Digital regulations: Key to unlocking digital growth in the Middle East

In today’s world, emerging technologies, such as AI are creating new ways for consumers to interact and disrupting traditional business models. It’s an era in which machines teach themselves to learn; autonomous vehicles communicate with one another; and smart devices respond to and anticipate consumer needs. This necessitates the need for digital regulations to govern these new-age technologies. We are yet to witness the establishment of global or even pan-regional agencies or organisations that would govern digital regulations for the globe or a group of countries (we will explore this in the second part of our series  on digital regulations).

That said, there have been some successes at both global and regional levels. Sharing of data is quintessential for today’s technology, which has rightly resulted in consumers globally being concerned about the privacy and security of their data. In the UK, for example, the Competition and Markets Authority (CMA) and the Information Commissioner’s Office (ICO) are cross-sectoral competition and data protection agencies that set standards across the entire economy, and are redefining markets and market power. The EU's General Data Protection Regulation (GDPR) requires companies to ask for some permissions to share data and gives individuals rights to access, delete, or control the use of that data. It emerged as one of the first multi-national regulations that has emerged as a global success, even when put to test during the pandemic. 

In the Middle East, Qatar was the first GCC member nation to issue a law in accordance with the GDPR adoption in Europe in 2016. KSA has recently enforced its first-ever comprehensive data protection law. The Personal Data Protection Law (PDPL) provides comprehensive requirements related to processing principles, data subjects' rights, organisations' obligations while processing the personal data of individuals, and cross-border data transfer mechanisms and lays out penalties for organisations in case of non-compliance with the PDPL.

Another application of digital regulations is for AI, wherein the EU has recently launched AI Regulatory Framework and its AI act⁵ has been approved by the EU parliament in March 2024. This framework classifies potential risks due to the AI systems and states that all AI systems need to be analysed and classified according to potential risks. The AI systems which possess unacceptable risk needs to be banned (e.g. - cognitive behavioural manipulation or social scoring). Similarly, high risk AI systems (for example, critical infrastructure management) needs to be assessed before launching them in  the market, as well as throughout their lifecycle.

Companies must adopt new processes and tools to comply with the increasingly rigorous regulations governing the use of emerging technologies. Failure to comply can result in severe financial penalties and significant damage to an organisation's reputation. Article 83(4) of the GDPR⁶ specifies that violations can lead to fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover from the preceding financial year, whichever is higher. These stringent penalties underscore the importance of adhering to GDPR requirements to avoid substantial economic and reputational repercussions.

Advancements in technology make it easier to comply with regulations by automating and streamlining labour-intensive compliance processes and offering a proactive, data-driven approach to identifying and mitigating compliance risks in real-time. AI can be used to automate monitoring, issue fines and penalties in real-time, and adjust variables in response to changes in ongoing laws. 

RegTech solutions, such as AI chatbots, can be used to provide automated responses to regulatory inquiries, while SupTech solutions⁷, such as machine learning algorithms, can predict potential non-compliance risks for decision-makers. Automated regulation can be beneficial for organisations that process sensitive information or adhere to strict rules and standards for protecting customer data, such as hospitals and banks.  New solutions are being built to ensure compliance in highly regulated use cases such as for automated identity verification. For example, Berlin based bank Solaris used a regtech solution from IDNow⁸ to ensure compliance with various cross-geographic regulations about automatic identity verification and to enhance its  customer onboarding process.

The potential of using digital for regulation is limitless. For example, there can be a system in place for ‘Regulations as a Platform’  (more details in our upcoming publication) which would enable entities to release regulations in a machine readable format (such as, JSON/XML). A potential use case of such a solution is to enable modification of tax rates or tariffs in real-time for all merchants across a country or even region, and avoid the hassle of merchants adjusting their respective systems and ensure compliance according to the latest regulations.