Included in this edition of Data & Privacy News: UAE Federal Data Protection Law 2021, UK and US issue joint statement on deepening the data partnership, and more
UAE Federal Data Protection Law 2021
The UAE has enacted Federal Data Protection Law No. 45 of 2021 (DP Law) to regulate the processing of personal data in the UAE as part of its 50th anniversary this year. The DP Law was issued on 26 September 2021 and recently announced by the UAE's Cabinet Office in the UAE's official gazette.
The DP Law will take effect from 2 January 2022; however, the executive regulations, which will clarify various elements of the DP Law, are yet to be released. The Regulations are expected to be issued within six months of the date of the issuance of the DP Law (i.e. before the end of March 2022). Businesses will then have a grace period of six months from the date of the Regulations to bring their organisations into compliance with the DP Law, meaning enforcement is likely to commence from September 2022. The DP Law brings the UAE's federal data protection regime in line with modern global data protection and data privacy standards, including Europe's General Data Protection Regulation (GDPR).
This Addleshaw Goddard briefing examines who this law applies to; the scope of the regulations; who will be responsible for regulating compliance; and what businesses should do in order to comply.
ICO issues fine to Cabinet Office over New Year Honours List data breach
The Information Commissioner’s Office (ICO) has issued a Monetary Penalty Notice of £500,000 to the Cabinet Office for breaches of data protection law regarding the 2020 New Year Honours recipients. An investigation by the ICO found that the Cabinet Office failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information, resulting in the publishing of a file on GOV.UK on 27 December 2019 containing the names and un-redacted addresses of more than 1,000 people announced in the New Year Honours list.
The Cabinet Office removed the weblink to the file after being made aware of the breach; however, the file was still cached and accessible online to people who had the exact webpage address. In total the personal data was available online for over two hours and accessed 3,872 times, leading to complaints to the ICO from three individuals and complaints to the Cabinet Office from 27. The Cabinet Office has since instigated a number of operational and technical measures to improve the security of its systems, and an independent review focusing on data handling was completed in 2020.
Former Information Commissioner reflects on the impact of COVID-19 on information rights
The Information Commissioner’s Office (ICO) has published a report reflecting on the primary themes and emerging issues in information rights regulation that the ICO has focused on since the beginning of the UK Coronavirus pandemic in March 2020. The report is aimed at parliamentarians, policy-makers and stakeholders with an interest in service delivery through the pandemic and seeks to complement the evidence provided by former Information Commissioner Elizabeth Denham to Parliament during the pandemic on her office’s approach.
The report focuses on two primary issues that the ICO deems to be central to the successful delivery of digital and technological solutions:
- ensuring that data is able to be used in an innovative way whilst still providing protection to people; and
- ensuring that people trust the way their data is being used by the organisations responsible for developing these solutions.
European Council and Parliament reach deal on Data Governance Act
The European Council and the European Parliament have announced the provisional agreement of a Data Governance Act (DGA), designed to establish a set of mechanisms to facilitate the reuse of certain categories of protected public-sector data, increase trust in data intermediation services and foster data altruism across the EU.
The DGA will complement the 2019 Open Data Directive and enable exclusive arrangements for the reuse of public-sector data for the provision of a service of general interest. The provisional agreement has been submitted to the Council’s Permanent Representatives Committee for endorsement and, should it be approved, will apply 15 months after the entry into force of the regulation.
Advocate General delivers Opinion on Article 80(2) of EU GDPR
In Facebook Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (2 December 2021), Advocate General de la Tour provided his opinion that national legislation which allows consumer protection associations to bring legal proceedings against the person alleged to be responsible for an infringement of the protection of personal data is not precluded by Article 80(2) of the General Data Protection Regulation (GDPR).
The response stemmed from a referral for a preliminary ruling from Germany's Federal Court of Justice (Bundesgerichtshof). The referral asked the Advocate General to determine whether Article 80(2) precluded consumer protection associations from retaining, following the entry into force of that regulation, the standing to bring proceedings that national law confers on them in order to obtain injunctions against conduct that constitutes both an infringement of the rights conferred by that regulation and an infringement of the rules designed to protect consumer rights and to combat unfair commercial practices.
UK and US issue joint statement on deepening the data partnership
Nadine Dorries, the UK Secretary of State for Digital, Culture, Media & Sport, and Gina M. Raimondo, the US Commerce Secretary, have issued a joint statement on the UK and US governments' shared commitment to deepening the UK-US data partnership. The statement commits to the aim of realising "a more peaceful and prosperous future by promoting the trustworthy use and exchange of data across borders" as well as to "achieving a successful and enduring partnership, including on adequacy".