DIFC Data Protection Law in effect from 01 July covers AI and blockchain


In his capacity as the Ruler of Dubai His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, has enacted the Dubai International Financial Centre, DIFC, Data Protection Law No 5 of 2020. The promulgation of the Law enables the pre-eminent international financial hub in the Middle East, Africa and South Asia region to strengthen its leadership in enhancing data protection practices. The new law came into effect from 1 July 2020. The Data Protection Law further develops the current DIFC Data Protection regime which was already one of the most advanced in the region.

The Board of Directors of the DIFC Authority has also issued new Data Protection Regulations that set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data.

DIFC’s updated Data Protection Law and Regulations set out expectations for Controllers and Processors in the Centre regarding several key privacy and security principles. The Data Protection Law combines the best practices from a variety of current, world class data protection laws, such as the General Data Protection Regulation, the California Consumer Privacy Act and other forward-thinking, technology agnostic concepts.

The Data Protection Law combines the best practices from a variety of current, world class data protection laws

The requirements reflect the DIFC’s commitment to developing an enabling business ecosystem with robust regulatory and compliance guidelines for all organisations operating from the Centre. They will enable DIFC to continue to build upon the Centre’s reputation as a leading global financial centre focused on innovation and collaboration, whilst also promoting ethical data sharing. Importantly, the Data Protection Law and Regulations provide a framework that will support DIFC’s bid for adequacy recognition by the European Commission, the United Kingdom and other jurisdictions, easing data transfer compliance requirements for DIFC businesses.

In more detail, the changes legislate for accountability of Controllers and Processors through compliance programmes requirements, appointing data protection officers where necessary, conducting data protection impact assessments and imposing contractual obligations that protect individuals and their personal data.

Enhanced rights of individuals are clarified in terms of data usage by entities that collect and manage personal data, including contractual clarity of such rights when engaging with vendors of emerging technologies, such as Blockchain and Artificial Intelligence. Permit options for cross-border data transfers and special category personal data processing have been removed. The Data Protection Law and Regulations include appropriate data sharing structures between government authorities, which represent a key step forward in data sharing standards within the UAE and the region.

General fines for serious breaches of the Data Protection Law, in addition to or instead of administrative fines, as well as increased maximum fine limits, have been introduced.

In light of the current global pandemic, while the Data Protection Law will be effective from 1 July 2020, businesses to which it applies will have a grace period of three months, until 1 October 2020, to prepare to comply with it, after which it becomes enforceable.