set up in the Abu Dhabi Global Market.