Tim Casben: Welcome everyone to the latest ThinkHouse webinar.
We had 48 acceptances, so a very good take-up and we are just sad that we are not meeting you all and seeing you all in person, and part of ThinkHouse was very much about getting everyone together in a room as well and just networking too, so we are very much looking forward in the not-too-distant future to having a live event in person.
Meanwhile, today's talk is on the DIFC Data Protection Law and the new law that has just come in, and that will be led by Tony Fielding, who heads up the TMT practice here and is also part of our global data team.
And I am delighted to welcome Jocelyn Pauley, who is joining us from the UK. Jocelyn is co-chair of the UK Privacy and Cyber Security Team. Joss is a partner in the UK and has been working with Tony on the likely implementation of the DIFC Data Protection Law, drawing on her experience of the GDPR, and we thought it would be a good idea therefore to bring them together to provide some of Jocelyn's experience of the GDPR, given the DIFC Data Protection Law is likely to follow along the lines that the GDPR has.
With no further introduction, I will now move on to Tony.
Tony Fielding: Thank you Tim for the introduction. Good morning everybody, and it is great to see that we have had such good uptake for this particular session. I think, as Tim said, this sends a message and it is an indication of the fact that there is a focus on data protection regionally, and for legal counsel it is becoming a more considered issue given the implications for business in the region, and now that we have the new law, this is probably never more so.
Where were we? We were originally with the DIFC Data Protection Law of 2007, and it is true to say that that was also a law which was somewhat aligned with the principles of the GDPR in the EU.
However, where we are now is the new DIFC Data Protection Law No. 5 of 2020, which basically repeals and replaces the previous DP Law, and as I said it borrows heavily from the GDPR and also the California Protection Act. And the additional obligations that have come through with this new DPL 2020 align it even more strongly and more heavily with the principles and the obligations and requirements of the GDPR.
It is also the case that the DIFC Data Protection Regulations are yet to be released by the DIFC Authority, and of course we are anticipating that those will be released in the coming months, and if not they may well be drip-fed in some respects in relation to the guidance as to how the new data protection laws are going to be interpreted in the DIFC. Next slide please.
Why does this matter? Obviously data is money, data can be monetised, it leads to commercial exploitation and of course it leads to increased risk. It is a very profitable commodity at the moment, particularly in the commercial industry, and the approach to protecting against and minimising that risk is by way of consumer protection and data subject rights, which are enshrined in most data protection legislation, particularly within the GDPR and now particularly within the DPL 2020.
It also matters because it reflects an international benchmark of a global focus on DP. It is no longer something that certain countries and jurisdictions can afford not to pay attention to; there is an international expectation that there will be some form of robust data protection framework that will apply in particular countries.
And off the back of that, what that does is remove a certain degree of uncertainty and friction for businesses, it encourages trust from international investors and collaborators and it gives a sense of market resilience, so that people feel comfortable and trust the framework and the environment in which personal data is being provided.
And I think that is why the new DPL 2020 Law from the DIFC is key to encouraging this region's growth. So why does the DPL 2020 matter to you in particular?
One, there are a new set of obligations that will apply to you depending on whether or not you fall under the coverage of the DP Law. Two, there are always reputational risks in relation to breaches and security breaches for personal data and now with the new DPL, there are financial risks associated with that.
As I said, there is a regional focus and an international focus on enforcement, and the likelihood is that we will also see - as Joss will probably talk about later - an increased level of enforcement and an increased application of fines. So we are likely to see that here in the region also.
Again, DP is a serious regional focus, and that is why the DIFC is leading the charge and making sure that the DP frameworks are globally benchmarked and reflect the GDPR requirements. For you, compliance is both for now and for the future, and we will talk a little bit further about that in relation to the timeframes you have for compliance and what the future holds in relation to compliance generally for DP.
And in that respect, what we have certainly heard in the market is that there is expected to be a Federal Data Protection Law that will apply federally to controllers and processors, and the expectation is that it is going to be very very similar to the DIFC Data Protection Law and also obviously the GDPR.
And another risk and the reason it matters to you, is that we have seen internationally that certain examples have been made of particular companies - high-profile companies in particular, and we are uncertain as to whether or not the Commissioner here for the DIFC would look to making certain examples of particular companies where there are breaches of the DPL 2020.
Key dates! 1 July is when the new DPL 2020 became effective; obviously that has passed. It is now in force and it is law. The transition period that has been provided under this law is that you need to become compliant by 1 October 2020, so you have got a three-month period in which you can get your house in order from a compliance perspective.
In my view, and as I think you will have experienced, this is a fairly short time frame in which to get your house in order from a compliance perspective, but that may also depend largely on whether or not you are already a DIFC-based company and you already have GDPR-compliant programs. If you are not, this may be slightly more challenging, but no matter which category you fall into - whether you are DIFC or non-DIFC - it will certainly have implications as to the nature of your business and how you might need to look at your compliance programs going forward.
Does this new DPL 2020 apply to you?
It definitely applies to controllers or processors, and I am not going to go through the definitions of controllers and processors; I am going to assume that we all have some basic level of understanding in relation to that.
