On 11 February 2021, the Abu Dhabi Global Market (“ADGM”), Abu Dhabi’s financial free zone, enacted the new Data Protection Regulations 2021 (the “Regulations”), replacing the Data Protection Regulations 2015 in their entirety and bringing the ADGM regime closer to the European Union’s data protection regime under the General Data Protection Regulation (“GDPR”).
Our alert memo, published at the end of 2020 following the ADGM’s opening of a public consultation period on the draft Data Protection Regulations 2020 (the “Draft Regulations”), provides an overview of the key features of the Draft Regulations, areas of overlap with the GDPR, as well as certain proposed departures from the GDPR that will need to be monitored by organisations doing business in both the ADGM and the European Union.
The Regulations are applicable to those processing personal data where a controller or processor has been established in the ADGM, regardless of whether the processing actually takes place in the ADGM or not.
We set out below an update to our alert memo, highlighting the few notable additions/amendments to the Draft Regulations as compared with the final Regulations published on 11 February 2021.
- Territorial Scope
Section 3(2): The Regulations now provide that where a processor processes personal data for a controller located outside of the ADGM, such a processor only need comply with the Regulations “to the extent possible, taking into account whether the Controller is subject to similar obligations under the laws of its home jurisdiction”. This seems to be a business-friendly and pragmatic nuance that recognises that ADGM-established processors might be providing processing services to controllers based in jurisdictions that have potentially conflicting data protection requirements, and so mitigates the risk of such processors being unable to comply with any such conflicting requirements by qualifying their ADGM-based obligations.
- Time periods for responding if a data subject exercises its rights
Section 10(3) and (4): Responses to data subjects must be made without undue delay and within the initial two-month time limit. The Regulations now provide for a potential extension of this time limit by one additional month where necessary, “taking into account the complexity and number of the requests.” This brings the total time period for responses in line with the extended time period under the GDPR (i.e., three months), reducing the period that was previously provided in the Draft Regulations, which had allowed for a two-month extension (four months in total).
Section 10(7): Where a controller has doubts about the identity of a person seeking to exercise their rights under the Regulations, the time period for complying with the request only commences after the controller has received sufficient information to reasonably identify the individual making such request. This is in line with the approach taken under the GDPR.
- Information rights: The controller’s intention to restrict data subject rights
Section 11(2)(h): The Regulations introduce a new information right that applies if a controller intends to restrict a data subject from exercising its rights to rectification or erasure of data. Where the controller intends to restrict the exercise of these rights, the controller must (i) include a clear and explicit explanation of the expected impact and (ii) satisfy itself that the data subject understands and acknowledges the extent of any such restrictions. This requirement is not present under the GDPR, which does not restrict these rights in similar situations (see below).
- Exemptions from the right to rectify or erase data on technical grounds with prior notice to the data subject
Section 14(2) and Section 15(4): As under the Draft Regulations, data subjects continue to have rights to rectification and erasure of their personal data in certain circumstances. However, the Regulations provide that a controller will not be in breach of the Regulations for failing to give effect to the data subject request where rectification or erasure of personal data is not technically feasible and the controller has provided explicit, clear and prominent information explaining that rectification or erasure of the personal data would not be feasible. This technical feasibility exemption is not available under the GDPR.
- Exemptions from paying the data protection fee
Section 24(3): Small establishments employing fewer than five employees are exempt from paying the data protection fee, provided that such establishments do not carry out high risk processing activities.
- Removal of the exemption from the requirement to maintain a record of processing activities
Previously Section 28(5): The Draft Regulations provided an exemption from the requirements to maintain a record of processing activities for small establishments (being establishments with fewer than five employees), provided that such establishments do not carry out high risk processing activities. In line with the GDPR, this exemption has been deleted from Section 28 in the final Regulations.
- Cessation of processing
Section 31: A new section on cessation of processing has been included in the finalised Regulations, and provides that where the basis for processing changes or ceases to exist (or where the controller is required to cease processing as a result of a data subject exercising its rights), a controller must (subject to certain limited exceptions) ensure that personal data is securely and permanently deleted, anonymised, pseudonymised or securely encrypted, failing which the controller must ensure that the data is “put beyond further use”.
Following the expiry of the relevant transition periods from 14 February 2021 (twelve months for existing establishments in the ADGM and six months for new establishments that are registered after 14 February 2021), the Regulations will impose new obligations on personal data controllers and processors and will introduce new enforcement powers in cases of non-compliance, to be exercised by the Commissioner for Data Protection.
The ADGM prides itself on being a progressive regulator, and the broad alignment of the Regulations with international best practice (most notably, the GDPR) is another example of the regulator’s progressive approach. Shortly after the enactment of the Regulations, the ADGM’s Office of Data Protection became the first data protection regulator in the Gulf region to join the Global Privacy Assembly’s International Enforcement Cooperation Working Group or IECWG. The ADGM’s membership of IECWG, a global forum for data protection and privacy authorities, illustrates the ADGM’s commitment to data protection.
As noted in our previous alert memo, for certain controllers and processors located in the ADGM but active internationally, for whom compliance with the GDPR is already essential, the Regulations are unlikely to introduce a significant new compliance burden. Although compliance with the GDPR will go a long way towards ensuring compliance with the ADGM Regulations, organisations will need to ensure that they understand the few notable differences between the two regimes so that they may comply with both of them.