The first of its kind data protection and AI governance conference in the GCC

Reflections from RISK GCC

  • November 28, 2023

This article was jointly written by Richard Chudzynski, Data Privacy & Protection Legal Leader, PwC Legal Middle East; and Lori Baker, Vice President Legal and Director of Data Protection, DIFC Authority.


Reflecting on the recently concluded RISK GCC, the first-of-its-kind data protection and AI governance conference in the GCC, it is safe to say that a lot of the objectives set, and even some that were not initially envisioned, were achieved. RISK GCC provided a combination of timely and topical session subjects tailored for the Gulf Cooperation Council (GCC) and presenters who are experts in their fields. They contributed their time, passion and energy to bringing these subjects to life. Among the highlights were the keynote speakers, with His Excellency Omar Sultan Al Olama, UAE Minister of State for Artificial Intelligence, kicking the conference off and Elizabeth Denham CBE, former Information Commissioner of the UK, closing day one.

The reason for asking His Excellency Omar Sultan Al Olama to address RISK GCC as the kick-off keynote speaker probably goes without saying. In addition to his being named among Time Magazine’s 100 most influential people in AI 2023, his team, under His Excellency’s superb leadership, crafted the UAE’s first comprehensive national data protection law, UAE Decree Law 45. He is leading the AI and technology governance evolution in the region and globally, emphasising how important getting to grips with this subject matter is, and the data protection implications it entails, in every aspect of our lives.

The reason for asking Elizabeth Denham, CBE, to come all the way from Canada to spend about 20 minutes speaking and a further few days in Dubai may not be as obvious. Most little girls don’t necessarily dream of growing up to be the DIFC Data Protection Commissioner’s delegate and a Regulatory Compliance leader in the GCC. But here we are, and for what better reason than inviting a role model and, let’s face it, one of many a privacy professional’s personal heroes, on the off chance she would be happy to travel 24 hours one way for her first trip to the region to present to a first-ever conference? There is only one better reason, in fact, and that was to share her experience of transformation and ignition in the ICO in the UK with a region in a similar position now: new laws to implement, new economic and political landscapes to come to terms with, and new, very new, lightning-fast technology developments across a regulatory playing field at varying levels of regulatory maturity. And deliver this message she did, very well.

Now that the stage is set, the following gives us a sparkling overview of what she discussed with us and the lessons to be learned. If you missed RISK GCC or Liz Denham’s address, the summary below illuminates an outstanding example of how to transform, ignite and get ready for acceleration!


Recalling the ICO: Elizabeth Denham's path of regulatory transformation

In the realm of data privacy and regulation, the indelible imprint of Elizabeth Denham, CBE, stands as a testament to transformative leadership. In her keynote address, "Recalling the ICO," presented at the RISK GCC conference, Denham regaled us with the narrative of her illustrious career as the UK's Information Commissioner, showcasing the evolution she fostered during her tenure.

Elizabeth Denham assumed the mantle of the UK's Information Commissioner in 2016, a pivotal moment marked by towering challenges, including the shadow of Brexit. During a time when the UK contemplated its separation from European Union regulations, Denham, a Canadian by origin, brought a fresh, outsider's perspective. Her arrival, although accompanied by raised eyebrows due to her distinctive accent, injected a much-needed global outlook into the sphere of data protection in the UK.

Remarkably, Denham's tenure coincided with a momentous juncture in British history. As the UK Parliament mirrored the EU's General Data Protection Regulation (GDPR) into its legal framework, her leadership mirrored the nation's adaptation. This mirrored transformation underlined the deep-rooted connections between the UK and the European Union, particularly in the context of business relationships and the flow of personal data.

The Information Commissioner's Office (ICO), under Denham's guidance, embarked on a rapid transformation to accommodate the formidable powers vested in it by the GDPR and to realign policy-making functions for the coming of the UK GDPR. The multifaceted challenges included expanding the office's regulatory capacity, upgrading systems and processes, and revitalising a workforce that had historically adhered to a more traditional model of governance.

At the outset of Denham's tenure, the absence of technologists was glaring, demanding immediate attention. Denham spearheaded an innovative hiring spree, infusing the ICO with technologists, engineers, and economists. This strategic move aligned the ICO with contemporary business models and corporate demands, increasing the ICO workforce from 300 to 900, thereby infusing fresh intellectual capital into the organisation.

For a regulator fostering responsible technology, collaboration is paramount, as Denham underscored. This approach emphasises interactive guidance and presuming good intentions, leading to the creation of the Age-Appropriate Design Code and other key guidance and governance outputs. It stands as a testament to the ICO’s commitment to engage with stakeholders and take measured steps towards compliance.

Elizabeth Denham recognised the significance of cultural understanding in navigating her role, embracing the nuances of British society and business culture. Her outsider’s perspective enabled her to navigate the political divisions of the era with impartiality. Her role on the EU Data Protection Board, informed by her Canadian background, acted as a moderating influence during a period of growing discord between the UK and EU. Her dedication to international outreach, particularly through chairing the Global Privacy Assembly, ensured the ICO's continued global prominence, a strategic asset during the challenges posed by the global health crisis.