But what this law does apply to is those entities or companies that are incorporated in the DIFC, regardless of where the processing actually takes place, or where there is processing of personal data within the DIFC as part of stable arrangements. By stable arrangements, let us just assume we mean regular contractual arrangements or regular activities.
Now, processing in the DIFC in the previous law was very broadly considered and basically only made a statement that it applies in the jurisdiction of the DIFC. There was no particular guidance around that. However, processing in the DIFC now occurs when the means or the personnel that are used to conduct a particular processing activity are either physically located within the DIFC, or where that processing is outside of the DIFC but still might have some connection or nexus to the DIFC.
This is the threshold that needs to be explored in relation to whether or not this is to apply to you. There have been quite a number of changes that have been brought in with this new law. What I do not want to do is go through them all in particular detail, because, A, it will potentially be particularly dull and dry for you, but also because I think that we will send these slides out to you, so you will have a comprehensive list of them.
To give you a general idea of what the focus of this updated law has been: obviously there is now the requirement in certain circumstances to appoint a data protection officer, which was not previously there. Data controllers are now required to produce a record of processing in relation to their processing activities, and Joss will probably be able to speak a little bit more to that later if we need to.
And there is also a requirement to conduct a data protection impact assessment in relation to high-risk processing activities, which is a particular category of processing activities that we will talk about a little bit later in more detail.
Other things that have changed within this law include a new concept of joint controllership that was not there previously. There are enhanced breach notification requirements, and there is now an obligation for a controller to enter into legally binding agreements with processors who are processing information on behalf of controllers, which was not previously there.
Just very quickly, the last two are in relation to cross-border transfers and special categories of data. Changes have been made in relation to how these are permitted and permissible under the new law, and largely it replaces the obligation, which was to get permission from the Commissioner in order to do cross-border transfers, and aligns more with the GDPR now, with permitted countries that have adequate protection in relation to the receiving or transferring of personal data.
Again, as I said, the purpose of this session today is not really to go into all of the new aspects of the DPL 2020, but as a recap, what we see is that the general principles of the previous law are retained, enhanced and more aligned with the GDPR. It is still very critical in relation to the new law, but the key points and key principles around personal data continue, and obviously the list here is those key principles which still continue to apply, and the enhanced regulations that we now see feed directly into some of these particular requirements in relation to having data processed lawfully and fairly, keeping it accurate and up to date, retaining it for a particular period of time, or indeed ensuring that there are appropriate security and operational measures in place to protect that particular personal data.
And some of the new obligations that are under the DPL 2020 directly reflect that and enhance those particular principles. One of the ones which is actually key is the lawful processing of personal data. One or more of the following is a legal basis that can be relied on in relation to processing personal data.
Among those are: to perform a contract to which the data subject is a party; to comply with a particular legal obligation under the law for which the personal data needs to be processed, provided or shared; to protect a particular data subject's interests; where it is required on behalf of the DIFC or the courts of the DIFC or other competent authorities; and, leading into what we are going to talk about next, where the data subject has freely given its consent in a particular manner, which is clear and unambiguous, for the processing of their particular data.
Consent, I think, has historically seemed somewhat straightforward and quite simple, and I think that that is actually not the case. And I think certainly in our experience in advising clients and others, consent is not an easy concept to grasp, and certainly not an easy concept to interpret in the context of either the GDPR and/or this new DPL.
So I think it is important that you are very mindful that consent drives a lot of the protections in relation to the DPL. A data subject is given control in relation to what it can and cannot consent to, and the principles around consent under the DPL 2020 state that consent must be explicit, freely given, specific and unambiguous.
Now, in relation to the explicit nature of that consent, it is not enough that it is an opt-in. It needs to be affirmed in a very clear manner, obviously by ticking a clear box with a statement as to what the consent has been given in relation to. It can be a verbal consent or a written consent, but it needs to be an explicit form of consent that is given.
One of the interesting issues is around whether it is a freely given form of consent. Recently we had a client who was looking at whether or not consent could be taken from an employment contract where, if the employee had not agreed to provide a consent covering particular personal data, they might not be employed, and of course for the Commissioner, and obviously I think under the GDPR too, that form of restriction on being able to freely give consent would simply not be a valid form of consent under the DPL 2020, nor under the GDPR.
Jocelyn, just out of interest, in relation to the UK, these are fairly specifically aligned with the UK's requirements, correct?
Jocelyn Pauley: Yes. It is the same as the criteria in the UK, and in fact in the example you gave, in the context of an employment contract, if that information is needed so that an employer can employ someone, either in order to comply with their legal obligations or simply as a function of being employed, then consent would not be a legitimate ground for processing in the EU, because it has to be given or else you cannot be employed; therefore it cannot be freely given, because effectively the employee has no choice.
And over here the Commissioner will also consider the relative negotiating powers and positions of the two parties. So they will always take the view that an employer has a much, much stronger position vis-a-vis an employee, and so it is very hard here to obtain a valid consent from an employee for any kind of processing of data unless it is truly, completely optional, with no impact on the job if they give it, all those kinds of criteria.
Tony: Yes. And again, I think that the direction from the ICO, as you just indicated, is something that obviously will drive quite considerably the way that these types of new principles are being expanded on here, so I think we need to be mindful of that and stay on top of the ICO guidance and guidelines that are issued around certain principles of the GDPR.
