Don't Threaten Me with a Good Time -- DPAs in Modern Business
We were a little surprised recently when we received a DPA that included requirements to comply with regulations in Dubai and New Zealand. Dubai? Why a city and not a country? Heck, why not just Burj Khalifa? New Zealand? We know this partner does business in Australia, so why kiwis and not kangaroos? Shouldn’t the Eye of Sauron be enough?
So are these the strictest DPAs? If not, why add Dubai and New Zealand? Most importantly, what kind of penalties could I incur if I don’t comply?
Background on DPAs
To paint with a broad brush, Data Privacy Agreements (DPAs), more commonly called Data Processing Agreements, describe what personally identifiable information may be gathered, how it may be used, and how it must be protected by the organization that captures it on behalf of another party.
You are probably familiar with the pop-ups on many websites that require you to acknowledge that you may get cookies on your machine if you continue onto the website. Those banners are a requirement of EU law: the ePrivacy Directive requires consent before non-essential cookies are set, and the GDPR, the General Data Protection Regulation, which is the Data Privacy law for the European Union (EU), sets the standard that consent has to meet.
DPAs are more than common practice these days, they’re often required to do business. That’s business within a country, or across international borders; business to business or business to consumer; or even as an assurance on how employee data will be handled.
Strictest DPA
Neither Dubai’s nor New Zealand’s Data Privacy Acts are considered the strictest in the world. That distinction goes to the land of the Sugarcubes and the best female CrossFitters. If you knew that was Iceland, then we are probably already friends.
Iceland views data protection as a human right,
“Enjoying the right to privacy concerning one's private life, e.g., with regard to the treatment of personal data, is a basic human right, which is protected under the Icelandic Constitution and also in human rights conventions.” (https://www.government.is/topics/personal-law/)
Iceland’s constitution states explicitly: “Everyone shall enjoy freedom from interference with privacy...” (Article 71 of the Constitution of the Republic of Iceland). Despite what many people believe, even we in the U.S. do not have an explicit right to privacy, it is derived from other rights.
Iceland is not part of the EU, but it is part of the European Economic Area (EEA). Thus, Iceland requires compliance with the GDPR as well as with its own privacy regulations if a company is to do business there.
Multiple European countries have their own laws in addition to the GDPR, many of which actually predated the implementation of the GDPR. For example, Sweden had the first national data privacy law in the world, the Data Act of 1973 (the German state of Hesse had passed a state-level law in 1970).
Why here?
Multi-national businesses often want to be sure they are working with an organization that is in compliance with the Data Privacy laws of *any* country in which they *might* do business. So the more jurisdictions covered in a DPA, the more places where business may be done. Not everywhere has Data Privacy Laws, but pretty much anywhere you want to do business does.
So here we come to Dubai. The UAE government aspires for Dubai to become a hub of international business. The Dubai International Financial Centre (DIFC) is a special carve-out, a free zone with its own common-law-based legal system, in a country whose laws are generally administered differently than those we are accustomed to in the West. Note that the DIFC Data Protection Law applies within the DIFC free zone, not to the whole of Dubai or the UAE. Remember, Data Privacy is only one part of the system set up in the DIFC, all of which is intended to facilitate global business.
New Zealand’s Privacy Act is one of the most recently implemented; it came into force on December 1, 2020. This may lead a company to believe it is the most modern, and thus up to date with current technology. However, the most distinguishing element of New Zealand’s law may be why it’s included: its extraterritorial scope. The Act applies to an overseas agency that is “carrying on business in New Zealand,” whether or not it has a place of business there, and whether or not it charges money for its goods or services. As a gross over-simplification, any company that does anything that impacts a Kiwi may be subject to the regulations. No physical presence is needed. To date, there has not been litigation to determine exactly what this means.
In general, DPAs are reciprocal. The company asking for it says, “we’re in compliance with these laws, and you need to be too.” So it is strategic to decide the laws to which you want to subject yourself, anticipate where you want to do business, and be prepared to say that all of your vendors and suppliers agree to comply as well.
What follows does not, and is not intended to, constitute legal advice.
What if I don’t?
What are the penalties for being lazy, a liar, or a loser?
There seem to be three ways to “don’t”.
- I’m lazy. I don’t agree to comply.
- I’m a liar. I don’t take steps to comply after agreeing to.
- I’m a loser. I don’t succeed, even though I tried to comply.
Lazy: If I don’t agree to comply, then I might not get to do business with the partner who has requested it. I could certainly ask for it to be removed if I don’t think we’ll be doing any business in those jurisdictions, but there is no guarantee that it’ll be taken out. So the cost is possibly forgone opportunities.
Liar: Let’s limit this to being found through an audit, e.g., no breach has occurred, but the partner has become aware of a potential problem and asks for proof of measures being taken. Failure to comply may give the partner company reason to terminate the contract right away and will also do a great deal of harm to my reputation.
In the eyes of Data Privacy laws, the more egregious violation would be to gather more information than you have told users you would. Along with the penalties above, the partner company may also have an obligation to report me to the authorities in the jurisdiction where we’re doing business. This can lead to monetary penalties and to no longer being permitted to do business in that country.
Loser: Really, the only way anyone will know that I tried and failed is if there is a breach. At that point, I could still incur the penalties of being a Liar, and be obligated to pay any penalties that my business partner incurred. While most jurisdictions stick with monetary punishments, some jurisdictions treat data privacy violations as criminal matters.
Remember Iceland, with what’s considered to be the strictest privacy laws in the world? Failure to comply there can lead to 3 years in prison.
In Conclusion
Like most contracts, a DPA can be summed up as: that which you don’t want to be done with your stuff, don’t do to someone else’s. That does not mean DPAs are easy to comply with, but they’re a standard part of doing business these days. So run your updates, create back-ups, and comply with DPAs. They’re the foundation of keeping your systems safe.
Regulations and links to full text
United Arab Emirates
The Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020. https://www.difc.ae/application/files/6115/9358/6486/Data_Protection_Law_DIFC_Law_No.5_of_2020.pdf
New Zealand
The Privacy Act 2020 https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html
European Union
General Data Protection Regulation (GDPR) https://gdpr-info.eu/
Iceland
Act on the Protection of Privacy as regards the Processing of Personal Data, No. 77/2000 https://www.government.is/Publications/Legislation/Lex/?newsid=fadb4b17-f467-11e7-9423-005056bc530c (Note: this Act was superseded in 2018 by Act No. 90/2018 on Data Protection and the Processing of Personal Data, which implements the GDPR in Iceland.)
Sweden
First in the World (not current): The Swedish Data Bank Statute and Regulation of May 11, 1973 (The Data Act of 1973) https://www.loc.gov/resource/llglrdppub.2019668695/?st=gallery
Explanations of rhetorical questions and references
(Because nothing makes a joke funnier than having to explain it):
In overly simplified terms, an Emirate is to the UAE as a State is to the USA.
It turns out Dubai is a city *and* an Emirate, think of New York, New York. Dubai is to the United Arab Emirates as New York is to the United States of America.
Burj Khalifa is currently the tallest building in the world. It is in Dubai. So why not just focus on a single building if your regulations are only going to apply to a city anyway. This was my attempt at sarcasm.
People from New Zealand are called Kiwis (not the fruit – which Kiwis call a kiwifruit). The Kiwi is the National Bird of New Zealand. People in Australia are not called Kangaroos, but the animal is on the country’s Coat of Arms and is closely associated with the country. This was my attempt at an analogy.
Eye of Sauron is a reference to a quasi-omnipotent being in The Lord of the Rings. The Lord of the Rings movies were filmed in New Zealand. This was my attempt at gaining Geek Cred.