UAE Dubai: DIFC Data Protection Law 2020

Dubai’s International Financial Centre, the world class financial hub and free zone established in 2004, has an updated data protection law (“Updated Law”).  The Updated Law builds upon the DIFC’s 2007 data protection law (“Old Data Protection Law”) and now includes concepts from the EU’s GDPR, as well as other laws from around the world, notably the California Consumer Privacy Act.  It also introduces some other concepts that factor in the anticipated uptake of artificial intelligence.

The Updated Law is a much anticipated step in the evolution of the data protection landscape in the Gulf Co-operation Council (“GCC”) landscape.  It may also be heralding the introduction of  a national data protection law in the UAE, something which has reportedly been under consideration for some time now.  In the event that  a national law is published, it is hoped that it will be compatible with the DIFC’s Updated Law, which certainly raises the bar significantly for similar legislation across the region.

Although the Updated Law  will come into effect from 1 July 2020,  affected businesses will have a transition period of three months, until 1 October 2020. This gives affected businesses a very short time frame in which to consider the Updated Law and implement any required changes to their regulatory compliance program, particularly for those DIFC businesses that do not already have a GDPR compliant framework.  Businesses located in the DIFC, or even those outside the DIFC processing personal data within the DIFC, should take immediate steps to consider their exposure to the Updated Law, and conduct a gap analysis regarding their compliance before taking the necessary measures to meet the enhanced obligations.

What are the key changes?

For those familiar with the GDPR many of the key changes will not be surprising. These include:

  • provisions regarding the applicability of the Updated Law. Whilst under the Old Data Protection Law there was only a broad statement that the rules applied “in the jurisdiction of the DIFC”, Article 6 (3) of the Updated Law states that the law applies to:
  1. controllers and processors incorporated in the DIFC, regardless of whether the processing takes place within the DIFC;
  2. controller or processors, regardless of their place of incorporation, that processes personal data in the DIFC as part of stable arrangements, other than on an occasional basis.

Subparagraph (c) of article 6(3) notes that processing occurs “in the DIFC” when the means or personnel used to conduct the processing activity are physically located in the DIFC, and  processing “outside the DIFC” is to be interpreted accordingly.

This latter clarification appears to be a half-way house of extraterritorial application, meaning that non-DIFC entities may still be covered by the Updated Law where their people physically process data within the DIFC, or use systems located within the DIFC.  It remains to be seen how this will apply in practice.

  • heightened obligations with regards to the information which must be provided to data subjects with regards to the processing of their personal data, as per Part 5 of the Updated Law;
  • a requirement to appoint a data protection officer (“DPO”) where a controller or processor performs “High Risk Processing Activities” (as defined within the Updated Law) on a systematic or regular basis. Even in the event that a controller or processor is not required to appoint a DPO, it must clearly allocate responsibility for oversight and compliance with respect to data protection duties and obligations under the Updated Law (or “any other applicable data protection law”) within its organisation and be able to provide details of the persons with such responsibility to the DIFC Data Protection Commissioner (“Commissioner”) upon request. There are detailed requirements set out with regards to the appointment of the DPO under the Updated Law, including with regards to his or her: independence, ability to perform the tasks required and access to senior management;
  • a requirement for data controllers to produce a Record of Processing Activities (“ROPA”) which meets the specific requirements set out under Article 15 of the Updated Law;
  • a requirement to conduct a data protection impact assessment (“DPIA”) in relation to “High Risk Processing Activities”, as per Article 20 of the Updated Law;
  • the introduction of a concept of joint controllership, with an obligation for joint controllers to put in place a legally binding written agreement which defines their respective responsibilities for ensuring compliance with the obligations under the Updated Law (as per Part 3A of the Updated Law), similar to that which is set out under Article 26 GDPR;
  • an express obligation to ensure that where a controller is offering online services through a platform, that the default privacy preferences of the platform must be set such that no more than the minimum personal data necessary to deliver or receive the relevant services is obtained or collected, and a data subject should be:
  1. prompted to actively select his privacy preferences on first use; and
  2. able to easily change such preferences.
  • increased clarity around the exercise of the rights of data subjects, as well as the introduction of the express right to withdraw consent and the right to data portability;
  • enhanced breach notification requirements, including an obligation placed upon controllers to notify the Commissioner “as soon as reasonably possible” in the event of a Personal Data Breach (as defined therein) as well as specific content requirements applicable to such notifications;
  • a requirement for controllers to enter into a legally binding agreement with each of their processors which meet a set of carefully defined conditions, comparable to those set out under Article 28 GDPR;
  • the removal of the option to apply to the Commissioner for permission to make cross-border data transfers. Cross-border transfers will now only be permitted to: (a) certain countries,; (b) one (1) or more specified sectors within certain countries; or (c) International Organisations (as defined within Updated Law), which have been deemed to provide an adequate level of protection by the Commissioner; where “appropriate safeguards” (defined under Article 27(2) of the Updated Law) are in place; or where one of the derogations set out under Article 27(3) applies;
  • the removal of the option to apply to the Commissioner for permission in respect of the processing of “Special Category Personal Data”  (i.e. Personal data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person). Special Category Personal Data may now only be processed where one or more of the specific legal bases for processing set out under Article 11 of the Updated Law are met; and
  • the Commissioner now has the power to:
  1. issue fines for breaches of specific articles under the Updated Law. The fines range from USD 25,000 to USD 100,000 in respect of each infringement. Under the Old Data Protection Law the fines ranged from USD 5000 to USD 25,000. Whereas under the Old Data Protection Law there were only nine specific fines, there are now a total of 35 under the Updated Law; and
  2. issue general fines for a contravention of the Updated Law in an amount he considers “appropriate and proportionate, taking into account the seriousness of the contravention and the risk of actual harm to any relevant data subject”.

