DATA PRIVACY AND PROTECTION NEWSLETTER JULY 2019 – PART II
With a growing online footprint, one is at a higher risk of privacy breach than ever before and therefore, regulatory implementation around the world is ongoing, progressing rapidly with Legislators and Regulators focusing on transforming the legal framework to include policies that support innovation, but which, simultaneously protects individuals and entities from risks associated with data and privacy breaches. Part I of KARM’s newsletter in June 2019 focused on the importance of data protection and the classification of data, along with an introduction to specific legislation within the United Arab Emirates (“UAE”) mainland and Free Zone areas.
This month, we elaborate further thereon with keen focus on sector specific governing legislation and further, the efforts by the policymakers to design adequate data-protection practices for the UAE, notwithstanding individual efforts of persons and entities alike to counter modern day threats within this landscape.
SECTOR SPECIFIC LEGISLATION:
Released earlier this year, Federal Law No. 2 of 2019 on Using IT and Telecommunications in the Healthcare Sector (the “Law”) sets out the minimum requirements for securing health data of individuals in the UAE and introduces concepts that are on par with international best practices concerning information technology and privacy laws. This law applies in respect of all services relating to healthcare, healthcare information technology, health insurance or health related services (whereby entities offer / provide services directly or indirectly relating to the healthcare sector or engage in activities involving the handling of electronic health data) whereby such entities collect, process and transfer a data subject’s health information (which is personal and sensitive personal data) including a patient name, consultation details, patient diagnosis, patient treatment, specific patient identifiers – i.e. an alpha-numerical code, common procedural technology codes, medical scan images and laboratory results. Any such entity, whether onshore or in a Free Zone area, falls within the operation of this Law.
Violators are cautioned that the Health Data Protection Law imposes cumbersome sanctions for non-compliance with this law (i.e. data breaches) may impose various sanctions upon violators, including then issuance of warnings, the cancellation of the entity’s permit to use the data management system and/or fines of up to 1 000 000 (1M) AED.
The Health Data Protection Law mirrors familiar data protection concepts, such as the requirement of purpose limitation, accuracy, security measures (to protect health data, to prevent its unauthorized processing, damage, alteration, deletion or amendment) and prior patient consent for disclosure of data. The Health Data Protection Law also provides for the establishment of a new centralised data management system (see: Malaffi below, which is one form of such envisioned system, operating in Abu Dhabi only) which will be operated by the UAE Ministry of Health in order to facilitate the access, storage and exchange of a patient’s health data. Healthcare Service Providers (or Healthcare-related service providers) are required to register with the UAE Ministry of Health in order to access the centralised data management system (ensuring proper security, control etc.) and too are required identify all members of their personnel who are authorised to access the data base, subject to the Ministry’s approval.
Malaffi (which translated to Arabic means: “my file”) serves as a unified health data and information exchange platform that facilitates a more patient-centric approach to healthcare provision, through the introductions of the exchange of patient medical information, in a controlled, regulated and secure manner. Malaffi assists healthcare facilities, healthcare professionals and governmental authorities across the Emirate of Abu Dhabi to access and share patient medical information (sensitive personal data) with the aim to “to deliver better healthcare quality and enhance patient safety and overall health outcomes”. Malaffi provides a digitized system with instant access to crucial patient medical information, aimed to enhance the transition of care and care coordination by medical facilities and practitioners alike, also in reducing overutilization and the duplication of (unnecessary) tests, radiology examinations and other diagnostic procedures, thereby enabling the practice of “precision medicine”. The Malaffi centralized database allows access to real-time public health information, “making syndromic surveillance and management of chronic diseases possible by identifying potential spread of disease, helping prevent epidemics and enabling the government to create medical response action plans to ensure public health and safety.” Malaffi, aims to reduce disease progression, promote improved health outcomes and, ultimately, prolong patient life, by implementing the use of AI and machine learning technology. Malaffi has, to date, onboarded entities including MediClinic Middle East, NMC Health Care, the Abu Dhabi Health Services Company SEHA (Public health provider), the Cleveland Clinic - Abu Dhabi, the Imperial College London Diabetes Centre, Healthpoint, the United Eastern Medical Services group and the Oasis Hospital (Al Ain). Malaffi is presently only operational within the Emirate of Abu Dhabi.
