Privacy Talk with Sayid Madar, Head at ADGM Office of the Data Protection Commissioner: What is the difference GDPR and ADGM data protection?
“This interview recorded on 7th June 2022 is talking about data protection
and new technology”
Kohei is having great time discussing data protection and new technology with Sayid Madar.
This interview outline:
- How did you enhance privacy awareness in ADGM?
- What is the difference GDPR and ADGM data protection?
- What is the way to apply common law approach in ADGM?
- How did you enhance privacy awareness in ADGM?
Sayid: Thank you. That’s a good question. So the commercial Commissioner of data protection really has a several statutory obligation to as part of his responsibility office, raising awareness is one of them.
And it actually forms a key one, under our regulations, the commissioner must promote public awareness and understanding of the risks, the rules and the safeguards when it comes to the rights of individuals when it comes to the processing and use of their data.
But also, you know, we have an obligation to also promote awareness to controllers and processors, telling them about the obligations under the law.
So, because we have a statutory function and we can enforce the law, we need to be able to give organizations relevant information awareness on what our position is as regulators.
And you know, provide them with the frameworks that they can use personal data, in accordance with the law, in accorndance with the ethical standards ensuring that they respect the rights and freedoms of individuals.
I would also highlight that you know, when the law was enacted in February 2021 (14 February 2021), there was a two phase implementation period in our law. So we had the first phase which was six months for brand new entities. Entities that were established on or after the 14th of February 2021.
It had six months to implement that. And for existing entities, so those entities that were here on the island before the 14th of February 2021, there was a 12 month period so that they can update their frameworks.
And through that period, we were active, emphasizing, compliance and awareness in particular, we did a lot of outreach work where we did webinars we did quite a few webinars and some conferences.
We did some presentations with industry bodies, but we also need to see from our website, we issued quite a lot of guidance for companies, especially when it comes to leaflets, brochures, if you come to our offices, there’s many brochures outside of office.
So, we placed a heavy emphasis on, you know, raising awareness, letting the companies know, this is our position when it comes to the collection and use of personal data. And this is, our position when it comes to what we expect from you as companies once they’re using people’s data as well.
Kohei: Thank you. Yeah, the awareness is very important in our country, as well because a lot of companies are not figuring out what is data protection and privacy. So we should promote the concept and the principle to take an initiative to lead the prediction activity.
That is a very significant and important role that you are taking at this moment. So the next question is also my curiosities.
Probably you have experienced data protection the other country and other jurisdictions. So I want to ask you about the difference of the Data Protection Regulation, in compared to the GDPR the ADGM. So is there any difference in each different regulation?
- What is the difference GDPR and ADGM data protection?
Sayid: Sure. Let me just share my screen. It’s probably better for me to just show you as well. So I think it’s better for the audience as well. So once we enacted the data protection law, we did a benchmarking.
So we understand that globally, there are approximately around 140 jurisdictions with some form of data protection, privacy law.
When we did our benchmarking for what law should we look at? We looked across these laws, and we looked at which regulations had a robust regulatory framework. And the key thing is for businesses here at ADGM, but ADGM is a jurisdiction that wants to have consistency.
What is the global high standard? What do you think what can we take from the best piece of legislation globally, and apply to our jurisdiction to at least give businesses that consistency, so we looked at these laws. The GDPR played a key part of our assessment when we looked into that, in particular, as well, because we are a common law jurisdiction here on the island.
We looked at the UK application of the GDPR which is the UK GDPR. Because what as a Common Law jurisdiction, our courts look England and Wales and other jurisdictions like that when it comes to interpreting the law.
And but also, we looked at the Council of Europe’s Cconvention 108 which is the only international treaty that governs the processing of personal data, and here at the Office of Data Protection now we are an observer to Convention 108+plus and they really set the standard when it comes to data protection privacy laws.
In terms of your questions are the key differences between us, what you’ll find is actually there’s a lot of similarities. When do you look at for example, the scope of the use of personal data, the scope of it, also GDPR looks at you like EU personal data.
