The Dubai International Financial Centre (DIFC) New DP Law
The Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020 or the New DP Law for short is a comprehensive data privacy law that was passed in 2020. The New DP Law replaced the previous DIFC law No. 1 of 2007, and the law was updated in “ an effort to ensure that the DIFC, a financial hub for the Middle East, Africa and South Asia, meets the standard of data protection required to receive an “adequacy” finding from the European Commission and the United Kingdom, meaning that companies may transfer EU/UK personal data to the DIFC without putting in place a transfer mechanism (such as Standard Contractual Clauses)”. To this end, the New DP Law sets forth a guideline that businesses and organizations within the DIFC must adhere to when collecting the personal information of data subjects within the country.
What is the scope and application of the New DP Law?
The New DP Law, “applies to (i) the Processing of Personal Data by a Controller or Processor incorporated in the DIFC, regardless of whether the processing takes place in the DIFC or not; and (ii) a Controller or Processor, regardless of its place of incorporation, that processes Personal Data in the DIFC (i.e. when the means or personnel used to conduct the Processing activity are physically located in the DIFC) as part of a “stable arrangement”, other than on an occasional basis, and in the context of its processing activity in the DIFC”. Under the previous DIFC law No .1 of 2007, the scope and application applied solely to data processing activities that took place within the DIFC. As such, the New DP Law adds extraterritorial reach and applicability.
What are the requirements of business agencies under the New DP Law?
The New DP was drafted and passed to provide Emirati citizens with a similar level of data protection to that of the EU’s General Data Protection Regulation or GDPR. As such, the New DP Law establishes the following requirements for data controllers:
- Data controllers must process personal data in a manner that is both fair and lawful.
- Personal data must be processed for a specific, explicit, and legitimate purpose that is determined at the time of collection, on the basis of lawful grounds for legitimate data processing.
- Data controllers must keep the personal data of data subjects both accurate and up to date at all times, through the means of erasure or rectification when such processes are necessary, without undue delay.
- Data controllers are responsible for appointing a Data Protection Officer or DPO if they are engaged in high-risk data processing activities. This DPO must also reside within the UAE, unless they are an individual employed within the applicable organizations or businesses group, and subsequently perform a similar function for this organization or business on an international basis.
- Data controllers are required to maintain a written record, which can also be in electronic forms, of all data processing activities that are undertaken including the name and contact details of the data controller, the DPO, and joint controller if applicable, and the intended purpose for processing personal data, a description detailing the categories of data subjects and personal data will be collected from them, details of the recipients or third parties with whom the data will also be shared with, whether this is within the DIFC our with the outside world, the data retention techniques that will be used in regards to the data that is collected, and a description of the technical and organizational measures that will be implemented by the data controller to safeguard the data that is collected.
- Data controllers must ensure that data subjects are aware of the identity of the data controller and how data subjects can go about contacting or connecting with them, the purpose for the collection of data, and that consent is provided to the data subjects at the time that their data is collected, as well as any other third parties who the data controller will also share a data subjects data with.
- Data controllers must ensure that all personal data that is collected is both kept secure and protected from unlawful or unauthorized processing, damage, accidental loss, or destruction at all times.
What are the rights of data subjects under the New DP Law?
Under the New DP Law, data subjects within the UAE are granted a variety of rights in relation to their privacy and data protection. These rights include:
- The right to withdraw consent.
- The right access, rectification, and erasure of personal data.
- The right to object to data processing.
- The right to restrict the processing of personal data.
- The right to data portability.
- The right to automated individual decision-making, including profiling.
In terms of penalties for violating the law, data controllers who fail to meet compliance are subject to monetary penalties ranging from $25,000 to $100,000 per violation, depending on the severity and scope of said violation. Furthermore, the New DP Law also granted data subjects the right to bring private rights of action lawsuits against data controllers who violate their rights under the law. The New DP Law is enforced by the Commissioner of Data Protection or the Commissioner for short, and the Commissioner also has the authority to issue public demands to data controllers who violate the law, as well as monetary penalties greater than those outlined by the law at their sole discretion.
The New DP Law is unique in that it was passed largely in the context of protecting the personal information that is collected and processed within Dubai’s International Financial Centre. This, coupled with the lack of overall data protection legislation within the Middle East, places the New DP Law in a class of its own in many respects. Despite this, the New DP Law was written in a manner that is similar to that of the EU’s General Data Protection Regulation or GDPR. In this way, the New DP Law is similar to other data privacy laws around the world, as the overall objective is to protect the data privacy rights of Emirati citizens.