Dubai: DIFC- ‘New Data Protection Law’

Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, in his capacity as Ruler of Dubai, has recently enacted the Dubai International Financial Centre (hereinafter referred to as “DIFC”) Data Protection Law No. 5 of 2020 (hereinafter referred to as “DPL 2020”), that will come into effect from 1 July 2020.
The DPL 2020 is stated combine the best practices from a variety of current, world class data protection laws, such as the General Data Protection Regulation (hereinafter referred to as “GDPR”), the California Consumer Privacy Act and other forward-thinking, technology agnostic concepts.

Background

The processing of personal data in the DIFC is governed by the Data Protection Law 2007 DIFC Law No. 1 of 2007 (hereinafter referred to as ‘the DIFC Law’).The DIFC Law applies to any entity registered to carry out business in the DIFC, or any relevant individual where a partnership or sole trader holds the registration.

The Data Protection Law and Regulations include appropriate data sharing structures between government authorities, which represent a key step forward in data sharing standards within the UAE and the region. General fines for serious breaches of the Data Protection Law, in addition to or instead of administrative fines, as well as increased maximum fine limits, have been introduced.

The DIFC law was subsequently amended by DIFC Law No. 5 of 2012 Data Protection Law Amendment Law (hereinafter referred to as “DPAL”). In addition, under the powers granted to the Commissioner of Data Protection under Article 28 of the DIFC Law, the Commissioner has issued the Data Protection Regulations (hereinafter referred to as “DPR”).

The current law, Data Protection Law DIFC Law, will remain in effect until 1 July 2020.

The New Law

The DPL 2020 replaces the existing DIFC data protection law and brings the DIFC more closely into-line with internationally-accepted data protection laws, such as the GDPR and other similar laws. The law will supplement data protection compliance for DIFC businesses which are already subject to such laws, and for those that are not, it will provide a solid foundation for ethical data management in an advancing tech environment.

Key Changes

Key changes include direct obligations on data processors, enhanced provisions dealing with processing on the basis of consent and legitimate interests, and enhanced accountability requirements. The DPL 2020 also imposes obligations on controllers and processors to appoint a data protection officer if certain criteria are met as well as enhanced obligations where a controller appoints a processor. It brings new clarification regarding international transfers and removal of the permit-to-transfer process under the previous law.

The changes legislate for accountability of Controllers and Processors through compliance programmes requirements, appointing data protection officers where necessary, conducting data protection impact assessments and imposing contractual obligations that protect individuals and their personal data. Enhanced rights of individuals are clarified in terms of data usage by entities that collect and manage personal data, including contractual clarity of such rights when engaging with vendors of emerging technologies, such as Blockchain and Artificial Intelligence (hereinafter referred to as “AI”). Permit options for cross-border data transfers and special category personal data processing have been removed. The Data Protection Law and Regulations include appropriate data sharing structures between government authorities, which represent a key step forward in data sharing standards within the UAE and the region. General fines for serious breaches of the Data Protection Law, in addition to or instead of administrative fines, as well as increased maximum fine limits, have been introduced.

DATA PROTECTION REGULATIONS

The Board of Directors of the DIFC Authority has also issued new Data Protection Regulations (hereinafter referred to as “DPR2020”) that set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data.

DIFC’s updated Data Protection Law and Regulations set out expectations for Controllers and Processors in the Centre regarding several key privacy and security principles. The requirements reflect the DIFC’s commitment to developing an enabling business ecosystem with robust regulatory and compliance guidelines for all organisations operating from the Centre. They will enable DIFC to continue to build upon the Centre’s reputation as a leading global financial centre focused on innovation and collaboration, whilst also promoting ethical data sharing. Importantly, the Data Protection Law and Regulations provide a framework that will support DIFC’s bid for adequacy recognition by the European Commission, the United Kingdom and other jurisdictions, easing data transfer compliance requirements for DIFC businesses.