I think one of the final statements I was just going to make, really, in relation to the previous slide, was that consent should not be presumed to last indefinitely under the DPL. If the purpose for which the consent was lawfully obtained and the reasons for which the personal data is to be used change, or the time period or the processing activity changes, then just because you had a form of consent originally under one particular specified purpose does not mean that it will apply to all purposes, and it will not last indefinitely.
I think it is important for people to be mindful of the fact that if there is a shift in the nature of the purpose for that particular consent, then changes might need to be made to particular statements on websites, or in particular contracts, or in other forms of legal contracting with particular people around their personal data.
Practical issues to consider from a business perspective: make sure that consents are obvious and that they are separate from other legal terms and conditions, or are expressly highlighted, so that they are obvious for a particular individual, a data subject, to be able to engage with.
Active opt-ins are key to making it a freely given, expressly given and unambiguous form of consent, so again we are encouraging that there are active opt-in functionalities and also active opt-in wordings, and avoiding passive and ambiguous statements around opting in.
That leads on to clear statements and more granular options for how the wording for these types of consent is to be drafted by businesses, in order to ensure that you are compliant with the proper requirements of the DPL.
It is also important to remember, and we will talk a little bit about that later, that it is easy for a data subject to withdraw their consent. If you are heavily reliant on consent for particular purposes, for example an advertising campaign for which you are required to have consent to use particular personal information, and that gets withdrawn, then you must be aware of the fact that these things can be easily requested by a data subject.
Very helpfully, the DIFC has provided general guidance on consent, which is available in the link here.
The other aspect of the DPL 2020 is that we have enhanced data subject rights now, but that is not to say that these data subject rights did not actually exist before. They did, but there are now some additional ones, so, as I was just talking about, the withdrawal of consent by a data subject can happen at any time. In relation to withdrawal of consent, if you are a controller of the personal data, you are required to make that withdrawal at least as easy as it is to give the consent.
So you are not to make it a complicated or convoluted or difficult process, and I think the wording is that it should not require undue effort on the part of a data subject in order to be able to withdraw their consent, and the withdrawal needs to be done within a reasonably practicable timeframe.
The new requirements reflect an understanding of the fact that this is not always something that can be done immediately, and that it will sometimes require time and effort from an IT and architectural perspective in order to make sure that consent can be withdrawn. A controller must also be able to ensure that any downstream processors in relation to that personal data are aware of the withdrawal of the consent and that they do not continue to use the personal data in relation to that consent once it has been withdrawn.
The other interesting right that has been introduced is the right to obtain personal data from the data controller and that is most commonly referred to in other forms of legislation as data portability.
Article 37 of the new DPL 2020 talks about data portability, and effectively a data subject can request that its personal data be obtained from a controller or ported to another controller in certain circumstances, and it is really where the processing of that personal data is, one, based on consent, so the lawful basis was consent being given, or on the performance of a contract, so the legal performance of an existing contract, and, two, carried out by automated means by the controller. And the data subject will have a right to receive from the controller a copy of their personal data in a structured, commonly used and machine-readable format, to support their ability to exercise this particular right.
Again there will likely to be more guidance that will come from the Commissioner in relation to these particular data subject rights going forward. Next slide please.
Very generally, I just wanted to note that there is obviously enhanced information that needs to be provided to data subjects if you are a controller of personal data; here is a list of the information that needs to be provided to data subjects. It really is very much a reflection, obviously, of protecting the rights of the individual data subjects and ensuring that the principles are all about reflecting those particular protections. Next slide, Lib.
One of the interesting aspects of the DPL 2020 is in relation to what is being termed high-risk processing activities, and Article 20 talks about high-risk processing activities as being activities that employ new forms or new methods of technology to process, which create a materially increased risk to the rights of the data subject, or in fact might render it more difficult for a data subject to exercise their rights under the DPL. That is the first limb of the test.
The second limb is that it is potentially a considerable amount of personal data that will be processed and that processing is likely to result in a high risk to the data subject.
The third one is that the processing will involve a systematic evaluation of personal aspects relating to natural persons or individuals, based upon an automated processing activity and profiling is a good example of that, and off the back of that, decisions are to be made and are based on that particular form of automated and systematic processing that has a legal effect concerning that particular natural person or data subject.
These are the particular limbs of the high-risk processing activities that you will need to be aware of. There are some examples of high-risk processing activities. Oh, sorry, my apologies: the fourth limb is that a material amount of special categories of personal data is to be processed, which will amount to high-risk processing activities.
Special categories of personal data are things such as medical history, healthcare history, religious or philosophical beliefs, and biometrics, for example where biometrics are required for access to particular data. Those are the special categories of data. Examples of typically high-risk data would include, as I just said, special categories of personal data as defined under the DPL 2020; bank account details, salary details or financial data; location tracking data; and also data related to third parties that is gathered from a primary data subject. Again, Joss, just quickly in relation to that, does that threshold of high-risk processing activities reflect a similar threshold in the UK, or is it somewhat lower than you see?
