Overview of DIFC Data Protection Law 2020
On May 21, 2020, the Ruler of Dubai Emirate, His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President & Prime Minister of the UAE, enacted the Dubai International Financial Centre Data Protection Law (DIFC Law No. 5 of 2020). This law repeals and replaces the previous Data Protection Law (DIFC Law No. 1 of 2007). The press release announcing the enactment of this law is available here.
With the enactment of this law, DIFC, the dominant financial centre in the Middle East, Africa, and South Asia (MEASA) region, has bolstered its reputation for improving data protection practices. The law lays down processes regarding accountability, record maintenance, general fines, the jurisdictions eligible for cross-border data transfers, notifications to the Data Protection Commissioner, and more.
Background
The DIFC Data Protection Law appears to be an amalgamation of various data protection laws from around the world, notably the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). With this law, DIFC seeks to consolidate its reputation as a global financial hub by strengthening a regulatory ecosystem based on security, integrity, and globally accepted compliance standards. The enactment gives businesses a clear direction to improve their data protection practices, and it lays down several obligations for data controllers and processors. The new DIFC Data Protection Law aims to:
- provide standards and controls for the processing and free movement of personal data by a controller or processor; and
- protect the fundamental rights of data subjects, including how such rights apply to the protection of personal data in emerging technologies.
This law applies to all companies registered with DIFC. Its scope also covers the processing of personal data by automated means, and other processing activities where the personal data forms, or is intended to form, part of a filing system.
Key changes brought in by the new DIFC Data Protection Law
This law makes significant changes to the previous Data Protection Law of 2007. Some of the key changes include:
1. Accountability: Controllers and processors are now required to demonstrate compliance with the Data Protection Law. One of the requirements is to maintain records of processing activities. Moreover, the law imposes direct compliance obligations on processors to ensure that the mandatory contractual requirements are fulfilled in their arrangements with controllers.
2. DPO: Companies involved in high risk processing activities must appoint a data protection officer. High risk processing covers processing activities which:
- involve the adoption of new or different technologies that increase the risk to data subjects or make it difficult for them to exercise their data protection rights;
- result in a high risk to data subjects when a large amount of personal data (including employee data and contractor data) is processed;
- include profiling along with systematic and extensive automated processing; or
- involve special categories of personal data, i.e., sensitive data, on a large scale.
3. DPIA: Before a data controller initiates any high risk processing activity, it is required to conduct a data protection impact assessment.
4. Privacy and consent: Companies will need to update their privacy notices to incorporate more information such as lawful grounds of processing, whether data will be transferred out of DIFC, and other information as specified in the Data Protection Law.
5. Data breach notification: Under this law, there will be a DIFC Commissioner of Data Protection. Controllers are under a legal obligation to notify the Commissioner if a data breach compromises the confidentiality, privacy, and security of any data subject. In addition, if the risk posed to a data subject by the breach is high, the affected data subject must also be informed.
6. Rights of data subjects: In addition to the rights already recognized under the previous law, the Data Protection Law recognizes the rights to data portability and to withdraw consent. The law also specifies a time limit within which a data subject access request must be responded to.
7. Fines and penalties: The Commissioner is empowered to issue fines to parties that violate the Data Protection Law or fail to comply with the direction(s) issued by the Commissioner. Both processors and controllers may be subject to maximum fines of up to $100,000. Additionally, they may be found liable by the DIFC courts to compensate individual data subjects. Not only can affected data subjects approach the relevant DIFC court, but the Commissioner can also bring an action on behalf of data subjects who have suffered material harm due to a data breach. There is no prescribed cap on compensation under other applicable laws.
Enactment
The new Data Protection Law came into force on July 01, 2020, and businesses have a grace period of three months to comply with its requirements. Until October 01, 2020, the previous law, i.e., the Data Protection Law (DIFC Law No. 1 of 2007), will remain in force.
For any questions related to DIFC Data Protection Law or other similar laws, feel free to write to us at [email protected].
An initial draft of this article was prepared by Sachet Sahni. With inputs from Raj Pagariya.