New DIFC Data Protection Law to come into force on 1 July

Sheikh Mohammed bin Rashid Al Maktoum, the Ruler of Dubai, enacted a new data protection law for the Dubai International Finance Centre (DIFC) on 1 June 2020. The new law, which will enhance the regulatory framework in the DIFC and align it with international standards, is to come into effect on 1 July.

The DIFC Data Protection Law No. 5 of 2020 was a product of long-term consultations and analysis of similar legislation, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). It also reflects the intention of the DIFC authorities to introduce a new data protection law that considers the specific needs of the DIFC, as well as the latest developments in technology.

The new law focuses on improvements to procedurals for notifications to the Commissioner of Data Protection, record-keeping and cross-border transfers of personal data. The system of special permits for cross-border data transfers outside DIFC have been removed in favour of data-sharing structures between government authorities. Punitive provisions, including penalties and administrative fines, have also been amended.

The scope of the new law extends to the processing of personal data in the context of the activities of a controller or processor operating or conducting business in or from the DIFC, regardless of whether the actual processing takes place in the DIFC or not. Some businesses will also be under a mandatory obligation to appoint a data protection officer (DPO) and compile data protection impact assessments where high risk processing activities are to take place.

Similar to the GDPR, both controllers and processors must be able to demonstrate compliance with the requirements of the new law and, in particular, processors must provide sufficient commitments to protecting personal data by entering into a legally binding contract with the controller.

Binding legal agreements that protect individuals and their personal data have also been introduced – for instance in the use of individuals’ data by entities that collect and manage personal data, when engaging with modern technologies such as blockchain and artificial intelligence.

DIFC governor Essa Kazim said: “DIFC continues to develop its robust regulatory ecosystem built on the principles of compliance, integrity and security. The enhanced Data Protection Law combines the best practices from world-class data protection laws. By setting out the regulation, DIFC also sets a clear requirement for all organisations to follow global best practice relating to data and privacy.”

The new law will replace the Data Protection Law DIFC Law No. 1 of 2007 when it comes into force on 1 July 2020. There will be a grace period of three months due to Covid-19 restrictions impacting businesses’ ability to prepare for compliance.

DIFC already had one of the most advanced data protection systems in the region. Implementation of the new legislation will strengthen the DIFC’s position as a leading financial centre in MENA region. If you have any concerns or would like further information, please contact Sovereign.

Contact Sovereign
Get in Touch

Please contact us if you have any questions or queries and your local representative will be in touch with you as soon as possible.