The Dubai International Financial Centre urges companies to protect personal data when using artificial intelligence.

By Brian A. MeenaghKsenia Koroleva, and Lucy Tucker 

On 18 April 2023, the Dubai International Financial Centre (DIFC), a financial free zone with its own data protection laws, published a consultation paper (the Consultation Paper) regarding amendments to DIFC Data Protection Regulations (the Regulations) for a 30-day public consultation.

The Consultation Paper acknowledges that AI systems are important and useful but carry risks to personal data processing. The DIFC’s proposed approach urges all companies using AI systems to adopt and reinforce technical and organisational means to protect personal data when using AI.

The proposed amendments  (the Draft Amendments) also cover other areas, most notably the use of data in digital and communications services (DCS) which consist of electronic communications (e.g., SMS, MMS, email, in-app messaging) generally enabled through behavioural advertising (e.g., direct marketing, and the use of cookies for personalisation and analytics).

The Consultation Paper aims to collect industry feedback on the Draft Amendments to ensure that the regulatory approach is reasonable and permits flexibility in the rapidly developing area of AI.

Key Requirements Under the Draft Amendments

The Draft Amendments outline the obligations that would apply when personal data is processed for use in or to enable the learning process of “digital enablement technologies”, including AI systems and other autonomous and automated systems (AI Systems). When using AI Systems, all persons involved in data processing — e.g., controllers, joint controllers, processors, and sub-processors — shall ensure compliance with the general requirements under the Regulations (including having a legal basis for processing).

The Draft Amendments propose changes to the standard definitions of controllers (including joint controllers) and processors (including sub-processors) for the purpose of regulating personal data processing by an AI System. The new definitions focus on who receives the benefit of the processing.

  • Regardless of whether a person determines the purposes and means of processing, such person is a controller if:
    • the AI System is operated for the benefit of such person; or
    • such person uses or otherwise receives the benefit of any output generated by the AI System in connection with such processing.
  • Regardless of whether a person  directs processing, such person is a processor if:
    • the AI System is operated by such person;
    • the AI System is operated for the benefit of another; and
    • such person does not use or otherwise receive the benefit of any output generated by the AI System in connection with such processing.

Therefore, the key criterion for determining whether a person is a controller or a processor is based on whether such person gets the benefit of AI-generated output. Therefore, if a business allowing use of AI Systems benefits from the output, such business would be treated as a controller of the relevant personal data regardless of the level of its involvement in determining how the AI Systems function. For example, if a business allows AI Systems to schedule appointments, but is not directly involved in determining how such AI Systems process data provided by data subjects for such scheduling (e.g., means of processing), such business could still be treated as a controller of personal data provided to the AI System and bear higher responsibility for the processing. Careful choice of AI Systems is therefore important.

Controllers and processors would be subject to the following requirements if their application or website service employs AI Systems to process personal data.

Notice Regarding AI Systems: Controllers and processors would need to provide a clear and explicit notice regarding the AI Systems used, which shall:

  • Alert data subjects of the use of the AI Systems and explain that the AI Systems use technology and processes that are not human-initiated or directed;
  • Describe the impact of the use of the AI Systems on data subjects’ rights;
  • Specify the purposes of processing, output produced by the AI Systems, and the manner in which it is produced;
  • Outline the principles based on which the AI Systems are designed and developed, including any safeguards used; and
  • Describe any codes and certifications with which the AI Systems are compliant.

Keeping Records and Providing Requested Information: Controllers and processors would also need to ensure that they can provide the DIFC Commissioner of Data Protection (the Commissioner) and affected third parties with the following information upon request:

  • Evidence of the AI Systems’ compliance with audit and certification requirements to be established by the Commissioner;
  • Evidence of any algorithms instructing the AI Systems to seek human intervention, including a risk and impact assessment of:
    • access by the AI Systems or law enforcement authorities to information; and
    • avoidance of bias;
  • Register showing personal data processed within AI Systems, processing activities, and use cases of the AI Systems; and
  • Any other information demonstrating compliance with the Regulations.

Requirements on the Design of AI Systems

Companies would need to design AI Systems in accordance with the following principles:

  • Fairness (treatment of individuals must be equal and fair)
  • Ethics (algorithmic decisions and associated data lineage must be unbiased)
  • Transparency (processing must be explainable to data subjects in non-technical terms)
  • Security (personal data must be kept confidential and data breaches must be avoided)
  • Accountability (internal mechanisms must ensure responsibility and accountability for outcomes, including internal governance, periodic audits, etc.).

Digital and Communications Services

The Draft Amendments also propose detailed rules on processing of personal data in DCSs. Controllers would need to comply with several conditions including the following:

  • Notifying data subjects that personal data may be used for enabling DCSs during personal data collection, providing data subjects with an opportunity to refuse/opt out of receiving DCS, and applying privacy-focused default settings;
  • When relying on consent for processing personal data in the context of DCSs, ensuring that consent is provided by way of a clear affirmative act that shows an unambiguous indication of freely given consent (e.g., via unticked pop-up windows):
    • Any method of obtaining consent should be accompanied by links to privacy policies, notices, or other information clarifying the processing and its purposes;
    • Pre-ticked selection boxes, silence, or inactivity are not acceptable forms of consent for the purposes of DCSs; and
    • Data subjects must be provided with an opportunity to refuse or opt out of receiving DCSs.
  • Abiding by default privacy preferences which shall neither promote nor discourage any particular setting selection, explain consequences of specific choices, and allow to easily alter choices.

Next Steps

The Regulations only apply to the processing of personal data by controllers and processors incorporated in DIFC, and to any personal data processing which takes place in the DIFC (regardless of the place of incorporation).

However, the Draft Amendments represent a significant step in the regulation of AI in the UAE, Middle East, and arguably globally. The proposed amendments are in draft form and subject to further review,  but DIFC has become one of the first regulators in the Middle East to propose a detailed set of rules regarding processing of personal data when using AI.

Latham & Watkins will continue to monitor developments related to regulation of AI in the Middle East, including the forthcoming additional rules and regulations.