DATA PRIVACY AND PROTECTION NEWSLETTER JUNE 2019 – PART 1
DATA PROTECTION AND PRIVACY
We, as humans, find ourselves in a technologically advanced and digital age, where the world is interconnected. Who could have imagined that the launch of the World Wide Web (the “Web”) on 06 August 1991 would grow into what the Web is today, where our entire existence as humans is defined online, from simple acts such as sharing our family vacation photographs on social media platforms (WhatsApp, Facebook, Instagram and Twitter, to name but a few) to more extensive, personal and sensitive information sources such as our medical histories documented on a digital database – all of this existing on one gigantic network?
The harsh reality about this gigantic network, however, is that the necessity of securing such information and data has only begun to gain traction in recent years, albeit at a rapidly growing rate, with the good guys having to play strategic ‘catch-up’ and advance to counter the efforts of the bad guys actively hunting for data, which the latter can exploit for various reasons, including its monetization and utilisation, often for nefarious purposes. Of course, the world’s most valuable resource is no longer oil.
DATA DEFINED AND DATA CLASSIFICATION:
Data, generally speaking, can be defined as: “individual facts, statistics…items of information, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by humans or by automatic means”.
Data, according to Dubai’s Dissemination Law is a collection of organized, or unorganized information, facts, concepts, instructions, observations or measurements, in the form of numbers, alphabets, symbols, images, or information in any other form, which is collected, produced or processed by data providers law is:
“1.) processed by means of equipment operating automatically in response to instructions given for that purpose; 2.) recorded with the intention that it should be processed by means of such equipment; 3.) recorded as part of a relevant filing system, or with the intention that it should form part of a relevant filing system.”
Personal data means: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Personal data, in other words, is the data of any natural, living person who can be identified (whether directly or indirectly) by means of a certain identification number, or by one (or more) specific, individual details as to their biological, physical, physiological, mental, economic, cultural or social identity.
Sensitive personal data is data consisting of: “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation”, or any information relating to a person’s personal life. Such information would also include a person’s communal origin and criminal record; the list, however, is non-exhaustive.
Genetic data means: “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”.
Data concerning health means: “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
Biometric data means: “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
A private entity’s data (such as a Company and non-Governmental organization) is any data which is related to such entity, which is available to the public and can be used to identify the name, the objectives, and the legal status of that entity.
A private entity’s sensitive data is any data not expected to be made available to the public, including information relating to its officials or employees, revenues or profits, customer lists, technical know-how, or relating to any of its Intellectual Property Rights.
A data breach (also known as a data spill or data leak) is the intentional or unintentional release, copying, transmission, viewing, stealing or use of secure or private/confidential information to an untrusted environment or to an unauthorized third party, by an individual, third party or entity who is unauthorized to do so.
“Data breaches may involve financial information such as credit card or bank details, personal health information (“PHI”), Personally identifiable information (“PII”), trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data – files, documents, and sensitive information.”
DATA PROTECTION AND PRIVACY IN THE UAE
The United Arab Emirates (“UAE”), in line with the visions of the Honourable Crown Prince of Dubai and Chairman of the Executive Council, His Highness Sheikh Hamdan bin Mohammed bin Rashid Al Maktoum, and the Honourable Vice President and Prime Minister of the UAE and Ruler of Dubai, His Highness Sheikh Mohammed bin Rashid Al Maktoum, in their collaborative effort for the “UAE strategy for the Future”, has recognized the need for the implementation of data protection rules (laws) and regulations, as well as the establishment of various resources to ensure the proper, coercive execution of and adherence to them. In doing so, the ‘Dubai Cyber Security Strategy’ was launched in 2017 and aims to strengthen Dubai’s position as a world leader in innovation, safety and security.
The above efforts are further bolstered by the envisioned and planned promulgation of a UAE Data Protection law, similar to that of the European Union General Data Protection Regulation (GDPR), as part of the UAE National Cybersecurity Strategy.
