
UAE: Proposed data protection amendments “seek to close loopholes”



The Abu Dhabi Global Market (‘ADGM’) launched, on 4 May 2017, a consultation on the Data Protection (Amendment) Regulations 2017 (‘the Proposed Amendments’), which would amend the Data Protection Regulations 2015 (‘the Regulations’). The Proposed Amendments would introduce significant changes to the capabilities of the ADGM Registration Authority (‘the Registrar’), including broader enforcement powers to ensure compliance with the Regulations.

Hadeel Mohamed, Associate at BSA Ahmad Bin Hezeem & Associates LLP, told DataGuidance, “Since the need for providing security is as old as the history of mankind, the Proposed Amendments aim to increase the authority of the Registrar by granting him the right to designate the jurisdictions [that provide an adequate level of protection and] to which personal data can be transferred, or to withdraw such a designation […] The enforcement [provisions introduced by] the Proposed Amendments are important for preventing business losses from a security incident. It is necessary to ensure that no loopholes may be found [by incorporating a high standard] of protection of personal data.”

In addition, the Proposed Amendments contain a grandfathering clause which provides that a legally binding agreement containing model data transfer clauses, concluded before the Proposed Amendments enter into force, will remain effective.
Daher Bin Daher, CEO of the Registrar, stated, “Regarding the designation of jurisdictions with an adequate level of protection, [the Proposed Amendments] relate to [the criteria] by which jurisdictions are designated, and will have a negligible impact on cross-border data transfers.”

Moreover, the Proposed Amendments include expanding the definition of personal data to also include the relevant filing system, as well as expanding the notion of sensitive personal data to cover criminal records. Additionally, they impose a time limit of one month to notify the Registrar of the intention to renew registration, any change to the details of the controller or processor, and the appointment of a data processor.

Bin Daher explained, “Since the Regulations took effect in 2015, the Registrar has kept itself abreast of international developments and revolving needs in this area and [has] identified aspects of the legislation to update for improved clarity and effectiveness […] The current framework enables the Registrar to issue a direction in the event of a contravention of the Regulations. As part of the Proposed Amendments, the Registrar will be able to issue a fine not only for failure to follow a direction but in respect of a contravention itself. [This will] provide improved flexibility of approach and effectiveness in the ADGM’s enforcement of the data protection regime.”

After the consultation period closes on 30 May 2017, all comments will be reviewed and the ADGM will consider if any modifications to the Proposed Amendments are needed. The final Data Protection (Amendment) Regulations 2017 will be submitted to the ADGM Board of Directors for approval.
Published: May 2017
Publication: DataGuidance
Authors: Hadeel Mohamed