We also take a similar approach and we’re looking at personal data that is collected and using the context of the activities of establishment here in ADGM. So whilst we there’s many similarities there, we apply the law consistently to that, applies to any controller established on the island.
That is processing personal data, irrespective of where the process is undertaken, if it’s in the context of the activities of the establishment here it applies.
In terms of the principles, you know, there’s a lot of consistency as well that this particularly you know, we set out the seven principles process and personal data, which includes, you know, the accountability principle that are similar in our law.
We have the same principles you know, about fairness, lawfulness, necessity proportionality around, using excessive data, the security the principle for retention, not keeping data longer than necessary. These are all consistent individuals rights as well as consistent we have the same rights when it comes to access objection to the processing of personal data.
When it comes to rectification, when it comes to portability to be able to take your data with you that so there’s still consistency in any of these areas. When it comes individual right request.
There is a slight difference where it looks at when we look at is two months with a possibility of extension for an additional month when you use one month with a possibility some circumstances to addition by another two months, but in total three months. It’s consistent.
We have a similar obligation when it comes to appointing a Data Protection Officer, at least to provide the authority it doesn’t really apply here because we are the authority responsible for ADGM as a jurisdiction.
But you know, we also do know we have you know, independent supervisory authority, which is the office of data protection and the Commissioner. Things such as, data protection impact assessments.
These are all within our laws well as you know, it’s consistent with the GDPR, breach notification, the timescales are all consistent. 72 hours is to align to the GDPR standard, data transfers, chapter five, which is also chapter five in our legislation, it’s consistent allows, you know, the transfer of data when it comes to adequacy, contractual clauses, other mechanisms to send the data we can rely on a derogation this is all consistent.
I think one of the key differences really is the enforcement powers. I mean, everyone’s heard of the 20 million euros 4% of global turnover fines. Here and actually ADGM is capped at 28 million US dollars. But that still makes us the highest finding regime and regulator’s office in the Middle East.
We have the fining ability to fine up to 20 million which makes us , one of the we have the biggest stick I’d say in the region when it comes to the force of that.
Kohei: Thank you. Yeah, that’s very interesting. And also that you have posted on Linkedin about the introduction of ADGM. On your post, you mentioned that ADGM courts direct applies to common law of England and Wales. I’m a beginner of this region. So could you tell us of this means, what did you want to mention about it?
- What is the way to apply common law approach in ADGM?
Sayid: Sure. So the court system here and ADGM is benchmarked to common law, right? So we have here and ADGM, we have the judge and here all set up in accordance with common law practices. So in the ADGM courts we have what’s known as the application of the English law regulations 2015.
And what that law did here in ADGM is applied English common law as stands from time to time it applies here in ADGM. So that means that the judges here and ADGM will consider judgments in UK English common law when making a decision.
So there are also 47 other laws of England and Wales that are directly applicable here that they’ve just been applied here. So what that does is it creates this level of consistency within ADGM, when working with other jurisdictions like Singapore, Hong Kong, UK, and other common law jurisdictions.
So when we say you know that the laws are directly applicable, that’s what makes ADGM, I guess unique in terms of that it’s not a consolidated use of the law. It will the judges and decisions here are closely aligned with UK common law practices.
So what that means for data protection and privacy if there is an issue that has been decided upon in other common law jurisdictions that the courts here will take that into account and you know, we’ll use that to then find what the meaning of the law truly means in these jurisdictions and apply that here.
So that gives businesses consistency here, but it also gives individuals consistency when they are, you know, applying their rights here in Abu Dhabi, in ADGM.
At the same standards will be applied here as it would be in many jurisdictions that have high data protection laws, practices and standards.
Kohei: Thank you for your explanations. That is very helpful for the beginners to your original regions, that is very helpful to understand of that. So the next question is about the new technology field.
I think Abu Dhabi is one of the great position to invite new technology all over the world. So in a data protection field, there is in discussions on how they can apply this new legislation into the new tech space, such as the blockchain, Metaverse, there is a bunch of new technology is coming right now.
So in Abu Dhabi, so how do you work for the new technology and data protection at this moment?
Thank you for reading and please contact me if you want to join interview together.
Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!
