Developing Data Privacy Legislation in the UAE
The UAE data protection landscape has seen several developments over the last 12–18 months which are set to continue.
Regarding the onshore legal framework, although there is no comprehensive data protection law in place, we understand that a draft law is currently being reviewed and considered. In 2019, a small step was achieved with the passing of Federal Law No 2 of 2019 to regulate data in the healthcare sector. It is also worth noting that there has been an increased focus on consumer protection issues at federal level. Accordingly, in June 2020, the Federal National Council approved a draft federal law on consumer protection with the aim of ensuring increased consumer protection and data security. Federal Law No 15 of 2020 (Consumer Protection Law) came into effect shortly thereafter.
Regarding the UAE offshore legal framework (ie, free zones), the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) have taken major steps to align with global data protection standards and best practices, in particular the EU General Data Protection Regulation (GDPR).
The very recently enacted ADGM Data Protection Regulations 2021 (ADGM Regulations) repealed the ADGM Data Protection Regulations 2015 and set out a more robust and substantive legal framework for the protection of personal data. For example, the ADGM Regulations established a new Office of Data Protection headed by a Commissioner of Data Protection to oversee compliance with the ADGM Regulations. In addition, those entities which control or process personal data (as defined in the ADGM Regulations), and which contravene the provisions of the ADGM Regulations, may be subject to administrative fines of up to USD28 million. This is a significant increase from the previous maximum administrative fine of USD25,000 under the 2015 regulations.
The DIFC also recently took some significant steps to align with GDPR standards by introducing the new Data Protection DIFC Law No 5 of 2020 (DIFC DP Law), which consolidates and replaces previous data protection laws in the DIFC and brings the regime closer in line with global data protection standards. Significant fines have also been introduced as well as new obligations on data processors and controllers to notify authorities in the event of a breach.
Increased Regulatory Scrutiny and Emphasis on Guidance, Co-operation and Collaboration
In addition to legislation in the UAE being developed towards more stringent, global standards, certain UAE regulators have decided to focus specifically on cyber-risks in the last year, and have adopted an approach based on guidance and collaboration with their regulated entities.
In June 2020, the Dubai Financial Services Authority (DFSA) published a thematic review report on cyber-risks (DFSA Thematic Report) as part of its ongoing objective of identifying the maturity and resilience levels of the cybersecurity programmes of firms operating in the DIFC. Its review included an assessment of cyber-risk governance frameworks, cyber-hygiene practice and incident preparedness. The DFSA Thematic Report revealed that a significant number of firms had either (i) not implemented a comprehensive cyber-risk management framework, or (ii) performed only a limited cyber-risk assessment of their practices. The DFSA went on to set out a note of its expectations and best practice examples of cyber-risk management.
Further to the thematic review, the DFSA launched a Cyber Threat Intelligence Platform (CTIP), which aims to facilitate the development of a community of information sharing amongst financial services firms. As cyber-attacks increase in frequency and sophistication, the DFSA’s aim by launching the CTIP is to shift organisations from a reactive approach to a more proactive, information-sharing and awareness-building approach.
The ADGM has also published guidance and online tools to assist ADGM-registered entities and encourage them to comply with the ADGM Regulations. Such guidance includes the ADGM’s comprehensive Data Protection Guidance Note, which sets out the key principles in processing personal data. Other resources also include a Data Protection Self-Assessment Questionnaire, which allows registered entities to evaluate the ways in which their organisation currently complies with the ADGM Regulations and those areas where the entities should pay attention and improve.
We expect to see the UAE regulators continuing to emphasise the need for collaboration and information sharing amongst organisations. We expect to see continued guidance on best practices by UAE regulators, especially the DFSA and the ADGM. However, should organisations fail to heed regulatory guidance, we expect stringent and punitive action to be taken against regulated firms for breaches in the coming years.
Acceleration in Digitisation and Remote Working
The UAE has, over the last few years, strategically positioned itself to become a leading nation in digital competitiveness in the way it adopts digital technologies in government, business and the country as a whole.
Being at the forefront of global digital innovation is a key aim of the Dubai government’s initiatives, one of which is Smart Dubai 2021. The Smart Dubai 2021 initiative consists of multiple campaigns such as the “Paperless strategy”, the “Dubai Smart City Initiative” and the “Dubai Blockchain strategy”. In summary, the Dubai government aims to conduct services through digital means, via an app, and to digitally transform the way in which the Emirate of Dubai is managed and how it interacts with its population, for example, through the use of digital transformation and disruptive technologies.
There is a parallel shift towards ensuring this vision has the proper framework in which to operate. In addition to the legislation and regulatory trends discussed above, increased digitisation and digital transformation have augmented the demand for cybersecurity products and services in the UAE. The cybersecurity market in the UAE has, in response, experienced strong growth and increased demand, and is expected to continue to do so, on account of the rapid development in the technology sector owing to advancement in big data storage, artificial intelligence and blockchain, to name only a few of the developing technologies.
The private sector has also had to take measures to digitally transform in the face of the COVID-19 pandemic, such as the need for businesses to increasingly operate remotely using technology. Telehealth medicine, for example, has gathered pace, as well as the use of video technology in professional services firms.
