Businesses operating in the Dubai International Financial Centre (DIFC) should take immediate steps to understand their obligations around relying on consent to the processing of personal data, and if necessary take remedial action, to comply with a new data protection law that will shortly be enforced.
The DIFC Data Protection (DP) Law (DIFC Law No. 5 of 2020) came into force on 1 July this year, with organisations given a short grace period of three months until 1 October 2020 to ensure compliance with the new provisions.
The new DP Law is relevant to all organisations that process personal data. It raises particular points of action for employers and, alongside other new requirements on businesses, has further transformed the requirements around obtaining consent to process data in the DIFC, or by a DIFC-incorporated entity.
Consent management is the process of obtaining and managing consent from data subjects in order to collect and process their personal data.
In other words, consent management aims to give data subjects a degree of choice and control, including the ability to positively opt-in and the possibility to later withdraw their consent to such processing.
Consent management is critical as it gives data subjects a degree of control over their privacy, as well as an element of authority over what personal information is obtained, to whom it is distributed, and for what purposes it is processed.
Therefore, what constitutes valid consent under the DP Law and how to ensure compliance with the new requirements is a core issue for organisations in the DIFC to understand.
To lawfully process personal data under the DP Law, there needs to be an evident lawful basis for the processing. The DP Law identifies six lawful bases for processing personal data, listed in Article 10, which include where the processing is:
Where the processing of an individual's personal data relies on the consent of the data subject, data controllers must comply with, and be able to demonstrate that they meet, the requirements for 'valid consent' under Article 12 of the DP Law.
Article 12 of the DP Law sets out what constitutes valid consent. Consent must be:
If consent is to be 'valid', the data subject must have the option and a genuine choice not to provide it. If the data subject is seen to have been compelled to provide consent, or may suffer negative consequences if consent is not given, then it is unlikely the consent will meet the Article 12 requirements and it will therefore be viewed as invalid.
Consent will be considered valid and freely given where it is distinguishable from other terms, especially non-negotiable conditions. This may be seen as problematic in employment relationships, where there is an imbalance of power between the controller (the employer) and the data subject (the employee).
The data subject must actively, affirmatively and unambiguously indicate their consent to processing, for example by ticking a box, applying a signature, validating a link sent by email, confirming by a clear email or orally. Under the new DP Law, reliance on the data subject's silence, inactivity or presumption will not meet the necessary requirements for valid consent.
The burden of proof for establishing valid consent is on the data controller. As such, appropriate internal operational control measures may need to be implemented to ensure that consent is freely given and a clear affirmative act is documented, particularly where oral consent is obtained.
The data subject's consent to processing must relate to a specific purpose and be distinguishable from other purposes that personal data is to be processed for. For example, obtaining consent to process personal data for marketing purposes should not be bundled together with consent obtained with respect to processing for research purposes.
The data subject should be given separate and sufficient information for each purpose, such that they are able to make a clear, informed and affirmative decision for each consent request.
Article 12(4) of the DP Law explains that "the request for consent for the processing of personal data must be clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language". Consent for specified purposes should therefore be provided separately, clearly and distinctly from any wider consent that is being requested.
The DP Law has been largely influenced by the rights granted to users in the EU under the General Data Protection Regulation (GDPR), as well as by the California Consumer Privacy Act 2018. The broader rights data subjects enjoy under the DP Law include rights in respect of the rectification and erasure of their data, as provided for under Article 32.
Data controllers must provide, and be able to demonstrate that they provide, methods that periodically enable data subjects to evaluate their consent and withdraw it should they choose to.
Data subjects not only have the absolute right to easily withdraw their consent at any time, but must also be informed that they have this right. Exercising the right to withdraw consent should not be onerous or effortful for data subjects. It should be as simple as any other method of exercising their data subject rights under the DP Law.
Where the data subject withdraws consent, the data controller should take steps as soon as reasonably practicable to cease processing the personal data in question, including ensuring that any third-party data processors involved are also under a duty to take the necessary steps.
Consent management is critical in light of the new requirements under the DP Law. Data controllers should, among other things, investigate their current compliance with the new law, consider whether new consent procedures are required for compliance, and inform data subjects of their rights, including the right to withdraw consent.
Co-written by Alexandra Bertz of Pinsent Masons.