UAE: Data Protection in the Financial Sector

Data protection has now been centre stage for a while. In the financial sector, data protection gained significance as a result of the importance of analytics involved in developing and offering products and services to customers.

The United Arab Emirates' ('UAE') drive to be a crucial actor on the global stage of financial services pushed lawmakers to implement a new regulatory framework for data protection. Navigating such a framework will require financial businesses to re-assess their data management processes considering the local regulatory requirements, without undermining, where possible, the global reach of their services and partnerships.

A first step towards the success of such a compliance effort is to gain full knowledge and control of each stage of the data processing activities carried out by providers of financial services. Whilst this task is not straightforward, it will, with few adjustments, enable compliance with many provisions that do not have a significant impact on businesses' operations. Compliance with other provisions, however, requires businesses to take a more radical approach to their data management procedures.

As financial services vary in scope and in the regulations that apply to them, this article aims to present a picture of the main practical topics to consider for financial services providers operating onshore in the UAE and licensed by the UAE Central Bank.

Applicable legislation and supervisory authorities

On 20 September 2021, the UAE issued Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law'), the first federal law in the UAE to provide a comprehensive legal framework for the processing of personal data. The Law aims to align the UAE's data protection framework with international standards (although it still lacks completeness as more detailed provisions will be implemented with the Law's Executive Regulations).

Notwithstanding the adoption of the Law, the legislation on personal data in the financial sector remains spread across various acts. Notably, Article 2(2) of the Law provides that the Law does not apply to 'personal banking and credit data and information' that are subject to legislation regulating the protection of such data.

Under Federal Law No. 14 of 2018 regarding the Central Bank and Organization of Financial Institutions and Activities ('the Banking Law'), the UAE Central Bank has the duty to establish regulations relating to the protection of customers of financial institutions licensed in accordance with the Banking Law ('Licensed Institutions'). Accordingly, most of the relevant provisions applicable to the processing of personal data in the financial sector are enacted by the UAE Central Bank, such as:

  • Consumer Protection Regulation (Circular 8/2020) ('the Consumer Protection Regulation') and the Consumer Protection Standards with respect to the protections afforded to data subjects in their capacity as consumers;
  • Outsourcing Regulations for Banks and the accompanying Standards (Circular 12/2021) with regard to the processing of personal data by banks in the context of outsourced services;
  • Retail Payment Services and Card Schemes Regulation with regard to the processing by payment service providers; and
  • Stored Value Facilities Regulation with regard to the processing by Stored Value Facilities ('SVF') providers.

Supervisory authorities overseeing compliance are also split: the recently established UAE Data Office will monitor compliance with the Law and the Executive Regulations, while the UAE Central Bank will supervise compliance with its own regulatory acts.

Legal basis for processing and privacy notices

Licensed Institutions must plan and act in advance when processing personal data related to their services. Licensed Institutions' commercial interests are first constrained by the limited options available as regards the legal basis for processing personal data.

Indeed, under the Consumer Protection Regulation and Standards, the processing of personal data requires the express consent of data subjects and Licensed Institutions must ensure that data subjects are able to make informed choices when providing such consent. Privacy policies must meet the requirements set forth in the Consumer Protection Standards and, prior to requesting consent, must be delivered in writing, with disclosure of the intention to process personal data and of recipients of such personal data, while abiding by the principles of data minimisation and transparency.

Furthermore, Licensed Institutions must ensure that personal data is: (i) collected for a lawful purpose directly related to the licensed financial activities of the Licensed Institution; (ii) adequate and not excessive in relation to the stated purpose (data minimisation); and (iii) collected with appropriate security and protection measures in place against unauthorized or unlawful processing and accidental loss or damage.

Compliance with all the above requires exhaustive knowledge of the data management processes and of the actors and features involved down the processing pipeline.

Under the Law, consent is the main lawful basis for processing personal data. However, other lawful bases are generally available, including, among others, circumstances specified by the Executive Regulations.

It is worth mentioning that the requirements for the validity of the consent sought in accordance with the Consumer Protection Standards do not exactly match those set forth in the Law. Therefore, policies implemented to seek consent should factor in both the Law and the Consumer Protection Regulation.

Finally, in the case of data processing for direct marketing, or of transferring data to an authorised agent for direct marketing, Licensed Institutions must obtain informed and express consent before using and sharing data subjects' personal data. However, Federal Law No. (15) of 2020 on Consumer Protection provides that companies must ensure that the privacy and security of consumer data is protected. Additionally, companies are prohibited from using such data for promotional and marketing purposes. Thus, on the face of it, the above-mentioned Federal Law appears to prohibit direct marketing outright. However, the implementing regulations are yet to be issued to provide guidance on the scope of such express prohibition.

Data security and risk management

Compliance with data security requirements necessitates systematic planning, as Licensed Institutions must implement appropriate measures to detect and track unauthorised internal access to or use of consumer information. The appropriateness of the measures is assessed in proportion to the criticality and sensitivity of the systems and data handled.

