DIFC data protection law requires business action

The new Data Protection Law, DIFC No. 5 of 2020 (the DP Law), comes into force on 1 July 2020 and replaces DIFC Law No.1 of 2007. Businesses subject to the legislation have until 1 October 2020 to bring their organisations into compliance with the new requirements, which include expanded rules on the processing of personal data, new rights for data subjects, and notification of data breaches.

A new law with global business in mind

The new DP Law has been aligned with data protection regimes elsewhere in the world, including the GDPR in the EU and the California Consumer Privacy Act. It is to be hoped that the adoption of international data privacy concepts will lead authorities in other territories to recognise the DIFC as providing sufficient regulatory protection for personal data to allow the transfer of that data transfers in and out of the DIFC with relative ease.

The DIFC commissioner of data protection (the commissioner) has published a number of guides to assist firms with their implementation of the new requirements. These are not binding and do not have the force of law, but instead are indicative of the approach the commissioner will take to enforcement. Supporting regulations have still to be published.

This update picks up on some of the new developments in the data protection regime in the DIFC and highlights the need for businesses to become aware of their new compliance requirements as soon as possible in order to give ample time to prepare for the 1 October 2020 deadline.

Effect on non-DIFC businesses

The DP Law applies to:

• all businesses incorporated in the DIFC who are processing personal data, regardless of where the personal data is being processed; and
• any business which processes personal data in the DIFC as part of "stable arrangements", rather than just on occasion, regardless of the business' place of incorporation.

In this context, "in the DIFC" means when the personnel used to conduct the processing or the means of doing so are physically located in the DIFC.

This means that payroll providers, cloud software providers and other suppliers will need to be aware of their obligations under the DP Law. Non-compliance could lead to the enforcement of fines, and damages imposed by the DIFC courts may be sought through the UAE court system.  

Higher penalties for non-compliance

The commissioner has the power to issue fines for contraventions of the DP Law which may be enforced through the courts if businesses fail to pay. In addition, a data subject may apply to the court for compensation if they suffer damage as a result of a breach of the DP Law.

The maximum fines that can be imposed has increased under the new DP Law.

For example, failure to:

• notify the commissioner of an unauthorised data intrusion has increased from $5,000 to $50,000;
• implement and maintain technical and organisational measures to protect personal data has increased from $10,000 to $50,000; and
• maintain records of processing has increased from $5,000 to $25,000;

In addition, the new DP Law expands the range of offences for which fines can be issued. Fines of up to $100,000 can be imposed for failure to comply with the following:

• data subject rights of access, rectification and erasure of personal data;
• new requirements relating to data portability; and
• the new right of a data subject to object to any decision based solely on automated processing, including profiling, which produces legal or other seriously impactful consequences.

The commissioner also has the power to inspect and audit businesses subject to the DP Law to verify compliance.

Personal data

Personal data is any information referring to an identified or identifiable natural person.

Identified or Identifiable means, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to an individual's biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.

The references to "location data" and "online identifier" in the definition are new and similar to wording in the EU GDPR. Online identifiers can include IP addresses or cookie identifiers. Not all location data will be considered personal data for the purposes of the DP Law; it will depend on the context. However, the broader definition of personal data is likely to capture data not previously considered to subject to the DIFC's data privacy regime.

Rights of data subjects

The DP Law largely mirrors the rights granted to data subjects in the EU GDPR. Data subjects have various rights including the right to request copies of their personal data at any time, the right to rectify data and the right to withdraw consent and request erasure of their personal data. 

Data protection officers

A business conducting "high risk processing activities" has additional compliance requirements under the new DP Law, including an obligation to appoint a data protection officer (DPO). DPOs are responsible for monitoring compliance with the DP Law and other applicable privacy laws, and to act as a contact point for the commissioner as well as oversee all data protection impact assessments the business undertakes. The contact details of the DPO must be given to data subjects when collecting their personal data.

A DPO is permitted to hold other roles or titles within the business provided those additional tasks and duties do not result in a conflict of interest or otherwise prevent the proper performance of the DPO role. The role of DPO can also be outsourced to an external party provided they have access to all relevant resources.

Generally, the DP Law requires the DPO to be resident in the UAE. However, if the person is an individual employed by a group of members and performs a similar function for the group on an international basis elsewhere, the residency requirement does not apply. In such cases, the DPO must be easily accessible to each member in the group. 

The DPO is required to complete an annual assessment and submit that assessment to the commissioner. This is not intended to be an onerous obligation and will be integrated into existing DIFC compliance and reporting cycles.

The definition of 'high risk processing activities' pools together certain types of processing activity and includes:

• processing that includes the adoption of new or different technologies or methods which increase the risk to the security or rights of a data subject or renders it more difficult for a data subject to exercise its rights;
• processing a large amount of personal data, including staff and contractor personal data, where such processing is likely to result in a high risk to the data subject;
• systematic and extensive automated processing, including profiling, with significant effects; or
• processing a material amount of sensitive data (referred to as "special categories of personal data").

