10. PERSONAL DATA PROCESSED THROUGH AUTONOMOUS AND SEMI-AUTONOMOUS SYSTEMS


10.1 Autonomous and Semi-Autonomous Systems


10.1.1 For the purposes of this Regulation 10, unless otherwise specified herein:
(a) “System” or “Systems” shall mean any machine-based system operating in an autonomous or semi-autonomous manner, that can:
(i) Process Personal Data for human-defined purposes or purposes that the system itself defines, or both; and
(ii) generate output as a result of or on the basis of such Processing.


(b) “Deployer” means, with respect to a System, the natural or legal person
(i) under whose authority or on whose direction or for whose benefit the System is operated, or
(ii) who receives the benefit of the operation of the System or any output generated by the System, in each case without regard to whether or not the System is operated, supervised or hosted by such person, or whether such person defines or determines any of the purposes for which Personal Data is Processed by such System.


(c) “Operator” means a Provider that operates or supervises a System on behalf of, or otherwise for the benefit of, and on the direction of, a Deployer, in each case without regard to whether or not that Provider exercises any control over the Processing of Personal Data by the System.


(d) “Provider” means a natural or legal person that develops a System, or procures that a System is developed for or on behalf of such person, in each case with a view to providing, commercialising or otherwise making such System available to Operators or Deployers.


10.2 Obligations of Deployers and Operators of Systems


10.2.1 Without limiting any other provision in this Regulation 10, where Personal Data is Processed for use in, or to enable the learning processes of, any System, a Deployer or an Operator of the Systems involved in such Processing must in each case adhere to the general requirements and principles for Processing Personal Data set out in Article 9 of the Law.


10.2.2 Where an application or website service employing Systems to Process Personal Data is used, the following actions must be undertaken by a Deployer or an Operator in respect of such Processing:
(a) notice must be provided in clear and explicit terms upon the initial use of, or access to, the System, alerting users to any underlying technology and processes comprising the System that may undertake any Processing of Personal Data by the System that is not human-initiated, controlled or directed (for example, if the System is restricted to only Processing Personal Data for specific human-defined purposes, or if the System is capable of defining further purposes for Processing on its own, or can otherwise Process Personal Data for purposes that are not human-defined), as well as indicating the impact of the use of the System on the exercise of individual rights as provided under the Law in Article 29(1)(h)(ix);


(b) the notice referred to in the previous sub-paragraph must also include a comprehensive, true and plain description of:
(i) the human-defined purposes for which Personal Data is Processed by the System;
(ii) all human-defined principles on the basis of which, and all human-defined limits within which, the System is capable of itself defining further purposes for Processing of Personal Data;
(iii) the output which the System produces on the basis of such Processing and the manner in which such output is used;
(iv) the principles on the basis of which the System has been developed and designed to operate, including a description of any safeguards built into the System by design to ensure compliance of the Processing of Personal Data by the System with the Law and this Regulation 10; and
(v) the codes, certifications or principles upon which the System is designed or developed, which may include those promulgated by the Dubai Digital Authority, the Organisation for Economic Cooperation and Development (OECD), the United Nations Educational, Scientific and Cultural Organisation (UNESCO), the National Institute of Standards and Technology (NIST) AI Framework, or the Guidelines for Financial Institutions adopting Enabling Technologies published by the Central Bank of the UAE, Securities and Commodities Authority, Dubai Financial Services Authority, the Financial Services Regulatory Authority and such other codes, certifications and/or principles established by national or international regulatory authorities or bodies as the Commissioner may designate from time to time;


(c) evidence, to be provided upon request by any affected party, of the System’s compliance with any applicable audit and/or certification requirements that may be established by the Commissioner from time to time;


(d) evidence, to be provided upon request by any affected party, of any algorithm(s) that causes the System to seek human intervention when Processing of Personal Data by the System may result in an unfair or discriminatory impact on a Data Subject, as well as a risk and impact assessment of the risk that Processing by the System of information made available to the System may result in unjust bias or High Risk Processing;


(e) evidence, to be provided upon request by any relevant party, of an algorithm or algorithms that cause the Systems to seek human intervention in the event any Personal Data Processed by the System must be accessed by, or on behalf of, competent government authorities, including law enforcement, for the purposes of prevention or prosecution of alleged or confirmed criminal offenses, as well as a risk and impact assessment in that respect;


(f) evidence, to be provided upon request by any relevant party, of an algorithm or algorithms that instruct the Systems to seek human intervention in the event any Processing of Personal Data by the System may result in non-compliance with Regulation 9, as well as conducting a risk and impact assessment in that respect; and


