It’s time to confess. At some point, all of us claim to have read – and have subsequently agreed to – excessively long lists of terms and conditions when signing up to an online service. Does it even occur to you to open these lists, let alone give them any of your time?
Diligent online users – who, let’s face it, are few and far between – might not be so quick to drag their cursors over that ‘agree’ box.
However, the recent overturning of the Federal Communications Commission (FCC) ruling in the United States, which now allows ISPs to monetise user data, has prompted Internet users worldwide to question the whereabouts of their personal details when they submit their data to an online service.
The ruling indicates that ISPs would like to do what Google, not covered by the new FCC rules, is already doing: selling anonymised profiles – based on data that companies gather – to third parties for ad targeting. But while the average citizen cannot begin to comprehend the amount of data that Google collects, it can only track you across the sites that it owns or has contributed code to. What is more concerning is that ISPs can track your entire Internet-browsing history.
“What you’re seeing in the FCC’s change of policy is a philosophical shift that aligns with the current US administration,” says Eamon Holley, legal director, DLA Piper. “In other words, letting free market economics regulate things rather than requiring government intervention.”
Europe, on the other hand, has a fundamentally different attitude to data protection, and the recent launch of the General Data Protection Regulation (GDPR) means that there is less expectation of such a broad-brush approach to data privacy across the continent.
Here in the Middle East, things don’t seem to be quite so clear-cut, and what appears to be lacking is a uniform approach to the matter across the GCC.
In the UAE, there is no general federal data protection law comparable to those applicable in Europe, and there is also no single national regulator. Instead, the UAE has provisions in place within its respective general laws, such as the Penal Code, which makes the publishing of private information a criminal offence, and the Privacy of Consumer Information Policy, initiated by the Telecommunications Regulatory Authority (TRA), which requires a licensee to obtain consumer consent before sharing their data.
“Even though there isn’t a dedicated, comprehensive data protection law in many countries in the region, regulations in other countries are raising the compliance bar to a degree anyway,” adds Holley.
However, Nicolai Solling, chief technology officer, Help AG, believes this isn’t enough. “Given the complexity of the digital age that we are in, safety and privacy of data can only be guaranteed through the implementation of unified data protection laws,” he says.
In Dubai, certain areas are more regulated than others. For example, Dubai International Financial Centre (DIFC) is unique in that under the terms of the UAE’s Federal Law No. 8 of 2004, it is recognised as an independent jurisdiction within the country, and is therefore empowered to create its own legal and regulatory framework for both civil and commercial affairs.
The DIFC Data Protection Law is designed to balance the legitimate needs of businesses and organisations to process personal information while upholding an individual’s right to privacy. “As a large number of entities operating in DIFC work with data that is very sensitive in nature, the application of data protection laws seems natural,” Solling adds. “It would, of course, be encouraging to see these laws find their way out of these zones, as privacy concerns are not just limited to these confinements.”
There are a number of factors that could contribute to the lack of data protection frameworks outside of certain areas in Dubai, but the cost of implementation, setting up a new regulator and staffing it to actively enforce laws remain key inhibitors.
“It may be that the government’s position on this matter is that what is in place now is sufficient,” says Holley. “But as we’re being engulfed by the data tsunami, this thinking appears to be changing.”
Elsewhere in the region, Qatar has recently rolled out the first country-wide data protection law in the GCC, which requires companies to protect the personal information that they gather from customers, or face stiff penalties.
There is said to be scope for this framework to be replicated across other GCC countries, although there is no timeframe in mind for when this may be. “It’s not uncommon for there to be a ‘domino effect’ around the region with new initiatives, including legislative developments,” says Holley.
A primary concern around the unchartered sharing of data is users’ lack of education and awareness around the fact that it is happening. “What about the number of times you have to hand over a passport copy or credit card copy to a non-governmental organisation?” asks Solling. “How do they store this important information? Who has access to it? How, if ever, is the data discarded?”
While handing over a passport at a hotel for check-in purposes satisfies a reasonable level of expectation, why has it become the norm for an Emirates ID card to be left at the security desk of buildings across the UAE, if this card is supposed to be in your possession at all times?
Implications were revealed after 98 percent of respondents missed the ‘gotcha clauses’ about data sharing with the NSA, and about providing a first-born child as payment for access to the site.
Likewise, many would undoubtedly have a shock if they read the privacy policies of active social media sites, and discovered how a complete spectrum of personal information – including who you’ve been chatting with – can be shared across a variety of platforms, thanks to that tick of the ‘accept’ box.
Take Instagram, for example. Its terms of service total 17 pages in length and earlier this year a UK-based lawyer re-wrote the terms in child-friendly language to try and encourage users to take note. “Having critical user-related data collection or usage policies presented in simple, quick-to-read format would help understanding what the user actually signs up for,” says Kalle Bjorn, director, systems engineering, Fortinet Middle East.
The Instagram terms read, “Although you are responsible for the information you put on Instagram, we may keep, use and share your personal information with companies connected with Instagram. This information includes your name, email address, school, where you live, pictures, phone number, your likes and dislikes, where you go, who your friends are, how often you use Instagram, and any other personal information we find such as your birthday or who you are chatting with, including in private messages.” What’s yours truly is theirs.