The commissioner has published comprehensive guidance and a list of activities that are considered to be 'high risk processing activities'. Although this guidance is comprehensive, it will often be a judgment call as to whether certain activities fall within the definition. Businesses should regularly assess whether their processing activities would be considered 'high risk' and stay on top of any updates issued by the commissioner.

Failure to appoint a DPO when required or requested to do so may result in a fine of up to $50,000.

Breach notifications

Breach notifications to the commissioner

Under the DP Law, businesses are required to notify certain personal data breaches to the commissioner and sometimes to data subjects too.

A "personal data breach" is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In cases where a personal data breach compromises a data subject's right to security or confidentiality, then expeditious notifications are required. 

Examples of personal data breaches could include the infiltration of an IT system by a virus or third parties, an employee leaking information to third parties, incorrect use of email, or where laptops or devices are stolen or lost. This is a much wider definition than the previous DIFC data privacy regime which merely required notifications to the commissioner in the event of an "unauthorised intrusion" to a personal data "database".

The new DP Law does not include any 'de minimus' limits for which a report must be made, so a strict technical interpretation of the requirements suggests that any breach, however small, would trigger a notification requirement to the commissioner. In this respect the data breach notification obligations are different from those set out in the GDPR.

Any business that processes information on behalf of a "controller" – this being any person who determines the purposes and means of processing personal data – must notify the controller of the personal data breach "without undue delay". A controller must notify the commissioner of the breach "as soon as reasonably practicable". Failure to so notify may result in a fine of up to $50,000 on either or both of the controller and processor.

As well as including details of the number of data subjects affected and the likely consequences of the data breach, the controller's notification to the commissioner must also include details of measures taken or proposed to be taken to mitigate the adverse affects of the personal data breach. While businesses will be expected to make an initial notification of their breach to the commissioner, the DP Law provides leeway for businesses to report further details of the breach in stages thereafter as more information becomes available.

Breach notifications to data subject

A new requirement to notify data subjects has also been introduced in line with the requirements in the GDPR. Notification is required if it is "likely to result in high risk to the security or rights" of the data subject. A controller must make such notification as soon as practicable. However, if there is an "immediate risk of danger", such notification must be made promptly.

The DP Law also contains a derogation which means that where a notification to an affected data subject could involve a disproportionate effort, a public communication or similar measure will be sufficient to satisfy the new provisions.

Failure to notify in accordance with these requirements can result in a fine of up to $50,000. A data subject can also apply to the court for compensation or damages where they have suffered loss as a result of the failure to notify.

Written agreements required for processors

Where services involving the processing of personal data are provided by other parties, contracts must contain much more robust contractual provisions. If the service provider appoints another company to carry out such services, then they must obtain the consent of the controller and the sub-contract must also contain similar robust contractual provisions. 

Such contractual provisions must include commitments to:

• process the personal data following documented instructions from the controller;
• permit and assist with audits and inspections and make certain information available upon request by the commissioner, the counterparty or an auditor;
• ensure that all persons authorised to process personal data are under legally binding written agreements or duties of confidentiality;
• keep a program that demonstrates compliance with the DP Law; and
• provide appropriate technical and organisational measures to meet the controller's obligation to respond to requests from data subjects.

Provision is made in the DP Law for the commissioner to publish standard contractual provisions for businesses to use in their contracts.

Failure to ensure that such contracts are in place with all relevant processors of personal data may result in a fine of up to $25,000.

Immediate actions for businesses

Responsibility for meeting the new requirements of the DP Law cannot be left solely to legal and compliance teams. Instead, compliance with data privacy obligations requires everyone in an organisation to understand their role and responsibility to keep data safe and secure.

There are a number of actions businesses should consider between now and 1 October 2020 to ensure they are prepared for and compliant with the new DP Law:

• review your current and future planned processing activities to identify what personal data you collect and ensure that it is being processed in accordance with a legitimate reason,including that it is relevant, accurate and being processed for the specific purpose for which it was collected and that all justifications for processing such data, including data subject consents, where relevant, remain valid;
• populate registers of processing activities that record personal data use;
• update privacy notices and customer facing terms and conditions to address the changes in the new DP Law – this will include alerting customers to their new data subject rights;
• review and remediate your existing controller / processor contractual arrangements – putting contracts into place with processors that contain the mandatory provisions as required by the DP Law;
• evaluate whether you are conducting 'high risk processing activities' and consider appointing a DPO;
• review the terms of your employment contracts;
• implement new data breach procedures to ensure that notifications are made to the commissioner and data subject, as required, in a timely manner in accordance with the DP Law;
• establish processes for dealing with data subject requests within the time required; and
• raise internal awareness of new requirements.

Additional contributions from Charlotte Holden of Pinsent Masons.