The Telecommunications Regulatory Authority (“TRA”) of the UAE has launched the 2020 – 2025 strategy in the hope of enabling a prompt and strategically coordinated response to cyber incidents within the UAE.
KNOWN CYBER ATTACKS AND DATA BREACHES AFFECTING THE UAE
The UAE experienced its first reported large-scale data breach in 2018, when Careem cab services disclosed a personal data breach in which the data of more than 14 million of its riders and 558 800 drivers was compromised, with the affected persons’ data stemming from the service provider in the Middle East, North Africa, Pakistan and Turkey – in 78 cities in 13 countries, to be precise. This attack was brought about by theft of data and was discovered by the company on 14 January 2018, but the company only notified the public in late April 2018 – approximately four (4) months after the detection.
Mr Mudassir Sheikha, Careem chief executive and co-founder, told The National (news entity) that “throughout the incident, our priority has been to protect the data and privacy of our customers and captains. Since we discovered the criminal activity, we worked to understand the situation, who was affected, and what we needed to do. We’re sorry for what happened, but Careem has learned from this and will come out stronger and more resilient.”
PRESENT LEGISLATIVE PROVISIONS WITHIN THE UAE, GOVERNING DATA PROTECTION AND PRIVACY:
The UAE, although presently proactive in the drafting of its Data Protection Legislation, has until now always been conscious of general privacy rights and data protection principles and in so doing, been proactive in its approach concerning this.
Herewith a summary of the present generalist legislative principles, for your ease of reference and perusal. Further provisions will be documented in Part 2 of our newsletter, in due course.
- Resolution No. 2 of 2017: Approving the Policies Document on Classification, Dissemination, Exchange, and Protection of Data in the Emirate of Dubai is a resolution that covers most aspects of Data Protection; however, its applicability is limited to federal government entities, local government entities, and persons who produce, own, disseminate, or exchange Data relating to the Emirate.
- The Constitution of the UAE acknowledges the right to communicate and express under Article 31. Under the said provision, the Constitution further recognizes a general right to privacy; it provides: “Freedom of corresponding through the post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law”. Protection under this law, however, is only available to UAE Nationals.
- The UAE Penal Code, Federal Law Number 3 of 1987, as amended by Federal Law Number 34 of 2005, identifies the breach of privacy without consent as a criminal offence and lays down penal punishment, together with the imposition of a fine. Article 379 of the Penal Code allows a person entrusted with a secret about another person to use or disclose it only with the consent of the person to whom the secret pertains. However, where the person entrusted breaches that trust, he shall be punishable by a criminal penalty of imprisonment of a minimum of one (1) year, or a fine of a minimum of twenty-thousand (20 000) Dirhams, or both. The penalty of imprisonment shall not exceed a term of five (5) years where the perpetrator is a public servant or a person in charge of a public service who was confided the secret because or on the occasion of discharging his duties or performing his service.
ZONE SPECIFIC REGULATIONS
Notably, a distinction is to be drawn between the laws applied to the mainland areas of the UAE and those applied to the free zone areas. Mainland laws, federal or sectoral, may or may not apply to free zones. Free-zone laws are specific and limited to the jurisdiction of that zone. In the context of data protection and privacy, there are three free zones, namely DHCC, DIFC and ADGM, that have drafted and implemented data protection regimes.
The Dubai International Financial Centre (“DIFC”) Data Protection Law, Law no. 1 of 2017, is the comprehensive data protection law applicable within the jurisdiction of the DIFC – a designated free zone area in Dubai. The law lays down a holistic approach to ensure data protection. It provides general requirements, such as that data must be processed fairly, securely and for a purpose (purpose limitation), and must be kept up to date and easily identifiable/editable. It further lays down the following provisions: legitimate processing, consent of Data Protection Commissioner, appropriate technical and operational measures, and actions to be taken in case of unauthorized intrusion. To ensure adherence to the law, it provides for high fines in cases of contravention.