Jocelyn: The language that you quoted from the legislation about what amounts to high risk? I can certainly spot bits that look like they have been GDPR-inspired, where we have similar phraseology around "likely to cause a high risk" and "regular and systematic evaluation including profiling". The examples on your slide there, though, I feel are actually a lower bar for being high risk than in the UK. I have to say I had always thought that with the UK's bar, when you come to apply the test and the criteria in a real-world scenario, you quite quickly hit the bar in the UK. I feel in the DIFC you are going to be hitting it even more quickly than in the UK, and this is one area where, across Europe, different member states were allowed to produce their own guidance and set their own criteria for when DPIAs had to be carried out for these high-risk processing activities, and so there is divergence across Europe. So it is interesting here that it looks like the DIFC is also making its own mark as to what it believes is high risk, and that bar is going to be set slightly differently in each different jurisdiction, which makes compliance a bit more of a challenge for corporations, particularly if you have a global base and you are complying with these laws in different areas.
Tony: Thanks for that, Joss. Organisations performing high-risk processing activities are required to do several specific things. One, which we will talk about briefly later, is to appoint a Data Protection Officer in relation to the high-risk processing activities undertaken; another is to carry out an annual assessment of its processing activities to ensure that it is compliant; and, as Joss just mentioned, another is to carry out impact assessments in relation to the proposed processing operations that are used to undertake these high-risk processing activities.
As I just mentioned, you need to appoint a Data Protection Officer if your business is engaged in high-risk processing activities, and part of this is a self-assessment exercise in deciding or determining whether or not your company is engaged in high-risk processing activities, and that, I think, is a deliberate aspect of the law to give businesses the flexibility to make these determinations themselves.
But examples would be where there is automated decision-making, where new technologies are being used, where your processing activities use a large amount of personal data in order to deliver what is going to be delivered, or in fact where you are using special categories of personal data and you are doing that on a regular basis and it is a particularly sensitive category of information.
There are also some changes in relation to cross-border transfers of personal data outside of the DIFC. Cross-border transfers are now able to be done without the permission of the Commissioner, which was required under the previous law. Now you are able to transfer personal data outside the DIFC to certain countries that have adequate forms of protection or adequate protection regimes in place, where they are in receipt of the data and can guarantee a certain level of protection of that particular personal data.
This also covers one or more specified sectors within those countries that have adequate protection regimes, and the DPL 2020 also talks about international organisations, which is a defined term, that have currently been deemed or will be deemed by the Commissioner to provide adequate levels of protection, so that there will be appropriate safeguards in place in relation to those international organisations and personal data can be transferred outside of the DIFC to international jurisdictions and/or international organisations.
And again, the DIFC has a helpful link, which is here, which sets out those adequate data protection regimes that are currently in place, and no doubt, if the UAE ends up being one of those eventually, or the DIFC ends up being one of those eventually, it will be added to that list.
I guess most importantly, and often what triggers a lot of people's interest in relation to compliance generally, is the sanctions, penalties and fines that might be imposed if you breach or infringe particular requirements of any law.
In relation to the DPL, the structure of the fines and sanctions has been enhanced. They have been made more robust and there are clearly higher levels of fines imposed. Previously, under the 2007 DPL, it was between US$5,000 and US$25,000 for each infringement. Now it is between US$25,000 and US$100,000. The number of triggers for fines and sanctions has also increased. I think under the old Data Protection Law there were nine specific sets of fines that applied. Now, under the new DPL, there are 35.
It has been considerably expanded, and intentionally so, and I think that also reflects the fact that there is likely to be enforcement action. The factors that will be considered in relation to imposing those particular sanctions and fines are listed here, points one to nine. None of those are particularly surprising, particularly in relation to failing to co-operate with the Commissioner, repeated violations, and whether or not a controller has taken meaningful steps towards its compliance; in the absence of that, clearly the Commissioner will take your failure to do so into consideration in relation to what fine is to be levied against you for the particular infringement.
What should you do next? If you are a DIFC registered company already, you are likely to have a DP program in place. You are well on your way to being compliant and you might just need to do a cursory gap analysis in order to see what is still outstanding in relation to some of the new obligations, but hopefully if you have that in place, the work required between now and October 1 should not be too great.
If you are a non-DIFC-based company but you work in the DIFC as part of an ongoing series of engagements or activities and have stable processing of personal data within the DIFC, or you have entities that process personal data exclusively within the DIFC on behalf of a business, then you will be required to look into a form of compliance program that is going to comply with these particular new requirements.
Quickly, I would suggest, obviously the most obvious way is to make a judgement as to your audit processes around your data processing activities: your data flow, where the data goes to, who it goes to, where it comes from and the nature of that data. And then what will flow from that audit process is identifying particular compliance gaps, and the road to compliance is, depending on who you are, a relatively long journey.
Here is a list of some of the things that may or may not apply to you in relation to your compliance between now and October. But I would certainly suggest that it is very important that you start looking into these particular new obligations and whether they impact you and start to give some material consideration as to how or what you need to do in order to be compliant by 1 October.
I think that that is me done in relation to a canter through. I am going to hand over to Jocelyn Pauley, who hopefully will - well, I know actually - will be sharing some global insights on the GDPR two years on that might help us nail the interpretation of the new DPL 2020 going forward. Thanks, Joss.