Notably, Licensed Institutions' commercial interests must face the hurdle of data localisation requirements as consumers' and transaction data must be held and stored within the UAE. Data backups must also be established in compliance with the detailed applicable provisions of law.

Therefore, management must carefully determine the setup of the IT infrastructure and select providers to meet all the required security features mandated by law.

It is not surprising that the Consumer Protection Regulation mandates a clear allocation of powers within the management structure. Licensed Institutions must establish a function responsible for data protection and data management which should also maintain policies, procedures, systems, and controls to protect personal data and information against misuse, unauthorised access, and undue processing. The appointment must fall on a senior position in management who reports directly to senior management within the Licensed Institution.

To ensure continued compliance, policies regarding data management and data retention must be reviewed annually to ensure that they are up to date, and Licensed Institutions must ensure that their security and protection systems have the capacity to develop and adopt new approaches to cybersecurity as required by developments in technology and risk.

In general, under the Law, controllers and processors must develop and take appropriate technical and organisational procedures and measures to ensure the application of the level of information security that is commensurate with the risks associated with the processing in accordance with the best international standards.

Data Transfers and Outsourcing

Considering the increasing global reach of financial services and the growing numbers of actors involved in their delivery, Financial Institutions' commercial interests are greatly impacted by provisions governing data transfers and outsourcing.

Cross-border transfers of personal data as governed by the Law depend on the existence or absence of an adequate level of protection in the country of destination. The provisions of the Law are generally less restrictive than those of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Remarkably, personal data may be transferred outside the UAE with the express consent of the data subject, provided that the transfer does not conflict with the public and security interests of the UAE.

Licensed Institutions entering into an outsourcing agreement, however, are further limited in their ability to transfer personal data. Under the Outsourcing Regulation, Licensed Institutions outsourcing activities to a third party, either within or outside the UAE, must ensure compliance with all applicable UAE legislation and regulations in managing and processing data. In particular, an outsourcing agreement must ensure the same degree of data protection that would apply if the Licensed Institution itself performed the outsourced activities, thereby extending the obligations applicable to the Licensed Institution to the service provider. Notably, outsourcing Licensed Institutions must establish adequate policies and procedures that include the minimum requirements set forth in the Outsourcing Standards.

Also, outsourcing Licensed Institutions must maintain an outsourcing register containing key information for each outsourcing agreement. Although the obligation is not primarily provided for data protection purposes, the register should also specify what type of data is shared with the service provider and what measures are in place to ensure compliance with applicable laws.

In the case of outsourcing outside of the UAE, outsourcing Licensed Institutions: (i) are not permitted to enter into an outsourcing agreement that proposes the storage of data in any jurisdiction where bank secrecy, or other laws, restrict or limit access to data necessary for supervisory purposes; and (ii) must ensure compliance with all relevant personal data protection legislation and regulations prior to entering into the outsourcing agreement.

Data retention and record keeping

Data retention and record keeping, per se, do not thwart Licensed Institutions' business operations. However, compliance requires appropriate monitoring and knowledge of the data management processes, which, in many cases, Licensed Institutions struggle to maintain.

The Law merely lays out the principle of data minimisation: personal data must not be kept after the fulfilment of the purpose for which it was processed, unless it has been anonymised. Further obligations will be set out in the Executive Regulations.

The regulations enacted by the UAE Central Bank mirror the provisions of the Law and add further obligations on Licensed Institutions. The Consumer Protection Standards provide that all personal data, documents, records, and files, as well as a copy of data subjects' express consent, must be securely retained for a minimum of five years. After the lapse of five years, Licensed Institutions must ensure that all data is destroyed or permanently deleted if it is no longer required for the purpose for which it was collected and processed or no longer required by law. Logs, the names of the personnel with access to consumer databases, and the timing of any such access must also be kept for five years for audit and supervision purposes.

Breach Notification

Compliance with obligations on breach notification requires Licensed Institutions to implement appropriate mechanisms and functions to manage breaches; this is therefore an organisational burden rather than a regulatory impediment to carrying out their business operations.

The Law provides that data controllers must immediately, upon becoming aware of any breach of the data subject's personal data that would prejudice the privacy, confidentiality, and security of the data subject's data, report such breach to the UAE Data Office within the period determined by the Executive Regulations. Also, data subjects must be notified of any such breach. Notably, for business to business ('B2B') agreements, if data processors become aware of any breach of personal data, data processors must immediately notify the data controller of such breach to enable the data controller to perform the required notifications.

The Consumer Protection Regulation substantially mirrors the provisions of the Law, as it provides that Licensed Institutions must immediately notify the UAE Central Bank of all significant breaches of consumers' personal data and information, and notify the breach, without undue delay, to consumers where the breach may pose a risk to their financial and personal security, including reputational risk. Licensed Institutions are also liable for reimbursing any direct costs incurred by consumers for actual harm done as a result of the breach. Therefore, Licensed Institutions should implement data breach policies that factor in the notification obligations towards both supervisory entities.