Federal Law No. 3 of 2003 regulates the Telecommunications Sector of the UAE. This law relates to the regulated activities of: the operation of a Public Telecommunications Network or the supply of Telecommunications Services to subscribers, as well as all other types of activities specified by the Tele-communications Regulatory Authority (‘TRA’) Board (the ‘Board’). The TRA is a Govern-mental entity with its primary focus on regulating this sector, with the aim to enable government entities in the field of smart transformation.
Under Federal Law by Decree Number 3 of 2003, telecommunication services include: transmitting, broadcasting, switching or receiving by means of a Telecommunications Network of any of the following: wired/wireless telecommunications; voice, music and other sounds; visual images; signals used in radio and TV broadcasting; signals used to operate or control any machinery or apparatus; the installation, maintenance, adjustment, repair, replacement, moving or removal of apparatus which is, or will be connected to a Public Telecommunications Network; the construction maintenance and operation of networks for telegraph, telephone, telex, leased circuits, domestic and international data networks, Internet and Wireless Transmission; and any other Telecommunications Services approved by the Board.
Specifically related to data: The law provides that the data collected through telecommunication service shall be protected. The Consumer Protection Regulations of 2017 further provide certain rules to adhere to prohibit Licensees from using Subscriber Information for any purpose, other than interconnection. In particular, it states that data may not be used for any marketing purposes or anticompetitive practices; and that Licensees shall not require Subscribers to provide any personal information related to any other person that is not essential in relation to their service offering / subscription.
Penalties for infringements of this law could result in imprisonment and/or fines of up to AED 1,000,000.
INTERNET OF THINGS - IOT
In addition to the Federal Law No. 3 of 2003, the TRA added another framework within the telecommunications sector that embodies the crucial principles of data protection. The IoT Regulatory Policy (the “Policy”) dated 22 March 2018 and IoT Regulatory Procedures (the “Procedures”) dated 6 March 2019 establish a mandatory registration process for "IoT Service Providers" within the UAE. The Policy defines an IoT Service Provider as "any Person that provides loT Service to users”. For the purposes of the Policy and the Procedures, “Users” include individuals, businesses and the Government of the UAE. Through this framework, the TRA seeks to achieve the following objectives throughout the UAE: ensuring protection of consumer data; meeting all reasonable demands for IoT Service; supporting ongoing innovation; managing scarce resources efficiently; protecting the rights and interests of user of IoT, and providing clarity for IoT market development.
Being perceived as a step closer to the data protection regime, the framework introduces several concepts that have been considered as the ‘spine’ for several overseas data protection regulations, i.e.: the definition of “Consent”, “Personal Data”, “Data Subject” “Data Processor”, “Data Controller” derive their essence from EU’s General Data Protection Regulation, including: 1. Purpose limitation, which provides that data shall be collected for specified, explicit and legitimate purposes only and shall not further be processed in a manner that is incompatible with those purposes; 2. Data minimization: which provides that data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it was processed; 3. Storage limitation: which provides that data shall be kept in a form that permits identification of data Subjects for no longer than is necessary for the purposes for which the data is processed.
The Regulation classifies the categories of data as ‘Open’, ‘Secret’, ‘Sensitive’ and ‘Confidential’ for individuals, businesses and the Government. While the rules relating to the storage of such data for the individuals and businesses allows for some flexibility, higher standards for protection are applicable when dealing with the secret, sensitive and confidential data for the Government, and which is mandatorily to be stored within the UAE.
