DIFC targets EU equivalence from new data protection law

Out-Law News | 03 Jun 2020 | 8:45 am | 1 min. read

Changes to data protection laws in the Dubai International Financial Centre (DIFC) will come into force on 1 July 2020, the Ruler of Dubai, His Highness Sheikh Mohammed bin Rashid Al Maktoum has announced.

DIFC Data Protection Law No. 5 of 2020 draws from international best practice, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act. It is accompanied by new regulations which take effect on the same date and cover data breach notification requirements, accountability, record keeping, fines and cross-border data transfers.

Financial services expert Marie Chowdhry of Pinsent Masons, the law firm behind Out-Law, said that the new law “seeks to provide a compelling backdrop for the DIFC to obtain ‘adequacy and equivalency recognition’ from the European Commission, the UK and other jurisdictions around the world”.

Chowdhry Marie August_2019

Marie Chowdhry

Senior Associate

If the changes to the law are seen to provide an adequate level of protection to data, then businesses operating in the DIFC will be able to transfer data into and out of the DIFC with much more ease.

“What this means in practice is that if the changes to the law are seen to provide an ‘adequate’ level of protection to data, which is recognised as being of an equivalent standard to the protections afforded in each of these jurisdictions, then businesses operating in the DIFC will be able to transfer data into and out of the DIFC with much more ease,” she said. “This is likely to eventually lead to lower compliance costs, provided they comply with the rules set out in the new DIFC Data Protection Law.”

“We understand the changes introduced through the new law are the culmination of over 18 months of hard work led by the DIFC Office of the Commissioner in collating feedback, consulting and analysing different data protection regimes worldwide. Although it will be effective from 1 July 2020, the DIFC Commissioner has acknowledged that in light of the current global pandemic, businesses to which it applies will have a grace period of three months, until 1 October 2020, to prepare to comply with it, after which it becomes enforceable,” she said.

The new law updates the principles by which personal data can be processed and increases the accountability of data controllers and processors including through data protection impact assessment obligations and compliance programmes for businesses and the requirement to appoint data protection officers in certain circumstances. The law also establishes new rights for data subjects, including in relation to accessing their personal data and data portability.

The law and regulations introduce new data sharing structures between government authorities and provide for contractual clarity around individuals’ rights over their personal data when engaging with vendors of emerging technologies such as artificial intelligence and blockchain. The new requirements are backed by general fines, in addition to or instead of administrative fines, for serious breaches of the law, as well as increased maximum fine limits.