(g) provide upon request by any relevant party a register listing the following information, including but not limited to:
(i) use cases, necessity and proportionality of Processing activities, or Processing activities or categories in which such Systems are used;
(ii) how information in the System can be accessed by Data Subjects in accordance with Articles 32 to 40 of the Law;
(iii) whether the System will be used solely to make automated decisions;
(iv) with which Third Parties or, to the extent permitted by applicable laws, which Requesting Authorities any Personal Data used in the Systems is Processed as part of stable arrangements, other than on an occasional basis;
(v) with which Third Parties or, to the extent permitted by applicable laws, which Requesting Authorities, any Personal Data used in the Systems is Processed in accordance with one or more of the lawful bases set out in Article 10 or Article 11 of the Law;
(vi) contractual obligations of Joint Controllers, Processors or Sub-processors; and
(vii) where Third Parties or Regulatory Authorities engaged in Processing Personal Data used in the Systems are located and appropriate safeguards for exporting the Personal Data thereto; and


(h) any other information the Commissioner requests to demonstrate compliance with the Law, these Regulations or other applicable laws. Information provided in accordance with Regulation 10.2.2(c), 10.2.2(d), 10.2.2(e) or 10.2.2(f) may be redacted or summarised, as reasonably determined by the Deployer or Operator, solely to the minimum extent necessary to protect their intellectual property rights in, or comply with restrictions under applicable laws in respect of, the System or any raw data used to train the System, provided that the Deployer or Operator undertaking the summary or redaction (as applicable) must provide to the Commissioner, upon request, the full and unredacted underlying information, and implement any revisions to the summary or redactions that are required by the Commissioner. The Deployer or Operator may consult with the Commissioner regarding any relevant evidentiary requests or directions at any time.


10.3 General Requirements for Artificial Intelligence Autonomous and Semi-Autonomous Systems


10.3.1 A System developed and utilised in products, services, or other use cases that may impact a Data Subject, negatively or positively, must be designed in accordance with the following concepts:
(a) Ethical: algorithmic decisions and the associated data lineage of a System should be unbiased and mitigated. This principle is closely linked with the principles of fairness and transparency.


(b) Fairness: Systems should be designed to treat all individuals equally and fairly, regardless of race, gender, or other specifically subjective factors. Additionally, Systems should be designed to avoid potential biases, including unjust bias, or where possible, mitigate bias that could lead to unfair outcomes.


(c) Transparent: a System must ensure that Processing of Personal Data is explainable to Data Subjects and other stakeholders in non-technical terms, with appropriate supporting evidence.


(d) Secure: a System must keep Personal Data protected and confidential and prevent data breaches which could cause reputational, psychological, financial, professional or other types of harm.


(e) Accountability: a System must have mechanisms in place to ensure responsibility and accountability for enabling its Systems and outcomes. Such mechanisms may include internal governance and control frameworks in place for monitoring the System, processes and projects regularly or external organisation auditing processes regularly, enabling the assessment of algorithms, data and design processes.


10.3.2 No person may use, operate, provide, offer or otherwise make available for commercial use a System to Process Personal Data (or receive the benefit of, or output from, the operation of such System), unless such System:
(a) is capable of Processing Personal Data only for purposes that are human-defined or human-approved, or are defined by the System itself solely on the basis of human-defined principles and solely within the limits of human-defined constraints; and


(b) is designed in compliance with Regulation 10.3.1 and complies with any other applicable audit and certification requirements that may be established by the Commissioner from time to time.


10.3.3 No person may use, operate, provide, offer or otherwise make available for commercial use a System to engage in High Risk Processing Activities set out in the Defined Term, sub-clause (a), in Schedule 1, Article 3 of the Law, unless:
(a) the Commissioner has established audit and certification requirements applicable to Systems used in High Risk Processing Activities;


(b) the System complies with all such requirements;


(c) the System Processes Personal Data solely for human-defined or human-approved purposes; and


(d) the Deployer or Operator has appointed an Autonomous Systems Officer (ASO), who will have the same or substantially similar competencies, status, role and task of a DPO as set out in Article 17 and Article 18 of the Law.


10.3.4 For the purposes of Regulation 10 and the Law:
(a) a Deployer of a System shall be deemed to act as a Controller (or, mutatis mutandis, a Joint Controller) in respect of the Processing of Personal Data by that System; and


(b) an Operator of a System shall be deemed to act as a Processor (or, mutatis mutandis, a Sub-processor) in respect of the Processing of Personal Data by that System.


10.3.5 Data Subjects may submit a complaint challenging the outcome of Processing of Personal Data by such Systems in accordance with Parts 9 and 10 of the Law.