Where breaches of the data management control framework regarding the unauthorised access or release of consumers' personal data occur, the Licensed Institution must also record any disciplinary actions taken against any personnel, agents, or contractors responsible for the breach, and must maintain records of such events for five years after the event being recorded.

Confidentiality and Banking Secrecy

In terms of confidentiality obligations, Article 120 of the Banking Law provides that all data and information relating to customers' accounts, deposits, safe deposit boxes, and trusts with Licensed Institutions and related transactions shall be considered confidential in nature, and may not be perused, or directly or indirectly disclosed to any third party without the written permission of the owner of the account or deposit, their legal attorney or authorised agent, and in legally authorised cases.

Pursuant to the Consumer Protection Standards, the legal obligation of confidentiality towards consumers has two exceptions: (i) when disclosure of consumer data is properly imposed by a legal authority; or (ii) when disclosure is made with the express consent of the consumer. A laxer framework applies to the disclosure of personal data by payment service providers, as outlined in the following section.

Payment services and Fintech

Given the increasing supply of and demand for payment services, particular attention must be paid to the processing of personal data by payment service providers.

Explicit consent must be obtained from data subjects under the Retail Payment Services and Card Schemes Regulation. Due to the multiplication of stakeholders and services in the payment pipeline, consent shall be sought with the granularity required to match the structure of the services provided. This is particularly relevant for businesses engaging open-banking providers or offering open-banking solutions.

As noted above, departing from the stricter regime under the Consumer Protection Standards, payment service providers may disclose personal data to a broad list of recipients, such as: (i) the UAE Central Bank; (ii) other regulatory authorities, with the prior approval of the UAE Central Bank; (iii) a third party, where the disclosure is made with the prior written consent of the user or where it is required pursuant to applicable laws; (iv) a court of law; and (v) other government bodies that have lawfully authorised rights of access.

Finally, personal data processed by payment service providers and related records must be stored and maintained in the UAE and backup copies must be kept in compliance with the detailed applicable provisions of law. Similar provisions are set forth by the Stored Value Facilities Regulation for Stored Value Facilities providers.

Once again, data localisation obligations might create some frictions in the selection of and contracting with service providers.

When processing personal data in the broader Fintech ecosystem, the Guidelines for Financial Institutions adopting Enabling Technologies ('the Guidelines'), issued jointly by the UAE Central Bank, the Securities and Commodities Authority ('SCA'), the Dubai Financial Services Authority ('DFSA'), and the Financial Services Regulatory Authority ('FSRA') must be considered.

The Guidelines are applicable to all institutions licensed and supervised by the above authorities that are using, or intend to use, Enabling Technologies (APIs, cloud computing, biometrics, Big Data analytics, artificial intelligence ('AI'), and distributed ledger technologies ('DLT')), and provide for a further set of provisions applicable in addition to any binding regulations, standards, guidance, and other instructions issued by the relevant authority.

With regard to personal data, the Guidelines set forth specific provisions for each of the enabling technologies adopted. In general, institutions must have proper engagement with providers before the latter can expose any personal data through their technology and they should ensure that the transmission and storage of personal data adopts encryption of the data. Multi-factor authentication is also mandated in specific cases. Notably, personal data must not be stored on a blockchain or maintained on any DLT but, rather, kept off-chain.

Enforcement

In comparison with other data protection legislation, especially the GDPR, the Law is visibly indeterminate. More clarity and completeness will come with the Executive Regulations, which cover many pivotal provisions (such as additional legal bases for processing, further obligations of the data controller and of the data processor, and the period for the reporting of a data breach). Moreover, Article 26 of the Law provides that the Cabinet shall issue a decision specifying the acts that constitute a violation of the provisions of the Law and its Executive Regulations, as well as the administrative penalties to be imposed.

A further element of uncertainty is added by the fact that the financial sector-specific provisions governing the processing of 'personal banking and credit data and information' were adopted prior to the Law and, in light of Article 2(2) of the Law, carve out the provisions of the Law. However, what constitutes 'personal banking and credit data and information' is not straightforward, and many provisions of the Law overlap with the financial sector-specific provisions. Moreover, most regulations issued by the UAE Central Bank refer interchangeably to 'data' and to 'personal data', adding to the ambiguity in the scope of application of the relevant regulations.

Pending the adoption of the Executive Regulations of the Law, of the Cabinet decision, and in the absence of a robust case law base of the UAE Data Office, the enforcement of the provisions of the Law remains fairly blurred and a significant degree of vagueness hovers over compliance with the laws and regulations applicable to the processing of personal data in the financial sector.

Therefore, stakeholders should closely monitor any new developments, assess the nature of their services, and review their data processing procedures to identify the provisions applicable to their business. The key to crossing the regulatory maze successfully will be to act well in advance of any regulatory enforcement, starting with mapping their internal processing and ensuring control over the data processed.

Gianluca de Feo Lawyer
[email protected]
AX Law, Dubai