GDPR in the Middle East: Impact, Reach and Compliance
This article first appeared in The Oath in October 2017.
With the impending enforcement of the GDPR in early 2018, how far do the tentacles of the new EU data protection law extend to the Middle East? Joby Beretta of The Bench breaks it down to the basics.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) Regulation (2016/679) which is making some fundamental changes to the data protection laws across Europe. It has been receiving a lot of interest recently due to the impending deadline of May 25, 2018, the potential large fines and, of particular relevance to companies in the Middle East region, its global reach.
Does it apply to companies in the Middle East?
The GDPR applies to any companies:
‘established’ in Europe. This includes companies with offices or branches in the EU, but this is not the determining factor; it also extends to ‘effective and real exercise of activity through stable arrangements’, which can be fairly minimal. The Court of Justice of the EU has taken a very wide interpretation of what constitutes ‘establishment’ in recent cases such as Google Spain and Weltimmo, and it is therefore best to err on the side of caution. If this test is met, the GDPR applies even if the processing of such data takes place outside of the EU, e.g. in a data centre in the UAE;
based outside of the EU but offering goods or services to individuals in the EU. This can be via fairly obvious means such as Middle East based companies delivering physical goods to Europe. However, if it is apparent that the company ‘envisages’ that activities will be directed at EU individuals, that will be sufficient. Factors taken into consideration may include using local top-level domain names (such as .de or .eu), accepting orders in EU languages, accepting payment in EU currencies, having EU references on websites or paying for search engines to facilitate access from the EU; or
monitoring the behaviour of EU data subjects (such as profiling, location based or behavioural advertising) to the extent that such behaviour takes place in the EU.
The territorial reach of the GDPR applies to both ‘data controllers’ (who determine the purpose and means of processing) and ‘data processors’ (who process the data on behalf of the controller).
It is essential, therefore, for all companies in the Middle East to at least assess, based on the test above, whether the GDPR applies to them. If the answer is yes or potentially yes, the rest of the article should hopefully serve as a useful summary of the key requirements of the GDPR. If the answer is definitely no, it is probably time for a coffee break and/or to skip to the next The Oath article because, let’s face it, data protection is not the most exciting topic.
What type of data does it apply to?
The GDPR applies to all ‘personal data’, which is widely defined and includes names, addresses, emails etc. but also IP addresses. For most companies the main databases of personal data relate to (i) clients (ii) employees and (iii) suppliers.
The GDPR has specific requirements for sensitive information and other special categories of personal data such as genetic data and biometric data where processed to uniquely identify an individual. There are also additional requirements when dealing with personal data of children.
The Rights of Individuals
The GDPR provides individual data subjects with the following rights:
access (i.e. to their personal data and details of how it is being processed);
rectification (e.g. to have their information updated if it is incorrect);
erasure (i.e. the right to be forgotten / request deletion where there is no compelling reason for its continued processing);
to restrict processing (i.e. the right to block the processing of data in certain circumstances);
data portability (i.e. the right to move their data from one IT system or supplier to another);
to object (i.e. to certain activities such as direct marketing, including profiling); and
rights in relation to automated decision making and profiling (e.g. to object to decisions being made without human intervention).
The main requirements / principles are set out in Article 5 of the GDPR which states that all personal data must be:
processed lawfully, fairly and in a transparent manner in relation to individuals;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability and Governance
Further, Article 5(2) of the GDPR requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”. This is a significant development in that it requires companies to show how they comply with the principles, e.g. by way of:
implementing appropriate technical and organisational measures that ensure and demonstrate compliance. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies;
maintaining relevant documentation on processing activities;
where appropriate, appointing a data protection officer (mandatory for companies carrying out large scale systematic monitoring of individuals or large scale processing of special categories of data);
implementing measures that meet the principles of ‘data protection by design and data protection by default’; and
using data protection impact assessments where appropriate.
The above are just some of the key provisions but other notable obligations include:
the requirement to notify both the supervisory authorities (if likely to result in a risk to the rights and freedoms of individuals) and the individuals (if likely to result in a high risk to the rights and freedoms of individuals) in the event of a data breach;
detailed requirements on the obtaining of consent; and
certain restrictions on the transfer of data.
The exemptions to the GDPR are fairly narrow and only cover processing falling under the EU Law Enforcement Directive (EU 2016/680), processing for national security purposes and processing by individuals purely for personal/household activities (e.g. personal address books, social networking etc.).
Companies without entities in the EU could try to limit the applicability of the GDPR to their business by practical measures such as (i) not monitoring the behaviour of EU citizens, (ii) not accepting payment in any European currencies, (iii) restricting access to their websites from the EU, (iv) not specifically targeting EU based individuals, (v) not translating their website into European languages etc.
The penalties are harsh – up to 4 per cent of global turnover or €20m (approx. AED87m), whichever is greater. It will however be interesting to see how effective the EU regulator will be at enforcing such fines over a company based in the Middle East with no entities or assets located within the EU. One way they appear to be approaching this is by requiring non-EU entities which fall within the GDPR’s remit to appoint a representative within the EU. Such a representative may then be subject to such enforcement proceedings and may subsequently look to recover any such fines from the non-EU entity.
For companies subject to the GDPR, we would recommend the following:
reviewing current privacy and data protection policies and procedures to assess whether they meet the new requirements such as dealing with requests from individuals, data breaches etc.;
reviewing and updating standard wording such as data protection clauses in contracts with third parties and consent wording;
an audit of the IT systems to assess if they are sufficiently robust against attack, and updating such systems where necessary;
an audit of the use of personal data (including any transfers) to ensure they align with the law and the privacy policies, consent notices etc.;
considering whether a data protection officer is required;
reviewing current insurance coverage in light of the more onerous requirements;
building ‘privacy by design’ into all new IT systems;
training the management team and staff on the new data protection obligations; and
instructing a law firm with extensive experience in both EU data protection law and local privacy laws.