Is your data updated?

Source: Middle East Insurance Review | Dec 2020

Justin Whelan

As the shift to digitalisation accelerates, data hygiene is imperative and must remain high on the list of priorities for all business sectors, says Mr Justin Whelan of HFW.
 
 
The year 2020 has certainly been a tumultuous one, with the word ‘unprecedented’ being pervasively deployed as all industries grapple with and attempt to rationalise the short- and long-term effects of the pandemic on their business sectors. Indeed, amid the blanket of COVID-19 and the demands it has and is imposing, it can at times be testing for businesses to stay on top of their requirements in other areas, such as data-related regulation.
 
Readers of our previous contributions on cyber security and data protection will be aware of the regional regulations that 2019 brought and, notwithstanding the pandemic, 2020 has been no different in the UAE and beyond.
 
As we approach the end of the calendar year, this article addresses some of the main regulatory developments that have taken place in 2020, which largely serve to emphasise that as the shift to digitalisation accelerates, data hygiene is imperative and must remain high on the list of priorities for all business sectors.
 
The year of legislation
Within the UAE’s DIFC, 2020 heralded the implementation of Law No. 5/2020, repealing and replacing Law No.1/2007 Data Protection Law (as amended) and the Data Protection Regulations. The new law reflects international best practice and imposes new requirements on data controllers and processors that are incorporated in the DIFC, or undertaking data processing activities within the DIFC. Specifically, and very much in line with Europe’s GDPR and California’s Consumer Privacy Act 2020 (CCPA), such businesses require a lawful basis for processing data and now have additional requirements around accountability, data protection impact assessment, appointing a data protection officer, transferring data, and notification to the authorities and to data subjects.
 
Onshore in the UAE, 2020 also saw the UAE’s Insurance Authority (IA) Board of Directors’ Resolution No. 18 of 2020 Concerning the Electronic Insurance Regulations, regulating online and electronic insurance activities. Pursuant to this resolution, licensed firms conducting online/electronic business such as marketing policies, collecting premia and handling claims have a requirement to obtain approval from the IA, with an application process inclusive of contingency plans should the data online/electronic platform be disrupted. Similarly, approval is required should a firm outsource its website management, with the outsourced company required to equally comply with the regulations. Key aspects are that cyber security and data protection measures are essential, and communications officers must be appointed. The resolution also addresses insurance price comparison websites, which must be incorporated in the UAE and registered with the IA.
 
Elsewhere onshore in the UAE, the Federal Government’s Cabinet Resolution No.32 of 2020 builds on Federal Law No. 2 of 2019 on the Use of Information and Communications Technology (ICT) in the Health Sector. The 2019 law was importantly the first piece of federal data protection legislation in the UAE and regulates the health data processing of healthcare service providers including insurers, brokers and claims management companies. Whilst further resolutions are awaited around the centralised IT system that will allow the Ministry of Health and Prevention to collect, analyse and retain health data, Resolution No.32 of 2020 imposes additional cyber security and data protection requirements on those concerned, for instance in the need for encryption when dealing with health data. In Abu Dhabi, 2020’s Standard on Patient Healthcare Data Privacy further expands the above regarding data governance.
 
With advances in digital health and telemedicine in mind, other industry-specific regulations in the UAE in 2020 include the Ministry of Health and Prevention’s Decree No. 321 of 2020 regulating the use of data and information in innovative pharmaceutical products registered in the UAE.
 
Transformative move
From the UAE insurance regulatory perspective, October 2020 saw the headline announcement, contemporaneously first delivered on Twitter, approving the issuance of a federal decree merging the IA with the Central Bank, by which there is to be a transfer of powers of authority to the latter. A stated aim of the merging is economic organisation and an increase in the efficacy of the insurance sector. UAE insurance businesses can expect further legislation around the Central Bank’s supervisory capacity. The move is also directed at making the UAE’s financial markets more competitive. The announcement sits alongside a further decree concerning the powers of the Securities and Commodities Authority (SCA), which also in October 2020 published a draft Regulation for Issuing and Offering Crypto-Assets covering for instance security tokens, asset exchanges, fundraising platforms and tracing requirements.
 
The above is to be considered in the wider context of other stated aims such as the Emirates Blockchain Strategy 2021, that seeks to place the majority of governmental transactions onto blockchain platforms, and the Smart Dubai strategy, that aims for the entire digital operation of government services by the end of next year.
 
Digital acceleration in 2021 and the years to come will also see the continued expansion of online commercial businesses and social media influencing in the UAE. Those involved in such businesses can expect the 2018 Electronic Media Activity Resolution to further mature accordingly.
 
The above regulatory expansions remain very much industry-specific, as opposed to say the all-encompassing personal data privacy nature of GDPR. However, the regulatory environment in the UAE is rapidly evolving and it is fair to assume that it will not be long before we see the announcement in the UAE of a federal, cross-sector, personal data privacy law that will largely align to international principles.
 
Around the region
Other main data-related regulations in the region this year include Egypt’s Personal Data Protection Law No. 151 of 2020, which came into force in October. As with data privacy regimes elsewhere, the law draws on GDPR principles in regulating data processing activities in accordance with international standards, and can be seen as a significant development given the length of time it sat on the drawing board.
 
In Saudi Arabia a law around private data protection is understood to be under review, and future developments on Oman’s and Jordan’s public consultations in this field can be expected. Implementing regulations to Bahrain’s Personal Data Protection Law No. 30 of 2018, which came into force in August 2019, are awaited.
 
Notwithstanding the economic havoc wreaked by the pandemic, 2020 has thus far seen important advances around the world in the requirement for regulation of personal data privacy. By way of illustration, in addition to the California Consumer Privacy Act, Brazil implemented new personal data protection legislation in August 2020. In July 2020 China published a draft Personal Information Protection Law, and Indonesia is set, in November 2020, to become the fifth ASEAN country to implement personal data regulations, following Thailand’s enactment in May 2020 (the other ASEAN countries being Singapore, Malaysia and the Philippines).
 
Various countries around the world have also reacted to the pandemic by issuing personal data guidelines for businesses and employers. Other countries, Turkey for example, extended personal data controller regulatory compliance requirements in 2020 because of COVID-19 related reasons.
 
Global movement towards stricter regulation
A common data privacy theme is that regulators are looking to safeguard and access data by placing the responsibility of protection onto data controllers. Data privacy legislation will drive the need for a greater comprehension of data, and it will necessitate the implementation of processes to comply with increasing regulations.
 
Another main theme of data privacy regulation is that of how to transfer data outside of a relevant jurisdiction, with the common regulatory standard being that to do so it must be to a jurisdiction where there is an adequate level of data processing protection. In this regard, 2020 was also significant with the EU’s Court of Justice landmark ruling in Schrems II in July. The judgment invalidated the EU-US Privacy Shield in transferring personal data to the US, on the basis that the US was unable to secure an adequate level of protection from the operations of US national security surveillance.
 
The rippling ramifications of this EU judgment will be interesting to observe, not least in the context of the historic 2020 Abraham Accords Peace Agreement and the inevitable need for the signatories to the same to be able to transfer personal data as various business sectors collaborate and look to widen and exploit markets.
 
The unprecedented changes that we have witnessed this year, and the ensuing acceleration of all things digital, will inevitably expedite the inexorable march to more and more global legislation around the use of data in everyday life and commerce. The UAE and the wider Middle East are unlikely to be any different to the worldwide movement towards ever stricter data-related regulation and personal data privacy.
 
Mr Justin Whelan is partner at HFW Abu Dhabi.
 