DIFC Data Protection Law



Following a series of consultations, the Dubai International Financial Centre (DIFC) has issued Data Protection Law No.5 of 2020 (DPL), which increases privacy compliance requirements for businesses operating or conducting business in or from the DIFC.

The DPL will come into effect from 1 July 2020; however, affected businesses have been granted until 1 October 2020 to undertake the necessary compliance measures in respect of the requirements of this new law.

The DPL has been designed to update the DIFC’s existing Data Protection regime, first enacted in 2007, to reflect ongoing changes across the current global data protection landscape captured in the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Guide to the new Provisions:

The DPL introduces a range of new concepts and obligations that businesses based in the DIFC need to be aware of. We have summarised these in a quick A-Z guide below:

  • Application: The DPL now extends to the processing of personal data by organisations operating or conducting business in or from the DIFC, regardless of where the actual processing takes place and whether the business processing personal data is incorporated in the DIFC. Therefore, businesses conducting activities within the DIFC can no longer seek to avoid the reach of these obligations by processing personal data outside of the DIFC;
  • Breaches: For those businesses registered as a ‘Data Controller’ with the DIFC Data Protection Commissioner (Commissioner), the DPL may require that they notify both the Commissioner and any affected individuals in the event of a breach or if any personal data they hold is compromised. Certain time restrictions have been placed on such notification requirements and fines may be imposed for any failure to notify, when required;
  • Business Accountability: Those organisations that undertake ‘high risk processing’ (e.g. large-scale processing of sensitive personal data, or processing using Blockchain, A.I., machine learning or other emerging technologies) may need to appoint a Data Protection Officer (DPO), in line with certain specific conditions and requirements of the DPL;
  • Consent: Stricter rules have been put in place around the circumstances in which the consent of an individual can be relied upon as a ground for processing personal data;
  • Data Processors: Compliance obligations under the DPL have been extended, with those businesses conducting data processing now also being held directly accountable by the Commissioner for any activities they undertake in breach of the DPL;
  • Data Subjects: Broader rights have been granted to individuals with respect to their personal data, including a new ‘non-discrimination right’;
  • Export: The transfer of personal data to certain jurisdictions outside the DIFC that are deemed ‘non-adequate countries’ is now permitted, provided certain safeguards are put in place with respect to the transfer (in a similar vein to the GDPR with non-EU based transfers);
  • Governance: Businesses conducting certain high-risk processing activities may now be required to undertake a ‘data protection impact assessment’ (DPIA) in a prescribed format prior to the activity. Businesses will also need to keep detailed records of the personal data they process in a designated register, a full record of each DPIA and should maintain data protection policies designed to ensure compliance with the DPL;
  • Privacy Notices: These are now required to set out additional information in a concise and transparent form, including the lawful basis relied upon to process an individual’s personal data and the name(s) of those third parties to whom personal data may be transferred;
  • Outsourcing: Businesses to whom data processing activities have been outsourced must provide sufficient commitments to protecting personal data. This should be done by entering into a suitably drafted legally binding contract with the relevant business whose data they are handling; and
  • $$$ - Fines: The maximum fine for an administrative breach under the DPL is equivalent to USD 100,000. However, the Commissioner retains discretion to issue larger fines for more serious contraventions and has commented that further regulations concerning fines may be issued. Businesses should also be aware that individuals may seek to claim compensation for individual breaches of their rights under the DPL by bringing legal proceedings before the DIFC courts.

Practical Compliance Steps – Here to Help:

Businesses will need to understand how they currently use and process personal data; update existing contracts with third parties, privacy notices and interactions with customers; and think about employee awareness around the handling of personal data.

The grace period afforded by the DPL means that businesses have just under 4 months from now to prepare for compliance. Should you wish to receive further updates and insights on the impact and application of the DPL, how it may affect your business and information on how we can help, please feel free to get in touch with our Middle East Data Protection Team of Rob Flaws and Dan Hope.