Jocelyn: I am conscious there are questions coming in. We will leave time for those at the end. I think they will be more for Tony than for me, so I will try and keep this short and snappy.
I was listening with interest to what Tony was saying in terms of the timelines that you were working to in the DIFC. Three months to put in place all your documentation, do your risk assessments. Achieve compliance by 1 October. In Europe there was a two-year transition window, so I think you do have a road to travel which maybe is made slightly easier by what you can learn by looking to Europe. I think it is a fairly tall order to get to grips with all the new bits and pieces of the legislation in that time scale.
I have lots of clients at the moment are actually doing what I have called on the slide there, GDPR version 2.0? This is going back and looking again at the compliance programs they ran two years ago in order to become compliant by the 25 May 2018. And at that time there was no hanging fruit that people could address quite quickly, things like getting their records of processing in place or updating the privacy notice. There are also lots of activities that got put in a "too hard" box for various reasons for different organisations, and even now clients are not wholly compliant and are coming back to look again at those things which were not perfect first time around, to address them now they have a bit more time and knowledge of how the legislation is working.
Because I think a lot of clients found that in order to comply with some parts of the GDPR, such as applying the correct retention periods, different pieces of information, being able to give access to granular different pieces of information to people who needed to know all the subject access requests. Having the right software and structure behind their systems to enable them to do that. It was not there, so compliance with GDPR actually required a different procurement running for a different information or storage system in the first place. Those are the kinds of activity that some clients are coming back to, to look at implementing now once they found a workaround in the meantime.
Another reason for clients coming back and looking again at compliance is that we have had guidance drip-fed over the course of time. There were various pieces of guidance obviously issued by the ICO in the run-up to the 25 May and further guidance has continued to follow, including from the European Data Protection Board. They adopted some of the old guidance, but we have had new guidance out as well.
In particular around things like when to carry out a DPIA, as I was saying, because guidance is varying across Europe. Special category data and the processing of that, and in the UK an additional test around a substantial public interest, because as well as the GDPR we had new national legislation, because there were derogations within the GDPR where member states were allowed to make their own local laws. We have had that to comply with and that is another reason some clients are going back and re-looking at GDPR.
Clarification around time limits when responding to subject rights requests. Clients are having to ensure that the regimes they set up two years ago are still in accordance with the new guidance. One of the first things, if Tony was advising on compliance with new laws, you would be talking about is doing a data audit of your business and your estates, so you understand what data you have, why you are using it, who has access to it, and what your legitimate ground for processing is. Because unless you know that and you have the right context, it is impossible to write an accurate privacy notice to give the right pieces of that information to data subjects.
And when we were doing this two years ago in the UK, the way that you understood your data estate was essentially by sitting down with all the different stakeholders in the business and asking them questions. You could get some way by having an IT structure diagram and seeing the different systems that are being used, but that does not necessarily tell you what data is in there and it does not tell you why it is being processed, to work out things like your ground for processing. It would not necessarily tell you who was sharing it or what the source of that data was.
I think at the time everyone hoped and wished that there was a clever piece of software that would go off and sniff around your systems to work out what personal data you had. We did not have it two years ago, but I have seen in the market more recently different pieces of software attempting to address that problem and getting much closer than there was two years ago, so I would hope for you that this would be an easier experience, being able to do it in a more technology-friendly, automated way rather than, as we had to, in a very manual way.
In the UK there was a real fear that there would be a skills shortage for companies who had to have mandatory DPOs. The requirements here were slightly tighter than Tony just ran through for the new DPL/DIFC. But there was still a concern, because this is not something we have ever had before and it was a fairly high bar for a DPO to be independent, an expert in data protection, adequately resourced and reporting to the highest levels of management.
I think there is still a very active market here if you have that skillset. It has also not been helped by the fact that, although you can have an external DPO and it can be fulfilled by a third party, the offerings I have seen from consultancy and third-party providers I think do not achieve the level of mandatory DPO with the skillset that is required by the GDPR.
I think you can at most be merely a post-box for subject rights requests or provide some kind of helpline for ad-hoc bits of advice, but because you do not sit inside an organisation and know it inside out, you cannot provide that level of independent expertise that is required by the GDPR.
Privacy notices are obviously a major exercise when going through GDPR compliance. They have now settled down in terms of the type of language that companies are using and the way they are structured; we frequently see layered privacy notices as envisaged by the European guidance.
Either way you have bits of information that people need to know right here right now as they enter personal details onto a website maybe, and then they can click through for more detail or flipping it around as a core privacy notice that has information about retention, subject access rights, how to make complaints and then that breaks up into different bits and pieces that contain specifics around reasons for processing in different scenarios - maybe for marketing or competitions activities like that.
Consent, as Tony talked about: there is a very high standard for obtaining a valid consent under GDPR. The areas where we have seen this make the biggest impact are where people were using consent as a ground for processing and never should have been in the first place, like in the employment scenario we talked about.
But also outside of maybe core GDPR, around marketing - because where you are obtaining a marketing consent in Europe that is a GDPR standard of consent, so people having to be very granular and specific about the different types of marketing that they might wish to do, for different products or group companies or with affiliated partners - those now have to be much more granular than they were previously.
