
Trowers Tech News - October 2025


Saleem Adam, Partner; Alex Ford-Cox, Senior Associate; and Xin Yi Yu, Associate.

Privacy Compliance - the GCC and Beyond: Navigating Emerging Rules and Regulatory Divergence

The data privacy regulatory landscape across Southeast Asia and the Gulf Cooperation Council (GCC) is experiencing significant development.

The Malaysian Personal Data Protection Act 2010 (MY PDPA) – the primary legislation governing personal data in Malaysia – was recently subject to significant reforms through the Personal Data Protection (Amendment) Bill 2024, which introduced provisions addressing the mandatory appointment of data protection officers; mandatory data breach notification requirements; a new data portability right; direct legal obligations for data processors; and enhanced penalties for non-compliance with the MY PDPA. These amendments were followed by the release of a suite of supplementary regulatory instruments and updates and we expect more regulatory activity to follow in Q4 of 2025 and beyond.

These recent regulatory developments illustrate a growing global trend toward robust data privacy standards, often inspired by the EU GDPR. Notably, GCC frameworks in UAE free zones (i.e. the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), each of which has its own set of data privacy regulations) closely resemble GDPR-style regulation.

Despite GDPR influences, data privacy requirements remain localised and adapted to national contexts and expectations, and while key compliance alignments exist in part, key divergences should not be ignored. For example, Malaysian data privacy requirements provide that data transfer impact assessments shall be refreshed every three (3) years, a requirement that is not mirrored in the GDPR; the compliance requirements and timelines for data subject access rights in ADGM and under the MY PDPA also vary; and Bahrain data privacy laws require notifications to be made to the Bahrain Personal Data Protection Authority in respect of most "automated processing operations", in contrast with the more limited data controller registration requirements administered by the Malaysian Personal Data Protection Department. These distinctions highlight the necessity for bespoke multinational privacy strategies rather than one-size-fits-all solutions, an undertaking that is made more complex when considering the interplay between data privacy requirements and wider regulatory considerations (including data localisation requirements, sector-specific regulatory obligations, and extraterritorial regulatory application).




Dubai International Financial Centre introduces data subject rights of private action and enhanced regulator penalties

The Dubai International Financial Centre (DIFC), which administers its own set of data protection legislation separate to the data protection legislation applicable in respect of on-shore UAE, announced the publication of a suite of amendments to its Data Protection Law (DIFC Law No. 5 of 2020) (DIFC DPL). Of these amendments, which came into effect on 15 July 2025, the key amendment that controllers and processors subject to the DIFC DPL should note is the introduction of a new right of private action, which enables data subjects to apply to courts to seek compensation from controllers / processors (as applicable) for damage (which may be financial or non-financial) resulting from the controller / processor's contravention of the DIFC DPL. Additionally, processors may also be liable for damage caused by the processor acting outside / contrary to the controller's lawful instructions.

These changes, which sit alongside enhanced regulatory penalties introduced under the same set of amendments (e.g. for failure to perform data protection impact assessments for high-risk processing activities), increase the regulatory and enforcement risk exposure for controllers / processors subject to the DIFC DPL. While the practical uptake of the rights of private action remains to be observed, affected controllers and processors are advised to review their internal processes and procedures in light of these changes and ensure due compliance with the DIFC DPL requirements.


 

Abu Dhabi Global Market expands conditions for processing special categories of personal data under "Substantial Public Interest" grounds

The Abu Dhabi Global Market (ADGM), like the DIFC, administers its own set of data protection legislation separate to the data protection legislation applicable in respect of on-shore UAE, the primary legislation being the Data Protection Regulations 2021 (ADGM DPR). Under the ADGM DPR, the processing of special categories of personal data (which are similar in scope to the GDPR equivalent) is generally prohibited unless a prescribed basis under the ADGM DPR applies (e.g. the data subject's explicit consent is obtained; processing is necessary for reasons of substantial public interest, etc.).

On 9 September 2025, the Data Protection Regulations (Substantial Public Interest Conditions) Rules 2025 (Rules) were published, introducing additional conditions under which special categories of personal data may be processed pursuant to the "substantial public interest" ground under the ADGM DPR. These additional conditions expressly capture instances where the processing is necessary for:

(i) an insurance-related purpose (e.g. advising on or administering insurance contracts); or
(ii) safeguarding children and individuals at risk (e.g. protecting the physical, mental or emotional well-being of an individual),

and will apply subject to the prescribed caveats / conditions under the Rules.

While we expect the Rules to be welcomed by the insurance sector in particular, entities that process special categories of personal data more generally are still advised to consider the impact of these changes on any existing internal frameworks adopted for managing the processing of special categories of personal data and to incorporate the additional condition relating to individuals at risk / children accordingly.