The Abu Dhabi Global Market (“ADGM”) Data Protection Regulation 2015 is a regulation to make provision for the protection of personal data within the Abu Dhabi Global Market (the free zone area of Abu Dhabi) and for connected purposes. This regulation, like the DIFC regime, is a comprehensive law, which provides General Rules on the Processing of Personal Data, Rights of Data Subjects, The Board, Remedies, Liability and Sanctions, and General Exemptions, among other things. The Remedies, Liability and Sanctions part further lays down that, in case of contravention by a data controller, the data controller may be subject to specific performance or a permanent injunction, or shall be held liable for a fine of up to USD 15,000.
DHCC: the only healthcare free zone to have a dedicated data protection regulation. The regulation applies to all licensees who manage patient health information. Patient health information includes:
1.) information about the health of a Patient, including his/her medical history;
2.) information about any disabilities that Patient has, or has had;
3.) information about any healthcare services that are being provided, or have been provided, to that patient;
4.) information provided by that Patient in connection with the donation, by that Patient, of any body part or any bodily substance of that Patient, or derived from the testing or examination of any body part, or any bodily substance of that Patient; or information about that Patient which is collected before, or in the course of, and incidental to, the provision of any Healthcare Service to that Patient.
We at KARM Legal Consultants are delighted at the vast and speedy data protection and cyber security developments made within the UAE. Presently, we remain actively involved in this sphere (both as a technical and regulatory resource) and professionally, we strive to remedy and aid the education, implementation and rectification of certain deficits within data protection policies and privacy measures of persons and entities alike, in providing professional and skilled services, in line with the relevant and on-going development of legislative provisions, so as to ensure the effective implementation of necessary and vital frameworks.
1. The Economist, The world’s most valuable resource is no longer oil, but data, May 6, 2017, https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
2. Image credit to David Parkins, The world’s most valuable resource is no longer oil, but data, May 6, 2017, https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
3. US Department of Defense 2005; Dictionary of Military and Associated Terms, https://www.thefreedictionary.com/data
4. Resolution No. (2) of 2017, Approving the Policies Document on Classification, Dissemination, Exchange, and Protection of Data in the Emirate of Dubai
5. DIFC Data Protection Law DIFC Law No. 1 of 2007 (as amended); DIFC Data Protection Regulations (as amended); ADGM Data Protection Regulations 2018
6. ADGM Data Protection Regulations 2018
7. Article 4, European Union Data Protection Regulation (GDPR)
8. Supra note 4
9. Supra note 5
10. Supra note 5
11. Supra note 4
12. ‘Not expected to be made available to the public, including information relating to its officials or employees; revenues or profits; customer lists; or technical know-how, or relating to any of its Intellectual Property Rights.’
13. Yaki Faitelson, Xconomy, Panama Papers Leak: the New Normal?, April 26, 2016, https://xconomy.com/new-york/2016/04/26/panama-papers-leak-the-new-normal/
14. Emirates 24/7, Sheikh Mohammed launches ‘Dubai Cyber Security Strategy’, May 31, 2017, https://www.emirates247.com/news/emirates/sheikh-mohammed-launches-dubai-cyber-security-strategy-2017-05-31-1.653844
15. Naushad K. Cherrayil, UAE data protection law, similar to GDPR, likely landing this year, June 24, 2019, https://www.techradar.com/news/uae-data-protection-law-similar-to-gdpr-likely-landing-this-year
16. The National AE, Ride sharing platform Careem says hit by cyber attack with data of up to 14 million users stolen, April 23, 2018, https://www.thenational.ae/business/technology/ride-sharing-platform-careem-says-hit-by-cyber-attack-with-data-of-up-to-14-million-users-stolen-1.723927
17. Constitution of the UAE, https://www.wipo.int/edocs/lexdocs/laws/en/ae/ae030en.pdf
Authored by Luna de Lange (Partner) and Tripti Jain (Intern) with inputs from Cherry Bhatnagar (Senior Associate).