ADGM: ADGM launches public consultation on new data protection framework and Data Protection Regulations 2020
The Abu Dhabi Global Market ('ADGM') published, on 19 November 2020, Consultation Paper No. 6 of 2020 ('the Consultation Paper') introducing the New Data Protection Regulatory Framework ('the Proposed Data Protection Framework') and Annex A containing the Data Protection Regulations 2020, to replace the Data Protection Regulations 2015, as amended in 2018 ('the 2015 Regulations'). In particular, the ADGM highlighted that it is attempting to broadly align the Proposed Data Protection Framework with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') unless there is a compelling reason for divergence, as the 2015 Regulations are based on the OECD Privacy Guidelines, the former Data Protection Directive (Directive 95/46/EC) and the UK's Data Protection Act 1998 which have now been superseded by the GDPR and the UK's Data Protection Act 2018 ('the UK DPA 2018').
In particular, the ADGM outlined that the Proposed Data Protection Framework introduces several new requirements, and also establishes an independent Office of Data Protection ('the Office'), headed by a Commissioner of Data Protection, which is empowered to monitor compliance with the Proposed Data Protection Framework and will ensure appropriate enforcement in cases of non-compliance. The ADGM proposed to maintain its current Office within the Registration Authority but with clear operational independence from the Registration Authority's other regulatory functions. In addition, the Office would have the ability to approve industry-specific codes of conduct and establish a certification regime for compliant data controllers and data processors. Furthermore, the ADGM noted that, in order to fully align itself with the GDPR, the Proposed Data Protection Framework introduces, among other things:
- key definitions such as personal data, processing, consent, data controller, data processor and recipient;
- the principle of accountability, which introduces requirements regarding Data Protection by Design and by Default, records of data processing, data protection impact assessments, and data protection officer appointment;
- the principle of transparency;
- lawful bases of processing for special category data, such as health data;
- individual rights, including the right not to be subject to a decision which is based solely on automated decision-making, including profiling, and the right to data portability;
- security obligations which require the data controller to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; and
- a trigger point for notification of a data breach to the Office and affected individuals. The ADGM noted that the notification requirements in the 2015 Regulations differ from GDPR requirements and that aligning with the GDPR would simplify the analysis carried out by businesses in respect of where and when notification is required.
In addition, the Proposed Data Protection Framework applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in ADGM, regardless of whether the processing takes place in ADGM or not, and applies to natural persons whatever their nationality or place of residence. However, where a data controller is only connected to ADGM because it uses a data processor located inside ADGM, the Proposed Data Protection Framework would not apply to the data controller. Moreover, the ADGM seeks to align its intragroup data transfer mechanism to the EU's Binding Corporate Rules ('BCRs') and to incorporate the European Commission's most recently updated model clauses by reference to ensure that the updated versions are automatically incorporated into the Proposed Data Protection Framework.
The ADGM further stated that the Proposed Data Protection Framework seeks to empower the Office to levy administrative fines, which are reviewable by the ADGM Courts, and also proposes to set an absolute cap on administrative fines under the Proposed Data Protection Framework at $28 million.
Finally, the ADGM stipulated that a transition period of 12 months to the Proposed Data Protection Framework has been proposed for current establishments, and six months for new establishments, from the date of enactment.
ADGM invites public feedback and comments on the Proposed Data Protection Framework, which can be addressed to the following email: [email protected] by 19 December 2020.