Abu Dhabi’s financial free zone regulator has passed a number of amendments to its regime, including recognition of DIFC for data exports and an increase in the maximum fine. This article examines the various changes that companies operating in, or dealing with, ADGM will need to consider in order to remain compliant.
Abu Dhabi Global Market (ADGM), the international financial centre established in the UAE capital, has announced a number of amendments to the ADGM Data Protection Regulations 2015 (the Regulations) effective from 1 February 2018.
The Data Protection (Amendment) Regulations 2018 contain updates that will bring some of the definitions closer to international standards, provide clarity around the timing of certain obligations and expand the number of jurisdictions approved for the transfer of personal data. A higher maximum fine and other changes will enhance the enforcement powers of the newly-formed Office of Data Protection (ODP), which was established in December 2017 as the independent data protection regulator for ADGM.
Summary of changes
The Regulations primarily impose obligations on "Data Controllers", i.e. persons in ADGM (excluding individuals acting in their capacity as employees) who alone or jointly with others determine the purposes and means of processing personal data. All Data Controllers were already required to notify the ODP and to comply with the Regulations in relation to the processing of personal data.
The latest update was finalised after a public consultation process initiated by the ADGM Regulatory Authority and will introduce the following key changes to the Regulations:
- Amendments to core definitions: Among other changes, the definition of "Sensitive Personal Data" has been expanded to include personal data concerning an individual's criminal record. This addresses a disparity that existed in relation to the same concept under European legislation. Similarly, "Data" and "Relevant Filing System" have been introduced as new definitions in the Regulations. These amendments make it clearer that "Personal Data" extends only to information that is processed by automatic means or otherwise in a structured manner.
- Expansion of jurisdictions deemed suitable for data export: The number of jurisdictions that are deemed to offer an adequate level of protection for personal data to allow for easier transfers from ADGM has been expanded from 39 to 42 with the addition of Andorra, Faeroe Islands and Dubai International Financial Centre (DIFC). The inclusion of DIFC will be particularly helpful to organisations with establishments in both free zones, although it is notable that DIFC does not currently reciprocate with recognition of ADGM in its own list of permitted jurisdictions. The status of Canada has been narrowed to acknowledge only those recipients that are subject to the Canadian Personal Information Protection and Electronic Documents Act and the Regulations have clarified that transfers to the US should be subject to compliance with the terms of the EU-US Privacy Shield (replacing the previous reference to the former Safe Harbour scheme).
- Updated breach notification timelines: The original version of the Regulations stated that Data Controllers should inform the Registrar "as soon as reasonably practicable" in the event of any unauthorised intrusion (including loss or disclosure) to any personal data. This has now been clarified with the words "without undue delay, and where feasible, not later than 72 hours after becoming aware of it". This mirrors the language of the incoming EU General Data Protection Regulation (see 'Comment' below) and represents a significant advancement in breach reporting requirements in the Middle East. Both the DIFC Data Protection Law and Qatar's Personal Data Privacy Law require breaches to be notified to the respective authorities, but neither of those regimes currently imposes any specific deadline.
- Enhanced enforcement powers: A new provision in the Regulations states that enforcement-related certificates signed by the Registrar shall be deemed conclusive evidence of the application of the enforcement action in question and prima facie evidence of the facts contained in the direction or notice. These changes provide additional clarity in relation to the status of the Registrar's notices to support its ability to enforce the Regulations. The maximum fine payable for non-compliance with any direction of the Registrar is increased from USD 15,000 to USD 25,000. This also applies to any failure to comply with the Regulations or rules made pursuant to the Regulations.
- Notifications: While it was previously only implied that Data Controllers should notify the Registrar of the appointment of any Data Processor, this is now explicitly stated in the Regulations. Data Controllers must notify the Registrar of the appointment, cessation or change in particulars of any Data Processor within one month of the relevant date. While there is no fee for these notifications, this requirement to provide the authorities with details of third party processors is a distinct feature of the ADGM regime and not typically required in Europe, DIFC or other jurisdictions.
All of the amendments have been incorporated into an unofficial consolidated version of the Regulations that has been made available on the ADGM website for ease of reference.
The changes introduced by ADGM should be broadly welcomed by international organisations operating in the free zone due to closer alignment with international standards (with the exception of the requirement to notify details of third party processors). The enhanced enforcement powers should offer additional protection for data subjects and the recognition of other jurisdictions – particularly DIFC – will be welcomed by organisations that use processors or business partners in other locations.
Data Controllers will need to ensure that their processes are aligned with the new obligations and timings, particularly in respect of breach notification where incident response plans may need to be updated.
In the consultation paper on the latest changes, ADGM noted that it was aware of the incoming EU General Data Protection Regulation (GDPR) that will replace the current European data protection regime from 25 May 2018. However, this round of amendments has pointedly not attempted to pre-empt GDPR. The DPO has instead chosen to adopt a "wait and see" approach on the new European legislation before deciding whether the Regulations will be further amended to align with GDPR.