Dubai International Financial Centre
Law: DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law')
Regulator: The Commissioner of Data Protection
Summary: The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters.
On 21 May 2020, the Data Protection Law was enacted in the DIFC, and it came into effect on 1 July 2020, together with the Data Protection Regulations 2020 ('the 2020 Regulations'). The Data Protection Law introduces requirements for data protection officer appointments, data protection impact assessments, and the right to data portability. As such, the Data Protection Law will move the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Data Protection Law became enforceable from 1 October 2020.
Notably, the DIFC Authority ('DIFCA') launched a public consultation on proposed amendments to the 2020 Regulations, ending on 17 May 2023, aiming to provide the means for better, safer, and more ethical management of data processing. In particular, the proposed amendments provide for new provisions regarding:
- controller and processor obligations with regard to data breach incidents;
- controller and processor obligations in connection with use of personal data for digital communications and services;
- controller and processor obligations regarding controls and safeguards in connection with the use of digital enablement technology systems, including artificial intelligence ('AI') systems; and
- concepts for organisations to incorporate Privacy by Design or by Default into generative, machine learning, or similar systems, which include fairness, ensuring ethical practices, transparency, security, and accountability.