Also consent around use of cookies. If you go on to websites that are UK based, you will see very clear cookie banners and if you click through to see what is behind those, much more granular consents being given for cookies for different functions for different purposes, and easy-to-use sliders to say yes/no.
That is where we are really seeing consent materialise in the real world. We have mentioned DPIAs a few times. I am seeing clients using these to a much greater degree than I really thought I would. I think that is because it has become a part of procedures for companies, where they are embarking on new projects or they are aware they are collecting a new piece of personal data, because having done their audits they are much more aware of what they have got and what is new.
I think the difficulties are around having any kind of template for a DPIA, because these are risk assessments. You only need to do what is proportionate to the nature of the data and the risk that it might entail for the individuals. It could be a case of a DPO thinking it through in their head and doing a very quick and dirty assessment, or it could be a major project where you need that detailed documentation to refer back to at a later date if there was ever to be a breach or if you were ever going to query, why did we make this decision, what mitigations did we put in place.
Coming up with a template that you can use in any scenario is quite challenging. The other challenge is, who is best placed to complete that template. Project teams might not have the knowledge of all the right jargon and concepts that we use when talking about privacy rights, but equally in-house lawyers or DPOs or external counsel can be too far removed from a project. It requires a really close collaboration between the two to complete those assessments adequately.
DSARs. We were all concerned that with the advent of GDPR there would be a big uptick in DSARs and other subject rights, some of the new ones that Tony showed on the screen. Yes, we have seen an increase, but certainly not floodgates opening, and really they are still being used tactically in particular scenarios, typically where there is an employee dispute or a tenancy dispute, and they are really there as fishing exercises or to cause aggravation to the employer or the landlord.
We see clients having to use the time limit extension you are allowed to use in Europe, to go beyond the 30 days, because these things do take a lot more time than you anticipate, even for the relatively simple ones. And the other challenge has been actually identifying data within systems in the first place, so going back to the point I made at the beginning about having proper storage systems, being able to correctly identify and tag data; that has made compliance more difficult.
Flipping this round: that has been on the ground. What has it looked like two years on and what developments have we seen? What about from the ICO's point of view?
In terms of their approach, our regulator is all about a proportionate response. They focus their efforts where they see the most risks. They have not looked to go out and just cherry-pick a company and make an example of them for no reason, they are still resource constrained and therefore will focus where there is the greatest risk to individuals or the greatest abuses of the legislation.
They try to be collaborative with data protection officers, through talking to clients I understand they do feel well supported by the ICO, there are people they can reach out there and talk to.
Similarly for SMEs, there has been a lot of effort by the ICO and other European regulators to create templates and simplified checklists, recognising that to achieve the standard of compliance required by GDPR can be a really high hurdle for SMEs which was not the intention of the legislation originally.
The regulator has put a lot of effort into technology and innovation. They are aware that they need to keep up with the market to understand the new technologies that are being used, so that they can make sure the legislation and the guidance stay up to date, and in particular, just this last month we have had really hefty guidance on AI. They call it project explainability, explaining to organisations, if you are using AI or producing AI, the standards that you need to be complying with, and that is obviously in the interest of making sure AI is used by the market and taken on board.
The ICO also has a sectoral approach. There will be particular themes and issues. Recently they had a campaign into ad-tech, the myriad and confusing world that sits between the brand here and the consumer there, and all the different parties that use marketing databases or profiles or cookies to deliver adverts from the brands through to the end consumer; that world there is very brained[46:50] in terms of GDPR compliance.
The ICO was doing an investigation into that when COVID-19 hit and that has all been paused. Similarly political campaigning: there have been some high-profile cases in the UK around Brexit and general elections of misuses of personal data.
So, breaches. As Tony mentioned, we now have some staggeringly large fines, or the potential for fines, in Europe. What have we been seeing here? Interestingly, even at the lower end of the scale, the ICO ran an investigation last year to look at companies who had not paid their data protection fee. These are very small fees if you are a small organisation, or a few thousand pounds if you are in the largest or the highest category. But they fined 544 organisations for not paying those fees.
Interesting to see the regulator is saying that even at the lower end of the scale, this legislation has teeth. At the higher end of the scale, we are seeing fines coming out at GDPR levels. We did have some examples of what was the previous highest fine, the 500,000, being given to companies like Cathay Pacific and Equifax, so mainly security-related breaches.
The highest ones that have been publicised under GDPR are BA and Marriott Hotel, with staggering £184,000,000 and £99,000,000 fines proposed. Those are being challenged. The ICO is looking at all the evidence and running investigations, and the timelines and the next steps have been delayed again due to COVID-19, and now there is a political angle on those as well, because the ICO would never want to put a company under due to a fine.
Clearly with the international stage of aviation and the leisure industries, that now has a political overlay so will be very interesting to see what happens with the progress of those fines.
The ICO now has other enforcement actions it can take - enforcement notices and information notices. They have used those, but not in a major way. The focus of really serious breaches of GDPR has been to issue a fine still.
And lastly group litigation, which was something new in the GDPR. We wondered if we would see law firms offering group litigation or indeed campaign groups starting those up. There have been just two main ones so far: against Morrison's, which was actually under the DPA 98, not the new legislation, and now one with the latest EasyJet breach, where there is a group litigation case starting up. But we have not seen, again, floodgates open and we have not seen substantial amounts of compensation being awarded to individuals.