With the increase in digital technology use as a result of social distancing measures and work-from-home policies, businesses are facing even greater exposure to cyber-attacks and cyber-incidents in general. An example is increased vulnerability to ransomware, which has created an environment that is ripe for the picking for cyber-actors who have adapted their behaviour accordingly.
In April 2020, a national fraud awareness campaign was launched by the UAE Banks Federation, Central Bank, Abu Dhabi Police and Dubai Police to educate and protect residents from financial cybercrime and fraud, particularly in light of the increased use of digital banking services during the COVID-19 pandemic. According to a cyber-risk index published by NordVPN, the UAE is the third most attractive target for cybercriminals after Sweden and Iceland. The index concludes that developed countries are more vulnerable to cybercrime due to several factors, which include high per capita income and more time being spent online, especially since the outbreak of COVID-19.
The pandemic has put Chief Information Security Officers (CISOs) at the forefront of organisations’ attempts and ability to adapt to the changes forced upon them by the "new normal" working arrangements of 2021. While many thought remote working would be a temporary arrangement, this has now shifted to being the centre of long-term planning for UAE businesses. In navigating the new normal, businesses are embracing digital solutions to adapt. In tandem, this brings challenges to businesses and to cybersecurity providers around the visibility and effectiveness of the solutions presented to secure the IT environment.
The Changing Political Environment in the UAE
The UAE, like other Gulf countries, is a target of cyber-attacks by threat actors with political motivations. Cybersecurity experts in the region note that such threat actors have historically been nation state actors or political activist groups, usually focused on causing damage and destruction within the utility and critical infrastructure sectors.
There continues to be an upward global trend in state-sponsored actors using malicious software (malware) to collect confidential state-owned information and seeking to target critical infrastructure. Cybersecurity experts in the region note that cyber-actors are now targeting research centres as well as educational institutes, although oil and gas and government entities (especially foreign affairs and defence-related organisations) continue to be specific targets. Notably, SMEs and local government agencies are as vulnerable as larger organisations, due to the perception that they are likely to have fewer resources and less robust technical infrastructure in place to protect themselves from malicious threats.
There have been a number of geopolitical developments in recent months, specifically the normalisation of relations with regional neighbours. Such changes to the political environment should be noted by public and private sector organisations when assessing their exposure to cyber-attacks.
Continued Increase in Ransomware in the UAE
Ransomware continues to be a significant threat in the UAE, in line with global trends. According to some reports, a significant number of UAE businesses have experienced a significant ransomware attack in the last 12 months, which resulted in business interruption, recovery costs and the costs of hiring third-party experts to deal with the incident.
Ransomware threat actors that are attacking companies in the UAE are increasingly deploying pressure tactics where, in addition to encrypting data, they exfiltrate commercially sensitive or personal data from organisations, and can then extort ransom payments from their victims in exchange for decrypting the information and restoring victims’ access to their own systems and data. Even if a company can restore or reproduce encrypted data, it is the exfiltration of data that often acts as a pressure tactic for organisations to pay the ransom demand, given the risk of exfiltrated data being leaked or publicised. This is a trend that we see set to continue in the UAE.
We also predict that in line with global trends, cyber-threat actors will increasingly look at ransomware attacks in the UAE through the use of remote working software and cloud systems, which are now in operation due to COVID-19 working practices.
Changing Face of Fraud and Cyber-Attacks in Light of the Rise in Cryptocurrencies
Although cryptocurrencies are not a new phenomenon, their increased use and availability is of particular importance in the context, as ransom demands made in instances of cyber-extortion are usually denominated in cryptocurrencies – which can generally be used anonymously or pseudonymously and without meaningful regulatory oversight.
Steps are being taken to regulate cryptocurrencies. For example, the UAE’s Securities and Commodities Authority (SCA) published Decision No 21 of 2020 Concerning the Regulation of Crypto Assets (SCA Regulation) in an effort to regulate the crypto market; it sets out a licensing regime for those who wish to offer crypto assets within the UAE.
Although regulatory regimes for cryptocurrencies are developing in this region, we expect their use in cyber incidents will continue unaffected.
Rise in Demand for Cyber-Insurance in Light of the Above Trends
As UAE businesses consider the risk management processes that they have in place to mitigate and respond to cyber-risks, they are increasingly considering the benefits of cyber-insurance.
Historically, the uptake of cyber-insurance in the UAE has been low, with companies reluctant to spend company monies when the risks were considered low. In the wake of the COVID-19 pandemic, which saw an increase in cyber-attacks across all sectors, and the increased focus of legislators and regulators in the UAE on cyber-risk frameworks over the last 12–18 months, UAE businesses have become more interested in cyber-insurance products.
The cyber-insurance market in the UAE has seen growth in the number of insurers entering the space and development of the variety and type of covers being offered in this region. We expect an increased interest in cyber-insurance in the context of both distressed M&A transactions as well as traditional M&A transactions, because these transactions increasingly involve the acquisition and/or integration of technology assets.
As the cyber-insurance market develops in the UAE, including the increased addition of cyber coverage to traditional property and liability policies, we expect to see a rise in insurance litigation connected with cyber-incidents as previously untested policy wordings are put to the test.
4th Floor, Gate Precinct Building 3
Dubai International Financial Centre
+971 4 369 6393
Adjou.AitBenIdir@nortonrosefulbright.com
www.nortonrosefulbright.com/en-me/knowledge/publications/8200ecc9/middle-east-hub