Late afternoon last Friday, the White House released its draft Consumer Privacy Bill of Rights Act (the “Act”).  This follows on the heels of the President’s announcement of cybersecurity as a top priority of the administration, which foreshadowed the release of the Act and included other initiatives, including one for a single national breach notification standard.  It also comes at a time when consumers may be feeling particularly interested in addressing cybersecurity threats, given healthcare insurer Anthem Inc.’s data breach and Sony Pictures Entertainment’s hack in November.

What Does the Act Govern?

The Act was originally articulated by the Administration in 2012, and the current draft tracks the language used at that time.  The stated purpose of the Act is “[t]o establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.”

Specifically, the Act enumerates the following general principles:

  • Transparency: Covered entities must provide notice about the entity’s privacy and security practices.  The notice must be easily understandable, accurate, timely, conspicuous, and conveniently accessible and must provide individuals with a company contact to address privacy concerns.
  • Individual Control: Covered entities must provide individuals with “reasonable means to control” the processing of their data.  Individuals must be able to understand how to use the control mechanisms and must be able to withdraw consent through means reasonably comparable to the means used to grant consent.  Once consent has been withdrawn, the covered entity must delete the data within 45 days.
  • Focused Collection and Responsible Use: Covered entities must collect, retain, and use personal data in a manner that is reasonable in light of context and must minimize privacy risk (i.e., the potential for the data to cause harm to an individual) when determining its collection, retention, and use practices.  Context is defined in the Act by reference to several factors including the extent and frequency of interactions between individuals and the entity, a user’s understanding about how the entity processes collected data, and the types of personal data processed.  Responsible use includes the data minimization principle of deleting, destroying, or de-identifying personal data after it has fulfilled its business purpose.
  • Respect for Context: Covered entities that are not in accordance with the Act and are not using personal data reasonably in light of context must mitigate privacy risks by, inter alia, providing heightened transparency and individual control, absent limited exceptions.
  • Security: Covered entities must identify risks to the privacy and security of personal data, establish, implement, and maintain safeguards to ensure the security of personal data, and regularly assess, and if necessary adjust, those safeguards.  The reasonableness of the safeguards adopted will be determined by reference to the privacy risk of the data, the foreseeability of threats, widely accepted industry practices, and the cost of the safeguards.
  • Access and Accuracy: Covered entities must provide reasonable access to or a representation of the personal data under their control and must establish, implement, and maintain procedures to ensure such personal data is accurate.  Reasonableness considerations include the privacy risk, the risk of adverse action against the individual if the data is inaccurate, and the cost of providing access or ensuring accuracy.  Covered entities must also provide individuals with means to dispute and resolve the accuracy and completeness of the personal data.
  • Accountability: Covered entities must ensure compliance with the Act through training of their employees, internal or independent evaluations or audits, incorporating privacy and data protection into their systems and practices, and binding third parties to which personal data is disclosed to use that data “consistently with the covered entity’s commitments.”

Omnibus data privacy laws are few and far between in the Middle East. None of the six states of the Gulf Co-Operation Council (GCC)—which comprises Saudi Arabia, Kuwait, Oman, Qatar, Bahrain and the United Arab Emirates—have issued national privacy legislation, although several have draft regulations under consideration.

By contrast, the financial “free zone” jurisdictions of Dubai International Financial Centre (DIFC) and Qatar Financial Centre (QFC) have both adopted European-style data protection regulations.

Abu Dhabi Global Market (ADGM) is the proposed new financial services free zone on Al Maryah Island in the UAE’s capital city of Abu Dhabi. Like DIFC and QFC, it will have independent courts of first instance and appeal to oversee the jurisdiction of the free zone.

Unlike its more established neighbours, though, ADGM has decided not to introduce general legislation regulating the handling and processing of personal data in the first wave of draft regulations issued for public consultation this month.

There are, however, proposals to place certain limited obligations on employers operating in ADGM in relation to personal data relating to their employees.