Privacy Talk with Sayid Madar, Head at ADGM Office of the Data Protection Commissioner: What is the ADGM uniqueness to invite tech company?

Kohei Kurihara
Published in Privacy Talk
11 min read · Jul 18, 2022

“This interview recorded on 7th June 2022 is talking about data protection and new technology”

Kohei is having a great time discussing data protection and new technology with Sayid Madar.

This interview outline:

  • What is the ADGM uniqueness to invite tech company?
  • How does ADGM require the registries to protect data?
  • How does the tech company mitigate privacy risk?
  • What is the ADGM money-laundering solution?
  • Message to listeners

  • What is the ADGM uniqueness to invite tech company?

Sayid: I think it is a really good question because I’m in ADGM, I think we’re in a unique position that about 30% of ADGM companies and operating entities here are tech companies.

So we make up a large amount of companies here that are focused solely on tech, fintech, regtech and those sectors, and ADGM is a jurisdiction.

I think it’s the first in the world to actually introduce a comprehensive and bespoke regulatory framework for virtual assets, activities, you know, such as in a multilateral trading, brokers, custodians, asset managers.

We have a law that regulates that we have a comprehensive law that governs those areas. So but in terms of our office, and our office’s role in rolling this as the Office of Data Protection, our mandate is to administer the data protection regulations.

So we have an interest where there is where there was processing of personal data or there could be impact, to the rights of individuals.

We recognize that you know, blockchain technology has many benefits. Many sectors, especially in finance, you know, we’ve seen some innovative ways that companies here in ADGM want to use blockchain to make, you know, finance, easier, streamlined, probably more efficient, more transparent, right.

The same in healthcare, where with the use of data, you know, especially diagnostics, there will use, you know, these technologies to helping that field, but of course, transparency plays a key role in that.

And, you know, from our position, we will always focus on making sure that companies are aware that they have these obligations to individuals.

Individuals are not surprised by the use of their data if data is used, and you advise them in ways that they can use you know, enhance the and use these technologies and in a non invasive way, so.

  • How does ADGM require the registries to protect data?

For example, delete his personal data, could you not use, you know, synthetic data or data that might not necessarily, you know, identify a person, you can identify and remove the identifiers from that.

So, these are many areas but in terms of the Metaverse you know, I’ve seen especially as I have younger siblings as well.

The direction of traveling this and you know, I can’t help to look at you know, things like Pokemon Go, Minecraft, World of Warcraft and these immersive games that really requires you to put a lot of your time, effort, resources, but also your information into these tools.

And I think, where the complexity will come into that is where you have one company that’s a large gaming company and it is easy to find with a controller that information is right.

But then once you start creating this Metaverse of multiple companies, hundreds, thousands of companies that are all working within this space.

Who becomes the controller who becomes a processor, these are issues that we’d have to I guess look more deep into it across the board, not just here at ADGM, but regulators globally.

You know, we need to find convergence on this because even where the data, where is the metaverse would be really important question in terms of when you’re trying to find who has jurisdiction over this so, but you know, we always go back to safeguarding of rights of individuals and individuals and making companies be aware that individuals are at the forefront of data protection law.

The reason we have these laws is about embedding the rights, making sure individuals are aware of how their data is used and giving them certain control over that information.

  • How does the tech company mitigate privacy risk?

But when, I guess from a technology point of view and how we can support the sector and support these firms, the law has many aspects where we can cooperate a good.

So, so in any case, when it comes to data protection impact assessments, this is an area where we can cooperate.

So this gives us an opportunity actually, where if the activity in this tech sector can result in a higher risk to individuals, we can get involved in and consult with them because in many law, especially the GDPR and our laws as well, if there is a high risk individuals, you have to do data protection impact assessment.

If the data protection impact assessment has risks that you cannot mitigate, then you have to notify us and then we would actually work with you to try and address these gaps and mitigate these risks.

Also you know, we will always look at you know, doing privacy by design, because this is an important aspect of data protection law.

If you want to ensure that you have got it right from the beginning, you should be thinking about embedding the principles around the collection of use purpose limitations within the initial beginning of the project.

And then all the way up to implementation you should be considering individual rights, you should be considering security of that information, you know, you need to ensure that there’s appropriate technical organizational measures in place to ensure that, you know, what does that mean in practice?

Could that mean end to end encryption for transactions? Does that mean two factor authentication, mitigating identity theft?

How would you do that in places like Metaverse, Blockchain using use of blockchain technologies, reducing harm to individuals.

How would you put away controls around it where they’re making staff aware of, you know, their policies of the organization, the procedures, how they can use data, how they shouldn’t use data, you know, misinformation, which is a key area, I think too many organizations, but also many governments, you know, that the use of collection of use of this information can be used to have an adverse effect not just individual people, but actually communities.

You can result in ostracizing or in many cases in I don’t want to name areas, but there was, there’s been in many sensitive parts of the world this could result in, in you know, attacks on people as a result of the information.

So, we would always work with organizations when it comes to mitigating the risks, but you know, the laws that gives us power so we will not be you know, be deterred to enforce and, and we will use the stick where it’s less than proportionate. Sorry, you’re muted.

Kohei: In terms of new tech fields, I assume that there is needed collaboration, not just a single jurisdiction to work for the tech space regulations.

So do you think there are many rooms to collaborate in other jurisdictions in between Abu Dhabi?

For example, like the crypto or finance space, there are some issues related to money laundering or other legal checks that are very significant for the against criminal actions.

So probably we have a many controversial especially for the data protections to investigate the personnel tracking of the financial transaction that is going against the money laundering issue?

