The Dubai International Financial Centre (‘DIFC’) announced, on 18 June 2019, that it had launched a public consultation on a draft data protection law (‘the Draft Law’) to replace the Data Protection Law, DIFC Law No. 1 of 2007. In particular, the Draft Law seeks to incorporate international data protection standards, including elements of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the California Consumer Privacy Act of 2018 (‘CCPA’), and seeks to expand the compliance framework to include, among other things, principles of accountability, data breach notification, and prior consultation.
Haroun Khwaja, Senior Associate at Al Tamimi & Company, told DataGuidance by OneTrust, “the intent is not for complete harmonisation of EU and DIFC data protection laws, but rather significantly bridging the gap. […] The Draft Law is based on concepts and principles found in the GDPR and the CCPA so as to more closely reflect international developments in the data protection sphere, whilst accounting for the unique circumstances of the DIFC as a free zone within mainland UAE. […] As for mainland UAE, it does not have a comprehensive modern data protection legislation yet [and so] it will be interesting to see what form the [mainland] ultimately takes and how transfers of data between the mainland and the various free zones (including DIFC) will be treated.”
In addition, the Draft Law provides for a data breach notification obligation for breaches which compromise a data subject’s confidentiality, security or privacy. Article 41 of the Draft Law states that breaches must be reported to the DIFC Commissioner of Data Protection, and personal data breaches which are ‘likely to result in a high risk’ must be reported to the data subject, in accordance with Article 42 of the Draft Law. Moreover, the Draft Law further highlights, under Article 42, that a data controller does not have to disclose a data breach if it would involve a ‘disproportionate effort’, similarly to Recital 62 of the GDPR.
Dino Wilkinson, Partner at Clyde & Co, told DataGuidance by OneTrust, “Data breach notification obligations are becoming commonplace in international legislation. The Draft Law […] recognises that notification to all affected persons may (in some cases) involve disproportionate effort. Companies complying with the Draft Law will be required to start taking into account the principles of data protection by default and by design, which should include mitigating the risk of data breach and implementing mechanisms that can help to ensure recovery and mitigation, should a breach occur. Such elements should also form part of the data protection impact assessment and prior consultation concepts introduced [in] Articles 20 and 21 [of the Draft Law].”
Furthermore, Article 11(1) of the Draft Law defines the situations in which special categories of personal data can be processed, which include processing for compliance with laws relating to anti-money laundering (‘AML’) or the prevention or detection of any crime that applies to a data controller, and for protecting members of the public against financial loss due to dishonesty, malpractice or other seriously improper conduct by persons in certain professions (such as banking, insurance, investment, and financial services).
Gordon Wade, Data Protection and Privacy Lawyer at PwC Middle East, told DataGuidance by OneTrust, “[t]he interplay of, for example, AML and data protection, is always a very interesting one – it can be compared to an almost tug-of-war at times. […] The information provision requirements under Articles 29 and 30 of the Draft Law could create tension with attempts […] to combat money laundering and terrorist financing. Having to inform individuals that their data is being processed for [AML or counter terrorist financing] reasons may have the unintended consequence of tipping them off. […] The proposed inclusion of AML reasons as a lawful ground to process special categories of data could create an interesting situation for DIFC organisations.”
Rhiannon Gibbs-Harris, Junior Privacy Analyst