EU Adequacy

The revamp is a key part of the DIFC’s strategy to provide a regulatory framework that will support its bid for adequacy status with the European Commission, which would mean that personal data may be transferred in and out the DIFC as if it were a jurisdiction located within the European Union. The clear advantage of this is that it would reduce friction in business dealings between entities located within Europe and those located within the DIFC, further supporting the DIFC’s ambition to grow its international standing as a global financial hub. The process for seeking adequacy is lengthy, requiring a proposal from the European Commission, an opinion from the European Data Protection Board and approval from the representatives of EU countries.  During this process there will likely be considerations around granting such status to an economic free zone, which would represent the first instance in which the European Commission had done so.

New Data Protection Regulations

In its statement, the DIFC announced that it has also issued a new set of Data Protection Regulations that “set out the requirements for notification to the Commissioner of Data Protection, accountability, record-keeping, fines and adequate jurisdictions for cross-border transfers of personal data”. These however do not appear to be available at the date of writing. We will continue to monitor for release of these Regulations.

What should you do next?

For DIFC businesses which already have a data protection compliance program in place, the introduction of the Updated  Law should trigger a review and modification of those compliance measures. Given the similarities between the Updated Law and the GDPR, groups with DIFC entities  which have a GDPR compliance program in place could leverage off their existing GDPR program, whilst bearing in mind the differences that do exist between the two regimes.

For entities which do not have  a GDPR compliance program that can be easily leveraged,  those non-DIFC based entities that may work in the DIFC as part of a stable arrangement and have staff processing personal data within the DIFC, or entities that may use means within the DIFC to process personal data, an assessment of their data processing activities must be made as soon as possible, and compliance gaps resolved.  These will likely include:

  • creating a ROPA;
  • ensuring that DPIAs are undertaken, where necessary;
  • issuing privacy notices which meet the requirements set out under Part 5 of the Updated Law, both in respect of their employees and their customers;
  • reviewing supplier arrangements to ensure that a suitable data processing agreement is in place;
  • reviewing any international transfers of personal data to ensure that those are being made in line with the Updated Law;
  • ensuring that a data breach or security incident policy is in place and operationalised;
  • ensuring that adequate technical and organisational measures are in place to protect any personal data which the organisation holds; and
  • ensuring that processes are in place which enable data subjects to exercise their data subject rights under the Updated Law.

DLA Piper’s Middle East Data Protection team has in depth experience in assisting regional and international businesses with their compliance requirements, including compliance with the GDPR, DIFC and ADGM’s data protection laws, and laws around GCC region, including the data protection laws of Bahrain and Qatar.

If you would like to discuss any element of the changes to the DIFC’s updated data protection law, or your business’s data protection requirements through the GCC, please contact:

Eamon Holley (Partner)

Alex Mackay (Associate)