Written with Maciej Kuziemski.
The recently introduced General Data Protection Regulation (GDPR) provides an opportunity to reconsider privacy regimes far beyond the borders of the European Union. In countries like the UAE where the right to a private life is valued by state and residents, there is more reason to lead the way in imagining about bold alternatives to our current data sharing habits.
Over the next few months, the Centre for Accelerated Research at the Dubai Future Foundation is developing scenarios for these alternatives based on discussions with local stakeholders and experts. This post introduces the thinking behind this short project.
A large chunk of the digital economy is based on providing free services in exchange for consumer data that can be monetized. For years, the benefits of accumulating individual data have fueled the growth of social media platforms, search engines and online retailers. But which entities had access to our personal data — including shopping habits and political preferences — often remains a mystery to consumers.
This is changing. On 25 May, the European General Data Protection Regulation created a new landscape of rules for data access and transparency. It allows EU citizens to access the information companies gather about them, imposing a stricter data management regime and introducing severe fines for non-compliance (and a bunch of other stuff).
What does it mean in practice for the UAE? Any organizations that store and process EU citizens’ data will have to take appropriate measures to protect it — potentially making a heavy investment in data infrastructure. The regulation doesn’t apply to the citizens from outside of the EU just yet. But Dubai has over 80% foreign residents, and many companies with a global customer base. So GDPR is affecting the country already.
Companies that have already created bespoke data management processes to comply with GDPR are faced with a dilemma: apply the rules universally or run two-tier system for different geographies. Would they do the latter? Possibly. Protecting individual data is tremendously expensive, so why do it unless legally obliged?
Wondering about data privacy futures is a timely topic in the Middle East. Most Gulf countries do not have a dedicated national data protection law. The Dubai Data Law from 2015 goes much further. But it only covers data held by government entities and others that produce, own, publish or exchange data “relating to the Emirate of Dubai” (Dubai Data Law, page 3). This Law puts data protection in its objectives:
“Data protection and privacy of the individual is our highest priority. The most impactful and ready data will be shared first. Data will always be anonymous, hence untraceable, when it is opened.”
In addition, the UAE’s constitution guarantees the secrecy of “corresponding through the post, telegraph or other means of communication”, which is considered by experts as a basis for the individual’s right to privacy (although this rule applies solely to UAE citizens, and not all residents).
The 2012 UAE Federal Law on Combating Cybercrime prohibits the invasion of an individual’s privacy by taking pictures of others, publishing or displaying those pictures. This law has been strongly enforced. Dubai Police recently arrested someone for filming a man who was crying after finding out his relative had run up 20,000 AED in traffic fines.
Full and detailed consumer data protection is not part of UAE law, but these examples show how highly it is valued.
Here kicks in an unintended, but beneficial consequence of GDPR — it raises the salience of the topic of privacy in several ways. First, it introduces data privacy as a casual conversation subject, raising awareness and expectations among consumers: why can they can be protected, while we don’t know what happens to our sensitive informations? Citizens notice that regulatory powers can be effective against multinationals, making new relationships with these companies plausible.
Second, companies that process data from EU customers (read: vast majority of market leaders) are forced to rethink their data management policies. This fractures existing practices and opens up the debate about new ways of doing things.
Finally, infamous data breaches and systemic illegal practices of major social media platforms that are shaking the foundations of Western democracies forced politicians to take notice. Data privacy is — as of 2018 — no longer a dull technicality. It is a battlefield that will determine how humans interact with technology and each other.
Together these provide fertile ground to consider what are the desired, probable and actionable futures for data management and protection in the country. One obvious solution would be to enact legislation that resembles and implements similar measures to GDPR, just like the UK did.
This may prove to be a less than ideal for several reasons. First, it’s too early for a proper impact assessment. Some of the deficiencies of GDPR are self-evident: companies are creatively trying to shift the costs of compliancetowards consumers, while one poll has shown, that as much as 72% of users tend to blindly accept updated terms and conditions.
The lack of an overarching legal framework for consumer data protection in the UAE provides an unusual opportunity. There is a chance to bend the implicit rules of the digital economy: experiment with communally-owned data trusts, introduce collaborative data exchange infrastructures, and redefine and adapt the role of data controllers and processors to the values and needs of UAE’s residents.
It couldn’t be more exciting than this — the Middle East is at the critical juncture of individual data practices. In such rare moments of uncertainty, when existing practices are no longer enough, and emerging ones are not set in stone, dramatic normative change is possible: careful and timely choices can hugely affect outcomes, launching new pathways and transform even the sturdiest institutional practices.