A number of jurisdictions around the world follow the lead from Europe in relation to data protection and impose similar restrictions on the export of personal data unless there is an “adequate level” of protection offered in the recipient jurisdiction. The EU Commission’s “US Safe Harbor” decision had permitted the transfer of personal data between Europe and the US by establishing that an adequate level of data protection was ensured by the EU-US Safe Harbor scheme.

In January, we commented on the release of a consultation paper by Abu Dhabi Global Market (ADGM) relating to proposed employment regulations. At the time, ADGM indicated that it would not be introducing more general legislation to regulate the handling and processing of personal data in the new free zone.

The Board of Directors of ADGM has subsequently reconsidered the issue and issued a consultation paper inviting public comment on a proposed set of standalone data protection regulations. This would be an alternative to the individual provisions currently legislating for a limited level of data protection on the employment regulations.

Omnibus data privacy laws are few and far between in the Middle East. None of the six states of the Gulf Co-Operation Council (GCC)—which comprises Saudi Arabia, Kuwait, Oman, Qatar, Bahrain and the United Arab Emirates—have issued national privacy legislation, although several have draft regulations under consideration.

By contrast, the financial “free zone” jurisdictions of Dubai International Financial Centre (DIFC) and Qatar Financial Centre (QFC) have both adopted European-style data protection regulations.

Abu Dhabi Global Market (ADGM) is the proposed new financial services free zone on Al Maryah Island in the UAE’s capital city of Abu Dhabi. Like DIFC and QFC, it will have independent courts of first instance and appeal to oversee the jurisdiction of the free zone.

Unlike its more established neighbours, though, ADGM has decided not to introduce general legislation regulating the handling and processing of personal data in the first wave of draft regulations issued for public consultation this month.

There are, however, proposals to place certain limited obligations on employers operating in ADGM in relation to personal data relating to their employees.