So do you think it’s any collaboration I expect into the other jurisdiction right now?

  • What is the ADGM money-laundering solution?

Sayid: That’s a really good question. And it was a really good point, actually. So as an international financial center, we’re part of many other jurisdictions, many treaties and many obligations at the jurisdiction level also at the country level.

When it comes to as the office of data protection and the regulator for data protection on the island. You know, we do work with, we’re a member of what’s the Global Privacy Assembly.

That’s the assembly consisting of all the commissioners, globally, I think there’s about 100 members or up to 100 members, I believe globally, privacy commissioners.

Where we know, we look at issues such as how to share data when it comes to different areas. We’re part of what’s known as the International Enforcement Cooperation Working Group where data doesn’t necessarily have to be personal data that we can share information related to that the breaches of the law but also cooperating with other regulatory authorities.

So through our partnerships, I think many international forums, international groups will utilize our ability and also it’s important to highlight that under our law and regulations, we’re encouraged to work with others.

In particular, to show the rights and freedoms of individual are respected, irrespective of their jurisdiction, we have to if a data subject here is impacted, and we investigated a company where they may have a group company somewhere else in the world, it could be in Japan, it could be in the US to be we have to also be able to reach out to other authorities in these jurisdictions and cooperate.

But you touched on a good point around when it comes to anti-money laundering and counterterrorism financing, right. This is a big area for ADGM as a jurisdiction as a financial center and we have a Financial Intelligence Unit, FIU here.

We have there are many occasions that they are able to work together share information, and I’m the key thing to emphasize at least from a regulatory perspective is that data protection laws should not be acting as a barrier, right?

That they should be facilitating the flows of data, all it requires is to ensure that you consider individual rights, when it comes to the rights of individuals.

If there is an issue or let’s say a crime that has been committed globally, the data protection law cannot be used as an excuse to withhold that information.

Because there would be a legal obligation to an authority or company that they might have to provide that information because the privacy, even though it’s a key principle and key human right, it’s not an absolute right.

There are circumstances where your privacy can be infringed purely. When it comes to, for example, the defence of a, when it comes to defence of a legal claims, when it comes to criminal activity investigations, prosecutions, the use of the data in court processes, but also you know to ensure the rights and freedoms of third people they could be other people impacted by the processing of personal data and they have a right to as much as you have a right to as a person.

So yes, cooperation is a key part of our office. We will always be part of you know, these international bodies where we facilitate the sharing of data, in particular making sure that individual rights are safeguarded.

Kohei: Absolutely, there are so many opportunities to work and collaborations to make it safe for the financial ecosystem to advance the finance of the business field, as well as the other tech business that the tech environment should be regulated for the safety reasons.

We can go something to collaborate to enhance the fundamental rights and as well as to sharing the great experience, great method to prove this more focusing on customer safety, the customer experience.

So that is, the opportunity is a commitment for us. Thank you for your idea. So lastly, could you give us any message? You have many, many experiences so far in the data protection field, as well as you are in charge of a very significant role to lead your jurisdiction. So could you give us any message for listeners?

  • Message to listeners

Sayid: Yeah, sure. I mean, that’s a really hard question for me, because, you know, but I think what I’d tell your listeners is, you know, data protection, privacy.

It’s an exciting area, it’s ever changing, and it’s always evolving, the risks and challenges that I was managing, I guess, 10 years ago, are different today’s risks for you.

When it comes to, you know, the rights and freedoms of individuals, right? The new novel technologies and innovations will continue to play a key role in our lives. I mean, I remember as a child being I did not have access to the level of information and technological advances that younger children have nowadays.

When it comes to photos, the use of devices, so through that there will always be considerations or risks when it comes to privacy, children’s privacy, right. That’s an important area, not just in the region, but globally.

How children’s data is used, I think, UK especially the ICO, they’ve launched the children’s code, for example, to address that, when it comes to using and targeting children.

And so, I think what I would highlight to you and to the listeners here is you know, if you are starting out in the field, whether you’re new in the field or whether you really want to excel in this field, just always have this curiosity, always try to learn more, try and understand and it’s an area where you can be in the field for decades and you’ll still be learning because it’s such a fast moving environment for fast moving pace.

So in my role as regulators, you know, we will always work with companies and I want you to give you that reassurance that as regulators, we’re here to work with you, if we know what the risks and you’re able to bounce these ideas off us we will work with you to try and mitigate those risks.

Because it’s in our interest to try and find solutions or address and give you options that other companies can then, rely on and then later on, create this ecosystem where privacy rights are considered, through the beginning to the end, and that’s why privacy by design is a key part of our role, but most data protection laws GDPR, etc.

But we will always be pragmatic in how we interpret the law. We work collaboratively and I think my view to you is feel free to reach out to your regulator.

If you have any queries because it’s better for you to reach out to us at the start then later on where there is a breach and then we’ll conduct an investigation because at that point, then obviously we would be looking at your processes procedures, how you came to this decision, your rationale around it.

But if you were able to consult us and work with us, then that would be a favourable not just to us and yourselves but also to individuals.

Kohei: Thank you for great message. So we’re gonna work on this field because it’s very new, but it’s pretty advanced, in accordance with tech evolves. So we should collaborate it to work for the future of the problem, data protection.

So, Sayid, thank you for having a great time with you. It’s our very honor to have a conversation at this moment.

Sayid: Thank you, Kohei-san. And thank you for thank you listeners and thank you everyone for joining.

Kohei: Thank you.

Thank you for reading and please contact me if you want to join interview together.

Privacy Talk is the global community with diversified expert, and contact me below LinkedIn if we can work together!