And lastly I look at it from the European Commission's point of view two years on. They released a report on the 24 June giving their view of the world. This is a quote from the executive summary at the start saying "the general view is that it has been applied successfully and met its objectives, strengthening both protection for personal data but also the free flow of personal data". I think it is important to remember that even the 95 Directive included in its title the free movement of personal data. This is not about locking it down, it is making sure that processing is transparent and that companies do it in accordance with regulations.
However, as you might expect, they did identify a number of areas for future improvement and I have selected a handful of those. The first is the new right of portability that Tony highlighted as well. The regulators in Europe really do see this as an innovation that they think has the potential both to unlock emerging technologies and to protect consumer rights against lock-in as well, so they talk about the internet of things and sensors being used all over the home and the business world and ensuring that people using those are not locked in to one vendor. They can easily pick up their information from one service, drop it into another and carry on.
Particularly in the UK we have seen this around the open banking initiative - that is really the only example so far.
Cross-border co-operation. This ranges from ensuring that regulators are working to the same procedural timescales, admin-type considerations to make it easier for both companies and regulators enforcing cross-border, but also looking to the likes of some of the activity we have seen against Google in Ireland and France, where the French regulator CNIL was looking to fine Google €50,000,000 for failing to comply, sorry, failing to process and tell people adequately, in a transparent manner, what it was processing and why, and Google were saying, well, do you have jurisdiction or should this really be sitting in Ireland?
The European regulators are looking to cut down on those kinds of procedural aspects of enforcement.
But also looking for greater co-operation in the actual analysing and coming up with verdicts on 'has the law been complied with or not'. They think this needs more legal instruments between regulators to make that happen and to make exchanging information easier between regulators, but they also talk about setting up a data protection academy where both European and foreign data protection authorities can share knowledge and experience and know-how, so it is interesting that they are looking to put this on a more global footing than just simply across Europe.
There was an interesting nod as well to SMEs, acknowledging that it is difficult for them to comply and encouraging regulators to produce more material to make it easier for them, and I did wonder if that was maybe a nod to considering in the future whether there were aspects of compliance that could be made easier for SMEs, although they have not gone quite that far in the report to date.
And finally they talk about pursuing adequacy decisions with more countries internationally to make data flow easier, not just within Europe but within third countries as well and they also referred again to supporting either ongoing reforms in third countries without laws or supporting those with new laws like DIFC by sharing experience and best practices and also taking part in the data flow with trust initiative that was initiated by Japan when they hosted their G20 meeting last year.
I think there is an interesting direction of travel there about putting privacy and data protection compliance on a more global footing and getting greater co-operation between regulators internationally.
That is my whistle-stop tour of GDPR two years on. Tony, you have got a bit more to say there about how we can help you comply, and if you want to turn to looking at any of the questions as well in the last few minutes.
Tony: Thanks Joss, that was incredibly helpful. I think as a bit of a wrap-up statement, I would just like to make the point that one of the values of having Jocelyn on this call is that these new obligations that are imposed under the DPL 2020 are in fact heavily reliant on the GDPR, and consequently the guidelines and the guidance that will evolve in the DIFC in relation to this law will be directly taken from the working group in the EU as well as other examples of jurisdictional consideration around particular issues.
I think as companies and as legal counsels in UAE, whether we be in the DIFC or otherwise, we need to be mindful of the developments that come out of the EU and obviously it is great that we have Joss and the global team that are able to help us in relation to interpreting and applying those particular guidelines to this new law.
Obviously we can help you internationally in relation to those things that are listed on that particular slide, as to how we can help you, the international team have a huge amount of experience in relation to things like the broker requirements and the different requirements, as well as certain contractual changes and clauses that might need to be addressed in your specific supplier contracts, for example in relation to various issues to ensure that you are going to be compliant.
Other than that I have done my best to try and answer questions real-time by typing responses, so to those of you who have got those and sent those questions, thank you very much and I hope the answers that I sent have been helpful.
Just quickly Joss, you will have seen some of the questions as well. There is a particular question that Joss might be able to shed some specific light on. It is in relation to facial recognition data, Joss, that is used, and whether or not that has the power to make a particular entity that is using facial recognition data, which is obviously becoming far more common now, whether it makes an entity a processor or a controller, and will it be considered special category personal data.
I mean my view is that whether it would make an entity a processor or a controller depends on what you are doing and your ability to determine the purpose and the means of processing that data, so you would be a controller in relation to that potential facial-recognition data if you determined the purpose and the means of processing that particular data. And you would be a processor, for example, if you were simply just processing that data on behalf of a controller who is in control of that particular facial-recognition data.
Joss is there anything that has come out of the EU in relation to facial-recognition data specifically?
Jocelyn: It would be considered special category data in the EU. You also need to ensure you had an Article Nine ground for processing, and in the EU it is a two-pronged approach. You need one from Article Six and one from Article Nine, so you would need to ensure that you have identified what that was that you were using it for, and things then like security: there would be a higher standard of security you need to apply because of the damage that could be caused if that data was wrongfully accessed or disclosed.
