New DIFC Data Protection Law
The Dubai International Financial Centre (DIFC) has introduced a new data protection law, Data Protection Law No.5 of 2020 (New DP Law), which came into force on 1 July 2020.
Whilst the UAE does not have comprehensive data protection laws, the DIFC, one of the free zones based in the UAE, has had broad data protection laws since its inception in 2002.
The primary purpose of the New DP Law is to align the DIFC's data protection framework with international developments, including the General Data Protection Regulation (GDPR) and beyond.
Dubai, and the UAE as a whole, has become a top global business hub and alignment of the data protection law with international regulatory framework will serve to maintain and further build on this momentum.
The key points of the New DP Law are as follows:
Grace Period: It came into force on 1 July 2020 but introduces a grace period of 3 months (ending 1 October 2020), which affords businesses ample time to comply with the new regulations.
Extra-territorial Application for Processing: The processing of personal data within the DIFC, whether or not the entity is situated within the DIFC, will also be caught by the New DP Law. Hence, it will no longer be possible to sidestep the data protection rules by processing data outside the free zone.
Appoint Data Protection Officers: Under the New DP Law, certain activities have been categorised as "High Risk Processing Activities" - a non-exhaustive list of such activities has been published, although this information is purely guidance for now. Entities that engage in High Risk Processing Activities are required to carry out their data processing more cautiously and to conduct regular Data Protection Impact Assessments, which need to meet the minimum requirements set out by the New DP Law. Such businesses should also appoint a Data Protection Officer (DPO); a company that does not engage in such activities may still appoint a DPO if it chooses to. Failure to appoint a DPO can attract a maximum fine of USD 50,000.
Outsourcing Data Processing: DIFC-incorporated companies will now be required to enter into formal contracts with their outsourcing companies, with certain mandatory provisions. This requirement applies to all DIFC companies regardless of where the data processing actually takes place.
Data Transfers Outside DIFC-Approved List: Data transfers to jurisdictions outside the DIFC list of approved jurisdictions will no longer be permitted simply by obtaining a permit from the Data Commissioner. The DIFC has provided detailed guidance to help companies adopt appropriate safeguards when carrying out these data transfers.
Stricter Consent Requirements: In alignment with GDPR provisions, companies are now required to obtain a data subject's consent for each data processing purpose. The onus is on companies to ensure that these consents remain valid; consequently, generic consent provisions will no longer be valid, and such provisions should specify the intended use of the data.
Data Breaches and Penalties: Data breaches which result in a high risk to the rights and security of data subjects now need to be reported to the Data Commissioner and to the affected data subjects as soon as practicable. These new requirements seek to encourage better protection and safeguarding of data. The Data Commissioner is able to impose fines on data controllers and processors for more serious violations, and compensation may be payable directly to data subjects where the data subjects' rights have been violated. Penalties for administrative breaches can range from USD 20,000 to USD 100,000.
The above is a preliminary review only, and we will provide further insights in the coming months on the practical implications of the New DP Law. In the meantime, should you have any questions, please get in touch.