The Dubai International Financial Centre (DIFC) New DP Law

The Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020, or the New DP Law for short, is a comprehensive data privacy law that was passed in 2020. The New DP Law replaced the previous DIFC law No. 1 of 2007, and the law was updated in “an effort to ensure that the DIFC, a financial hub for the Middle East, Africa and South Asia, meets the standard of data protection required to receive an “adequacy” finding from the European Commission and the United Kingdom, meaning that companies may transfer EU/UK personal data to the DIFC without putting in place a transfer mechanism (such as Standard Contractual Clauses)”. To this end, the New DP Law sets forth guidelines that businesses and organizations within the DIFC must adhere to when collecting the personal information of data subjects within the country.

What is the scope and application of the New DP Law?

The New DP Law “applies to (i) the Processing of Personal Data by a Controller or Processor incorporated in the DIFC, regardless of whether the processing takes place in the DIFC or not; and (ii) a Controller or Processor, regardless of its place of incorporation, that processes Personal Data in the DIFC (i.e. when the means or personnel used to conduct the Processing activity are physically located in the DIFC) as part of a “stable arrangement”, other than on an occasional basis, and in the context of its processing activity in the DIFC”. The previous DIFC law No. 1 of 2007 applied solely to data processing activities that took place within the DIFC. As such, the New DP Law adds extraterritorial reach and applicability.

What are the requirements of business agencies under the New DP Law?

The New DP Law was drafted and passed to provide Emirati citizens with a level of data protection similar to that of the EU’s General Data Protection Regulation, or GDPR. As such, the New DP Law establishes the following requirements for data controllers:

What are the rights of data subjects under the New DP Law?

Under the New DP Law, data subjects within the UAE are granted a variety of rights in relation to their privacy and data protection. These rights include:

In terms of penalties for violating the law, data controllers who fail to comply are subject to monetary penalties ranging from $25,000 to $100,000 per violation, depending on the severity and scope of the violation. Furthermore, the New DP Law also grants data subjects a private right of action, allowing them to bring lawsuits against data controllers who violate their rights under the law. The New DP Law is enforced by the Commissioner of Data Protection, or the Commissioner for short. The Commissioner also has the authority to issue public demands to data controllers who violate the law, as well as monetary penalties greater than those outlined by the law, at their sole discretion.

The New DP Law is unique in that it was passed largely in the context of protecting the personal information that is collected and processed within Dubai’s International Financial Centre. This, coupled with the lack of overall data protection legislation within the Middle East, places the New DP Law in a class of its own in many respects. Despite this, the New DP Law was written in a manner that is similar to that of the EU’s General Data Protection Regulation, or GDPR. In this way, the New DP Law is similar to other data privacy laws around the world, as the overall objective is to protect the data privacy rights of Emirati citizens.
