2017-01-01
The Abu Dhabi Global Market Registration Authority proposes amendments to the Data Protection Regulations 2015 to clarify defined terms, enhance enforcement powers, and align data transfer mechanisms. Key changes include increasing the maximum fine for non-compliance to USD25,000, designating jurisdictions with adequate protection directly in the Regulations, and granting ADGM authorities broader exemptions to share data with other governmental bodies. The consultation also updates model data transfer agreements and refines the fees schedule without introducing new fee amounts.
CONSULTATION PAPER NO.2 OF 2017
4 MAY 2017
PROPOSED AMENDMENTS TO ADGM’S DATA PROTECTION REGULATIONS
INTRODUCTION
WHY ARE WE ISSUING THIS PAPER?
AMENDMENT TO DATA PROTECTION REGULATIONS
SCOPE AND APPROACH TO THE PROPOSED AMENDMENTS OF DATA PROTECTION REGULATIONS

7. This Consultation Paper aims to propose amendments to the existing Regulations. The proposed amendments offer more clarity on defined terms, designation of jurisdictions with adequate level of protection, enhanced enforcement provisions, amendment to the Registrar notification provisions, amendment to data transfer agreements, amendment for ADGM authorities to share information with other authorities and amendment to the fees schedule.

8. The Board is aware of the EU General Data Protection Regulation ("GDPR"), which has been developed by the European Commission to replace the current EU Data Protection Directive (Directive 95/46/EC). The GDPR applies from 25 May 2018 and until such time the EU Data Protection Directive will still be applicable. The draft Regulations have not attempted to preempt GDPR.

9. The Regulations apply to any person based in the ADGM who, either alone or jointly with others, determines the purposes or processing methods of any Personal Data (collectively defined as "Data Controllers").

10. The following amendments are proposed to the defined terms:
   a. The definition of Sensitive Personal Data has been amended to include Personal Data concerning an individual’s criminal record. This addresses a difference in scope from the same concept in equivalent EU legislation.
   b. The definition of Personal Data has been amended by introduction of Data and Relevant Filing System as new defined terms. The amendments have the effect of:
      i. explicitly including electronic databases and filing systems (please see definition of ‘Relevant Filing System’); and
      ii. introducing various consequential changes throughout the Regulations and the Schedules to define ‘Data’ where used (as distinct from ‘Personal Data’).
   c. The definitions of Abu Dhabi Global Market Board, ADGM Registration Authority, ADGM Courts, and ADGM Financial Services Regulatory Authority have also been updated to refer to the meanings given to those terms in the Interpretation Regulations 2015.

ISSUE FOR CONSIDERATION
Q1: DO YOU AGREE WITH THE PROPOSED AMENDMENTS TO THE DEFINED TERMS?
11. Certain provisions of the Regulations have been amended with the effect that:
   a) Jurisdictions listed in Schedule 3 to the Regulations are now designated as jurisdictions with an adequate level of protection for Personal Data pursuant to the Regulations (rather than, as previously, pursuant to designation by the Registrar); and
   b) The Registrar now has an explicit power to designate further jurisdictions as having an adequate level of protection for Personal Data, and to withdraw such status from a jurisdiction.

12. This addresses possible issues that have arisen in the EU, as regards the legality of the European Commission’s designation of the USA as equivalent. By making this designation take effect under the Regulations, questions as to the status of ADGM designations are eliminated.

ISSUE FOR CONSIDERATION
Q2: DO YOU AGREE WITH THE PROPOSED METHOD OF DESIGNATING JURISDICTIONS OFFERING ADEQUATE PROTECTION FOR PERSONAL DATA AND POWERS GRANTED TO THE REGISTRAR TO MAKE SUCH DESIGNATION?

13. The proposed amendments in the Regulations to enhance enforcement provisions establish specific powers of the Registrar as follows:
   a) To make additional rules regarding procedures relating to the imposition of financial penalties; and
   b) To impose fines in respect of contraventions of directions of the Registrar, the Regulations, or rules made pursuant to the Regulations.

14. An additional provision establishes the presumption that enforcement related certificates signed by the Registrar are deemed to be:
   a) Conclusive evidence of the application of the enforcement action in question; and
   b) Prima facie evidence of the facts contained in the direction or notice.

15. Non-compliance with any direction issued by the Registrar, the Regulations or any rules made pursuant to the Regulations is now subject to a maximum fine of USD25,000 (currently USD15,000 in the Regulations).

ISSUE FOR CONSIDERATION
Q3: DO YOU AGREE WITH THE PROPOSED ADDITIONAL ENFORCEMENT PROVISIONS?
Q4: DO YOU AGREE TO AN INCREASED MAXIMUM FINE PROPOSED IN THE AMENDMENT REGULATIONS?
16. The amendment Regulations propose time limits and clarifications to the existing provisions regarding when Data Controllers must make certain notifications to the Registrar.

ISSUE FOR CONSIDERATION
Q5: DO YOU AGREE WITH THE PROPOSED TIME LIMITS OF ONE MONTH SPECIFIED FOR NOTIFICATIONS BY DATA CONTROLLER TO THE REGISTRAR?

17. The amendment Regulations propose amendments to the Model Data Transfer Agreements with the effect that clauses relating to parties’ obligations and termination clauses correspond to the proposed amendments in jurisdictions that have either been designated by the Regulations or the Registrar as having an adequate level of protection for Personal Data. In addition to that, a grandfathering clause has been added to the Regulations to ensure that model data transfer agreements entered into prior to the proposed amendments remain effective, and that data transfers in accordance with such agreements will be in compliance with the Regulations.

ISSUE FOR CONSIDERATION
Q6: DO YOU AGREE WITH THE PROPOSED AMENDMENTS TO THE MODEL DATA TRANSFER AGREEMENT?

18. The amendment Regulations propose a general exemption for ADGM independent authorities to share data with other authorities to enable the Board, ADGM Registration Authority, ADGM Courts, or ADGM Financial Services Regulatory Authority to share Personal Data and Sensitive Data with other governmental or regulatory bodies or authorities for the purpose of exercising the recipient’s, ADGM Registration Authority’s, ADGM Courts’, or ADGM Financial Services Regulatory Authority’s powers or objectives.

ISSUE FOR CONSIDERATION
Q7: DO YOU AGREE WITH THE PROPOSED EXPANDED GENERAL EXEMPTIONS GRANTED TO ADGM AND ITS AUTHORITIES?

19. The amendment Regulations propose amendments to the Fees schedule to the effect of further detailing certain types of applications/notifications for which fees are payable. For example, the amendments clarify that the fee for appointment of a Data Processor is payable per appointment where there is more than one.

20. There are no new fees introduced nor amendment to the quantum of existing fees.
21. The rule-making provisions in the Regulations have also been supplemented so that the Board is empowered to make rules imposing additional fees for any other matters related to the Regulations, and to amend the level of fees payable for applications/notifications under Schedule 3 of the Regulations or under any other rules made by the Board pursuant to the Regulations.

ISSUE FOR CONSIDERATION
Q8: DO YOU AGREE WITH THE PROPOSED CHANGES TO THE FEES SCHEDULE?
ANNEX A: PROPOSED AMENDED DATA PROTECTION REGULATIONS