Out-Law News 1 min. read
DIFC data protection law update increases claims risk
15 Aug 2025, 10:35 am
Businesses that breach data protection law in the Dubai International Financial Centre (DIFC) can now be pursued in the courts for compensation after the law was updated on 8 July 2025.
Amendments to the DIFC’s data protection law took effect on 15 July and include changes providing for a new private right of action. The DIFC authority said the change enhances “the rights and remedies” available to data subjects in cases where their personal data is processed in breach of the data protection law.
The private right of action exists alongside existing complaint and regulatory enforcement mechanisms and provides individuals who suffer damage as a result of a breach of DIFC data protection rules with an entitlement to compensation for that damage. The concept of damage includes both “financial loss and damage not involving financial loss, such as distress”.
The updated law provides a framework for determining which entity or entities will be liable for damage caused by data processing – controllers will be primarily liable, but processors can be liable in certain circumstances, including if they process data in a way that goes beyond a controller’s “lawful instructions”.
The scope of the DIFC data protection regime has also been updated. The data protection law now applies to the processing of personal data by a controller or processor incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC or not, as well as to the processing of personal data in the DIFC by a controller or processor, or any of their sub-processors, regardless of its place of incorporation as part of stable arrangements, including transfers of personal data out of the DIFC.
The financial penalties that can be levied for certain breaches of the law have also been increased.
For example, businesses that breach Article 28 rules on data sharing with public authorities can now be fined up to $50,000. The previous fine for such a breach was $10,000. Failure to carry out a data protection impact assessment before undertaking data processing that constitutes ‘high risk’ processing will also now carry a higher penalty – $50,000 instead of $20,000.
The reforms follow a consultation on changes to the data protection regime in the DIFC that was published in February.
Data protection regulations sit alongside the amended data protection law in the DIFC. The DIFC’s data protection regime is just one set of data protection rules that businesses operating in the UAE may need to be familiar with.
Contact an adviser
