A variety of local regulations and international agreements have recently affected the way sensitive private data is both disclosed and protected in private and commercial domains.
These have created some tension: on the one hand, there are new requirements to divulge information to regulators to comply with prevailing corporate transparency laws; on the other, there is legislation designed to safeguard an individual’s right to privacy.
In light of this, how can you protect your clients’ data for their own legitimate purposes, while ensuring that they fully comply with existing legislation?
1. Ultimate Beneficial Ownership (UBO)
Ever since data breaches such as the Panama Papers in 2016, there have been growing calls in certain jurisdictions for public UBO registers, ultimately resulting in the EU’s 5th Anti-Money Laundering (AML) Directive.
The G8 and EU were quick to initiate public registers as the norm, relying on the following principle: in return for the benefits of protection from personal liability that a stake in a company confers, owners should be willing to reveal their identity.
Regardless of whether such a proposition enjoys broad support or not, the rush to satisfy a questionable public interest in Beneficial Ownership has created grey areas. Legislation such as the EU’s General Data Protection Regulation (GDPR) (see point #2 below) has arguably been trumped by the rights of governments and civil society to demand absolute transparency in ownership.
As a result of these grey areas or loopholes, clients with operations or subsidiaries in any jurisdictions with public UBO registers are liable to find that individual privacy has now been relegated to a principle, not an absolute right. Transparency has usurped privacy to become the dominant and prevailing right.
How do UAE free zones protect legitimate data privacy?
Insofar as UBO relates to the UAE, free zone authorities have implemented their own individual UBO regulations requiring companies to keep a private register of Ultimate Beneficial Owners (UBOs) and to notify free zone authorities or regulators of UBO details, and any changes to those private registers.
Within many UAE free zones, entities will be required to divulge UBOs only to relevant government regulatory authorities, or to the registrar. Unlike EU member states, for example, there is no requirement for UAE free zone authorities to divulge private data to public UBO registers. It is held on a confidential basis only and is not made available to any public register.
Furthermore, the sharing of private data between private regulatory registries and foreign authorities only happens as a result of specific requests for information from the Ministry of Finance.
This is on a case-by-case basis only, so the only thing that even comes close to a public registry is a record of company status and director information, not of shareholders.
In the case of clients with operations across different EU countries, they will need advice on the subtleties of access and regulations between jurisdictions, because each individual EU member state can determine exactly who can access the UBO register and whether it is accessible to the public.
2. Data protection and GDPR
In response to the EU’s General Data Protection Regulation (GDPR) legislation, the UAE federal government has announced supplementary policies to bring the UAE up to global standards in data protection.
The first of these policies was passed in September 2019 and regulates data sharing in the healthcare sector. UAE Financial Centres have introduced their own robust regulation on data protection that enshrines best practice worldwide.
What can you do to protect your clients’ data?
In theory, any legislation to restrict or eliminate the unauthorised flow of private data should be a welcome development; it protects your clients’ data from misuse by unauthorised parties. This presumes, of course, that your own data protection regime is robust and fit for purpose.
It therefore helps to initiate your own data protection checklist covering in-house and third-party personnel who may have authorised access. Start with a privacy impact assessment, so that staff understand the risks, and can make informed decisions accordingly. If you cover access, collection and use of data, you are more likely to avoid the issues that may arise from not having validated compliance with legislation or best practice.
Then moving forward, keep a close eye on any developments from government, to ensure you remain compliant.
3. Economic Substance Regulations (ESR)
The UAE introduced ESR in April 2019. Its goal is to ensure that UAE companies maintain a sufficient economic presence in the UAE, a prerequisite for removal from the EU’s blacklist of ‘non-cooperative jurisdictions for tax purposes’.
How might Economic Substance affect your clients?
If an organisation comes under the remit of Economic Substance, as of 30 April 2019 it is required to meet five economic substance tests to comply: if it conducts relevant Core Income-Generating Activity (CIGA) in the UAE, it should be directed and managed in the UAE; it needs to demonstrate an adequate number of full-time employees in the UAE for a particular activity; it must incur adequate operating expenditure in the UAE; and it must be able to prove adequate physical assets in the UAE.
What can you do to protect your clients’ data?
Crucially, UAE free zone entities now have to submit information to each relevant regulatory authority. Within their annual return, your clients must provide details of the organisation’s activity, and if its activities are relevant, provide details such as expenses, income and assets, and make a declaration as to whether the Economic Substance Requirements are met.
You should therefore educate and advise your clients as to how they comply while avoiding oversharing data that is superfluous to compliance.
Finally, if your clients have operations in any of the 12 remaining jurisdictions that the EU deems to be “non-cooperative”, they will need to act on the EU Council’s so-called defensive measures against those jurisdictions.
4. Cross-border data sharing (ESR)
While interoperability across jurisdictions can bring advantages, it pays to implement robust data protection checklists, given the legal implications of GDPR and other regulations. The Organisation for Economic Co-operation and Development (OECD) reports an increase in the number of worldwide data regulations from approximately 50 in 2000 to around 250 in 2019.
So create checklists that will safeguard clients’ information in accordance with national and international legislation mandating its protection and sharing.
What can you do to protect your clients’ data, and their clients’ data?
Firstly, make sure you familiarise yourself and your clients with the varying obligations under international law. These might include US federal and state law (including California’s ‘Shine the Light’ privacy law), EU GDPR legislation, and additional EU laws such as the ‘right to be forgotten’.
Next, consider which operating countries may hold jurisdiction over your clients’ accounts; ensure your clients are well informed when it comes to how their own clients’ data is being shared.
Maintaining the in-house skills necessary to assess the quality of data protection in your organisation, as well as your clients’, is crucial to minimising risk.
It’s vital to provide good training to employees and third parties to help them understand their responsibilities and obligations to collect, use, share, store, alter or remove private data with the utmost care.