There is certainly some specific guidance around things like body-worn cameras for law enforcement, which will clearly be capturing facial data, although that is maybe more like CCTV. I think the biggest issue around facial recognition at the moment is transparency, so do people actually understand that their face is being analysed and potentially captured, and maybe whoever is capturing it is trying to work out who they are, so a transparency issue. But also what we see coming out from law enforcement as well, and obviously lots of software players in this market have recently withdrawn their facial recognition software from law enforcers, because the feeling is that it is not well enough understood and it is not robust enough to accurately identify, or where police are using it to anticipate what might happen, that the databases that the facial recognition software is working off are potentially discriminatory, and that is part of the AI guidance that the regulator has put out, about whether it is trustworthy AI, how it is being trained and how you guard against discrimination coming through in the way it is being trained.
Tim: Yes. Thanks, and also specifically to answer the question that came through: obviously if it is special category personal data, which it would be, and for the particular purposes that it might be being used for, you would need explicit and express consent from a data subject in order to be able to process that particular information also.
I think it is worthwhile also mentioning as you just did, the AI considerations in relation to the innovations and technological developments around facial recognition and biometrics is really fascinating. Again I think not only this DPL 2020 Law obviously the GDPR just continues to develop rules and regulations and guidelines in relation to the application and interpretation of some of these new technologies, so again it is worthwhile as legal counsel, to stay on top of those types of developments and guidelines as and when they come out.
I have got another question here which talks about, appreciating that the focus is on DIFC requirements, whether there is anything that non-DIFC entities should be doing from a DP perspective, noting that the DP Federal Law might be coming in at some point in time.
I would say absolutely! It is just a matter of time before we have a Federal Data Protection law that applies to all entities in this region. I do not know how long that will be. There has been a consultation process in the UAE in relation to it and that consultation process has been finalised, I understand.
I imagine that it is in the process of being finalised. It could be 12 months, it could be 18 months, but again I am not entirely sure and cannot give any guarantees, but I would certainly say that it is timely that now we have got the DIFC/new DPL Law with the enhanced regulations that align to the GDPR specifically, but in all likelihood, if your business is going to be controlling or processing personal data as part of your business, then start looking at it now really and start familiarising yourself, start educating yourselves and the business in relation to what those frameworks are likely to require, because I think the more proactive you are in relation to these things, the less pain you will feel later on. As Joss could attest to, at the time when the GDPR came in, there were many organisations that thought they were ready. They were not. They were not ready and did not care. They certainly felt the pain of the GDPR.
If you have got time and you have got inclination, I would suggest that yes, the law will be coming and it will be federally applicable and it is worthwhile to making an effort to get familiar with that and look at your business, from that perspective.
Sorry, just flipping through. There was a query …where the processing is necessary for compliance with a legal obligation does the DPL 2020 state that it must be in accordance with DIFC laws or can it be any law? I understand in the GDPR it specifically refers to Union and Member State Law.
To be honest I would have to have a look at that, to just read the provisions specifically to make sure that I can give you the right answer, but I would be happy to do that after this.
Anybody else got any other particular questions?
I think there was a query around minors granting consent and where the parents had to grant consents, so I have answered that.
Does anybody else have any specific questions for either myself or Joss?
Tim: There is one at the bottom there Tony. If one member of your group of companies is incorporated in the DIFC, will the law apply to any other members of the group registered in the UAE?
Tony: I believe that you will be required to have agreements in place between your affiliated entities in relation to your obligations for data protection under the DIFC. So I would say yes.
Tim: And then there are a couple of other questions that came in the chat box…perhaps we can just answer those afterwards and urgent general/ couple of lines on those.
Tony: I mean any questions that Joss or I have not had an opportunity to answer, just for your benefit, I mean we are obviously more than happy to send them to you directly as an answer if you are happy for us to do that, or Joss and I are also proposing to send out (a) these slides and (b) there is likely to be some form of collateral on the basis of this that might actually specifically address some of these questions as well, but irrespective of that happy to address them specifically for you.
There is a query about onshore branch of a DIFC entity and whether they are required to comply with the DIFC data protection law.
I think I covered that but the DIFC data - if you're a DIFC registered company and you have got onshore activities and those onshore activities are utilising processing within the DIFC or personnel in the DIFC, you would be caught by this and I think it is intentional that there is a slight halfway house at the moment under the drafting of this legislation, to ensure that there is the ability for the Commissioner to be able to bring others within the remit of the new DPL requirements to compliance obligations under these principles.
Tim: Okay, I think a number of people are now falling off the call, so I suspect we should draw it to a close. I would like to thank Joss in particular for joining us; that was very helpful from my perspective and I am sure it was from others.
Thank you all for joining and thank you Tony for the update on the new law. Obviously you all know where we are, so please do reach out if you have any questions or queries. We will also be sending around a survey and that includes a question of what you would like to hear about most or next from us in relation to ThinkHouse and if there are specific areas, please do shout and we would be happy to address those, and as I said at the beginning I very much hope to see you all soon at a live event rather than by webinar.
Okay thanks everyone.
Tony: Thanks everybody.
Thank you and thank you Joss. Really appreciate your involvement today.
Joss: Thank you everyone. Good to be here. Bye.