The Procedures supporting the Policy set forth the formal process for registration for an IoT Service. The TRA has retained a wide discretion to accept or reject any request application and has made it obligatory for the applicant/licensee and IoT Service Providers to ensure sufficiency of compliance with the entire regulatory framework. Strong emphasis on the classification of consumer data, the methods of storing and processing such data and the territory for data storage indicates TRA’s commitment to value and protect consumer data and the intention impose enhanced accountability upon the licensees and IoT Service Providers in relation to handling of the consumer data. A violation of the Policy & Procedures may result in the temporary or permanent suspension of the offending services, and any such breach would contravene the Federal Law by Decree No 3 of 2003, imposing penalties for infringements of imprisonment and/or fines of up to AED 1,000,000.
Stored Value Digital Payments are regulated by the Central Bank of the UAE, with the said Regulations having been published in January 2017, aimed at a robust approach to digital payments across the UAE, and to facilitate such payments in a manner so as to ensure the safety, security thereof, in addition to maintaining the public’s trust in the UAE payment ecosystem.. Licenses for Digital payment services can be issued to four (4) categories of entities digital payments services, namely: retail; micropayment; government; and non-issuing entities.
The Regulations impose data protection and privacy obligations on Payment Service Providers (PSPs) which specifically requires, inter alia that, all transactional records and user data must be stored in the UAE only (and not in a financial free zone) and for a minimum retention period. The Regulations further provide that PSPs shall not disclose any personal consumer data to third parties [barring the UAE Central Bank or by means of an Order by a Court with Competent Jurisdiction, or to another regulatory Authority (so permissioned)].
PUBLICATIONS AND PUBLISHING SECTOR:
Section 79 of Federal Law Number 15 of 1980 provides that news, photographs, comments relating to the secrets of the private or family life of individuals may not be published.
Cybercrimes are offences that are committed against individuals or groups of individuals with the motive to intentionally harm the reputation of the victim, or to cause physical or mental harm, or loss, to the victim (directly or indirectly so), using modern telecommunication networks such as the Internet or mobile devices, i.e. social media, chat rooms, emails, notice boards and groups, mobile phones, being a non-exhaustive list. Cybercrime may threaten a person or a nation's security and financial health.
Article 2 of Federal Law Number 5 of 2012 was promulgated with the aim of combating cybercrimes within the UAE, including the criminalization of acts, such as the unauthorised access to a website, electronic information system, computer network or any information technology-related system. The law criminalises all kinds of misuse of social media, including the making of threats, impersonations, solicitations, insulting religions and/or religious rituals, slandering public officials, forging electronic official documents, sending or re-publishing pornographic materials, reproducing credit or debit card data, obtaining secret pin codes or passwords etc. – this again being a non-exhaustive list of offences. Further hereto, should any acts of cybercrimes result in the deletion, omission, destruction, disclosure, deterioration, alteration, copying, publication or re-publishing of any data or information, this shall be considered as an aggravating factor for imposition of a greater penalty, in relation to the offense.
The most severe penalties under this law concern the act(s) of running malicious software that may cause / intend to cause a network or Information Technology (IT) system to stop functioning, or which results in the crashing, deletion, omission, destruction and alteration of an IT programme, system, website, data or information. It is notable that penalties under this legislation include imprisonment (including that of a life sentence) and/or fines varying between 50,000 AED and 3 million AED, depending the severity and seriousness of the cybercrime(s).
DATA BREACHES AND CYBERCRIMES IN THE UAE
Newspaper headline reads: “Confidential data theft becoming a major threat - In one of the biggest exposures of data breaches, over 700 million email addresses and nearly 22 million passwords were reportedly compromised last month” written by Alkesh Sharma of The National Newspaper dated February 21, 2019.
In reiteration of an insert contained in Part one of the KARM Newsletter of June 2019, the TRA has launched the 2020 – 2025 UAE National Cyber Security Strategy in the hope to enable the prompt and strategically coordinated response to cyber incidents within the UAE.
