Data Protection Report - Norton Rose Fulbright

Omnibus data privacy laws are few and far between in the Middle East. None of the six states of the Gulf Co-Operation Council (GCC)—which comprises Saudi Arabia, Kuwait, Oman, Qatar, Bahrain and the United Arab Emirates—have issued national privacy legislation, although several have draft regulations under consideration.

By contrast, the financial “free zone” jurisdictions of Dubai International Financial Centre (DIFC) and Qatar Financial Centre (QFC) have both adopted European-style data protection regulations.

Abu Dhabi Global Market (ADGM) is the proposed new financial services free zone on Al Maryah Island in the UAE’s capital city of Abu Dhabi. Like DIFC and QFC, it will have independent courts of first instance and appeal to oversee the jurisdiction of the free zone.

Unlike its more established neighbours, though, ADGM has decided not to introduce general legislation regulating the handling and processing of personal data in the first wave of draft regulations issued for public consultation this month.

There are, however, proposals to place certain limited obligations on employers operating in ADGM in relation to personal data relating to their employees.

The relevant provision in the draft Employment Regulations reads as follows:

“50. Data Protection

  (1) In relation to Personal Data relating to an Employee, the Employer shall ensure that such Personal Data:
    (a) is processed fairly, lawfully and securely;
    (b) is obtained and processed only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
    (c) must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or processed;
    (d) must be accurate and, where necessary, kept up to date; and
    (e) must not be kept for longer than is necessary by the Employer.
  (2) The Employer shall take all reasonable steps to ensure that Personal Data relating to an Employee which is inaccurate or incomplete, having regard to purpose for which it was obtained and processed, is erased or rectified.”

Personal Data is defined in the draft regulations as “any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity”.

The principles contained in the draft regulation are relatively consistent with the first five of the eight European data protection principles.

The addition of “securely” in Regulation 50(1)(a) potentially also covers aspects of the seventh European data protection principle (the obligation to implement appropriate technical and organisational measures against unauthorised or unlawful processing and accidental loss or destruction of, or damage to, personal data).

The draft Regulations do not provide for any further interpretation of these basic principles (as outlined, for example, in Part II of Schedule 1 to the UK Data Protection Act 1998).

While this leaves some scope for uncertainty in respect of the obligations on Employers, we assume that interpretation will follow English law authorities on the equivalent principles (other regulations issued by the authority confirm that English common law will be the underlying legal framework for ADGM).

The consultation paper notes that an employment tribunal system will be considered in due course but, until then, the rights and obligations will be enforced directly through the court.

It is unclear, however, whether these principles are intended to grant rights directly to employees of companies in ADGM.

Sub-section (2) of Regulation 50 imports an obligation on the Employer to erase or rectify any Personal Data relating to an Employee which is “inaccurate or incomplete”.

Without any specific rights of access being granted to Employees, it is difficult to envisage how any inaccuracy or incompleteness would be discovered. Moreover, it is unclear what this sub-section adds to the obligation under sub-section (1)(d) to ensure that the data is accurate and up to date.

In any case, the concept of “completeness” cannot properly be understood without some context. Where this term is used in the UK Data Protection Act 1998, it is noted that data is only incomplete if such incompleteness would constitute a contravention of certain of the data protection principles (namely the principles that data must be adequate, relevant and not excessive, accurate and up to date).

Again, in that context, it is unclear how sub-section (2) adds to the obligation that is already imposed on the Employer by sub-sections (1)(c) and (1)(d).

The draft Regulations do not expressly prohibit the export of data outside ADGM. In other jurisdictions, the restriction on transfers outside the relevant territory serves to ensure that the relevant data remains subject to legal protections that the data subject can enforce.

Notwithstanding the question noted above as to whether the Regulations intend to grant any enforceable rights to Employees in respect of data privacy, the Regulations’ silence on the issue of data export potentially creates uncertainty for Employers who will have to assess whether any transfer outside ADGM is fair, lawful and secure (and otherwise complies with the remaining principles in Regulation 50).

The new ADGM court may have to consider whether a transfer outside the jurisdiction is inherently less fair, lawful and/or secure than processing within ADGM, which could have the effect of imposing conditions on data export in practice.

Such non-statutory conditions would create some uncertainty for Employers seeking to do business in ADGM.

We will be monitoring the outcome of the consultation process and will provide an update once the final regulations are issued.