On the Global Privacy Assembly: A new paradigm for data protection

Continuing her captivating keynote speech, Elizabeth Denham guided us through her journey, from the challenges she faced as the UK's Information Commissioner to her pivotal role as Chair of the Global Privacy Assembly (GPA). Her leadership of the GPA ushered in a paradigm shift in global data protection regulatory cooperation.

The GPA, often likened to the United Nations for privacy regulators, historically revolved around its annual conference, where regulators convened to establish shared policy positions, particularly concerning issues like the integration of privacy in artificial intelligence (AI) systems. Denham astutely recognised that the GPA had become somewhat insular, its membership exclusive to a select few.

Denham's approach as Chair was marked by inclusiveness. She envisioned a GPA that would truly represent the international community of data protection and privacy regulators. Diversifying the membership base was a key goal, and her vision materialised. The GPA now boasts representation from over 130 jurisdictions, with a commitment to cross-continent inclusion.

The inclusiveness paradigm extended beyond membership. Denham recognised that different regions had distinct ways of approaching data protection, rooted in cultural and historical contexts. The path to unity lay in acknowledging these differences and appreciating them for their diversity and legitimacy, as well as demonstrating a commitment to protecting the rights of their citizens independently and objectively. Her efforts led to success stories, such as the Dubai International Financial Centre (DIFC) being the first financial free zone in the region to receive accredited membership, and promoted a more inclusive global dialogue. It marked the early stages of recognition and appreciation of the diversity of regulatory bodies and the legal and regulatory methodologies by which they administer them.

In this context, Denham pointed out that a crucial aspect of data protection regulation is its international nature. She drew attention to the challenges associated with data flows, particularly in the context of the limited number of jurisdictions that had adequacy decisions in place. This approach to data transfer, in her view, was unsustainable and posed a hurdle to the global flow of data.

Denham's assertion that the world needed to challenge the status quo found resonance in her recounting of Japan's reciprocity in adequacy agreements with the EU. This bold move exemplified a more balanced and reciprocal approach to data protection, where jurisdictions recognised each other's regulatory frameworks.

The keynote speech painted a hopeful picture of the future, with cross-border rules becoming a global norm, and the Organization for Economic Cooperation and Development (OECD) issuing governance standards for government access to private sector data. Furthermore, the evolving EU-US data privacy framework illustrated a shift toward recognising the congruence of different countries' data protection policy approaches. These emerging voices, she believed, would infuse fresh perspectives that, while unfamiliar, held the potential to shape a more equitable and globally harmonised data protection landscape.


Opportunities for Dubai: Shaping the future of data protection

With this in mind, Elizabeth Denham shared her perspective on the future for Dubai and the broader Middle East region. With her characteristic insight, Denham encouraged this vibrant jurisdiction to avoid the primary impediment to progress in an innovation-driven landscape: lack of cooperation and compromise between jurisdictions. Instead, it will be key to capitalise on true convergence, rather than convergence conditioned on others aligning with one jurisdiction’s positions.

The way forward for the GCC and wider Middle East is a two-pronged approach to leadership. Firstly, developing jurisdictions should identify specialised domains for focused growth, such as AI governance or financial-services data protection within the digital economy. By making significant strides in these neglected or emergent areas, they can capture the attention of the world. Simultaneously, Dubai can closely observe how larger nations tackle complex, yet less commercially driven issues like children's privacy online. 

Denham observed that a distinctive feature of Dubai and the UAE as a whole is their agility and rapid response to legal changes. Unlike larger countries, where substantial change can take years, Dubai has a well-earned reputation for swiftly adapting to evolving needs and trends. This adaptability, exemplified by regulatory innovations like the Dubai International Financial Centre (DIFC) DP Law 2020 and Regulation 10, as well as the proposed data protection accelerator, positions the UAE as a dynamic player in the realm of data protection and technological progress.

On other fronts, the world currently grapples with issues surrounding surveillance technology and intelligence agencies that operate without adequate transparency and respect for citizens' rights. Denham commented that Gulf states, including the UAE, bring a unique perspective and their insights can potentially contribute to the definition of proper oversight of intelligence. This pivotal contribution could be game-changing, as a plurilateral agreement could redefine the landscape of international data protection.

Domestically, Dubai can also make significant strides by dismantling barriers between regulatory bodies, a trend championed by Denham in Canada and the UK. Effective regulation of the digital economy necessitates harmonising the mandates of financial, technological, communications, privacy, and antitrust authorities. This approach mirrors international advances and complements regional and national innovations.

As the data protection landscape continues to evolve, Elizabeth Denham's parting message emphasises the critical philosophical stance that regulators ought to maintain. While it's essential to acknowledge that no single entity possesses all the answers, regulators and policymakers must serve as vigilant gatekeepers, watchful of the horizon and ready to ask the right questions. Their role extends beyond policing established practices; it requires embracing an unfamiliar future guided by clear ethics, realistic applications of the law, and a deep sense of real-world consequences.

In her insightful keynote speech, Elizabeth Denham has not only offered a glimpse into the evolution of data protection but also illuminated the path forward for the Middle East. This potential to lead in data protection innovation is undeniable, and its role in shaping a harmonious, global data protection landscape is both promising and inspiring.