Eng. Mohammad Al Zarooni, Director of the Policies and Programs Department at the TRA is quoted in saying: “Part of the strategy is that data privacy is crucial to the cyber (sic) and the UAE is regulating and drafting a data protection law. We will look at the best performing practices performed worldwide; GDPR will be one of the inputs to it. We want to make sure that whatever regulations are put, are easy to be implemented across different sectors”. Mr Al Zarooni, in cautioning against the threat of impacts of deficits in cyber security, data protection and data privacy strategies is quoted in saying that: “Large organisations are impacted by the GDPR but we observed, unlike in Europe where privacy has been a topic for a very long time, in the Middle East there is a lower understanding of how privacy impacts organisations”.
We, at KARM, have had the privilege of having consulted with Mr Marc Green, Senior Cyber Threat Intelligence Analyst (EMEA) on behalf of Anomali whom operate globally, and locally within the UAE (Anomali Solutions with offices in Dubai). He advises that: “Working day-to-day within the cyber threat intelligence (CTI) realm, CTI classically being defined here as the process and product of collecting, processing, analyzing, and the interpretation of acquired threat information (data), provides insight of the constant risk to organizations and individuals from the ever-evolving cyber threat actor. There is a vast array of attack types and vectors which can cause operational and financial damage and the high profile incidents often make the front pages in the media. Ask any Chief Information Security Officer (CISO), or Security Operations Center (SOC) or Incident Response (IR) folks what is currently causing the most concern and you will likely hear a spectrum of answers. However, one recurring answer is likely to be ransomware. Ransomware outbreaks are repeatedly observed, both targeted and opportunistic, across all verticals and regions by financially motivated cyber threat actors, and pose a significant threat to enterprise.”
Mr Green adds that: “This concern is no different in the Middle East, with cyber security peers and those within trusted communities also relaying their efforts to continually optimize security control detection and protection strategies to mitigate newly observed techniques. As a simplistic measure, the scale of the ransomware threat is evident as we look at active observable data (domains, IPs, hashes, URLs, etc.) from the last 90 days in the Anomali ThreatStream platform that shows ~460k indicators that have been marked with a “ransomware” tag from Anomali Threat Research and the wider Anomali Preferred Partner (APP) network.”
Advices offered by Mr Green: “There is established ransomware impact prevention guidance which should be considered by all:
In 2018, IBM & Michigan-based Ponemon Institute published study on data breach wherein they interviewed more than 2,200 IT, data protection and compliance professionals from 477 companies that have experienced a data breach in the said year. The study revealed that the average cost of data breaches in 2018 for the two biggest economies of Gulf – the UAE and Saudi Arabia – was $5.31m. The report further highlighted that the UAE and Saudi Arabia collectively spent $1.47m on post data breach response - the second-highest after the US that spent $1.76m.
It is reported that the average cost globally of identifying and stopping a data breach is $2.1 million (Dh7.7m), compared to $3.5m in the Gulf Cooperation Council (GCC) region, according to US researcher Gartner. It is notable that more than 300 cyber attacks were reported in 2017 in the GCC region with a minimum of half a dozen resulting in data breaches.
“Compared to the global trend where personal data and payment details are the common targets of cyber attackers (66.5 percent and 18.2 percent, respectively), the majority of data breaches in the wider Middle East and North Africa (MENA) region involve trade secrets and ‘know-hows’ (38.6 percent), personal data (29.6 percent) and state secrets (25 percent), according to another study by information security group InfoWatch.”
PUBLICISED DATA BREACHES IN GLOBAL JURISDICTIONS
Herewith brief examples of recent data breaches during 2018 and 2019, affecting global jurisdictions:
Education, collaboration, communication and implementation of necessary protective measures are essential for effective protection to ensure effective cyber resilience against any threat against data security and privacy.
KARM Legal Consultants are advocates for the education of persons and entities in all areas of our Practice specialization and in so doing, are proud of the development of our dedicated Data Protection Department, with broad application across the spectrum of the service offerings of our Practice. We strive to continue our efforts in the education of persons and entities in so far as Data Protection and Privacy is concerned, in addition to our professional advisory services for mandated output, both from a Technical and a Regulatory perspective, together with necessary collaboration and outsourced resources , as per the requirements of our clientele, with various associated entities.
To stay updated,
subscribe to our newsletter