
Dubai International Financial Centre

Summary

Law: DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law')

Regulator: The Commissioner of Data Protection

Summary: The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters.

On 21 May 2020, the Data Protection Law was enacted in the DIFC and it came into effect on 1 July 2020 in addition to the Data Protection Regulations 2020 ('the 2020 Regulations'). The Data Protection Law introduces requirements for data protection officer appointments, data protection impact assessments, and the right to data portability. As such, the Data Protection Law will move the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Data Protection Law became enforceable from 1 October 2020.

Notably, the DIFC Authority ('DIFCA') launched a public consultation on proposed amendments to the 2020 Regulations, ending on 17 May 2023, aiming to provide means for a better, safer, and more ethical management of data processing. In particular, the proposed amendments provide for new provisions regarding:

  • controller and processor obligations with regard to data breach incidents;
  • controller and processor obligations in connection with use of personal data for digital communications and services;
  • controller and processor obligations regarding controls and safeguards in connection with the use of digital enablement technology systems, including artificial intelligence ('AI') systems; and
  • concepts for organisations to incorporate Privacy by Design or by Default into generative, machine learning, or similar systems, which include fairness, ensuring ethical practices, transparency, security, and accountability.

Insights

In this Insight article, Maher Ghalloussi and Lucrezia Lorenzini, from Baker McKenzie LLP, delve into the significant amendments made to the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (the Data Protection Law). The updates aim to enhance data protection practices, with a focus on regulating the processing of personal data through autonomous and semi-autonomous systems, marking a pioneering move in the Middle East.

In this Insight article, Anne-Caroline Albrecht, Partner at Bonnard Lawson, Dubai, explores the evolving landscape of international data protection, with a focus on the Dubai International Financial Centre's (DIFC) pioneering efforts and its recent assessment of California's Data Protection Regime.

In this Insight Article, Laura Voda and Maquelin Pereira, from Fichte & Co Legal Consultancy, provide an update to part one of this series. As discussed previously, the Dubai International Financial Centre (DIFC) has a collection of tools for data processors and controllers to rely on, in terms of protection of data, specifically when they are transferring data outside of the DIFC.

In light of the global developments around data protection, specifically on the cross-border transfer of data, the Dubai International Financial Centre ('DIFC') seeks to provide enhanced tools to equip businesses and ensure compliance with both DIFC and international standards. As a global business hub, the DIFC is home to international players with both inward and outward data flows, which places these businesses at the crossroads of multiple jurisdictions when it comes to data compliance.

The DIFC has recently proposed updates to its data transfer guidance materials, namely the Standard Contractual Clauses ('SCCs'), the Ethical Data Management Risk Index ('EDMRI'), and the Data Export and Sharing Handbook ('DES Guide'). Dr. Laura Voda and Maquelin Pereira, from Fichte & Co Legal Consultants, provide an overview of the proposed updates and evaluate their impact in meeting the goals of the Data Protection Law, DIFC Law No. 5 of 2020 ('the Law').

On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law') was enacted, came into effect on 1 July 2020, and became enforceable from 1 October 2020, in addition to the Data Protection Regulations 2020 ('the Regulations') (collectively, 'the DIFC Legislation'). More recently, on 8 March 2022, the DIFC enacted the DIFC Laws Amendment Law, DIFC Law No. 2 of 2022 ('the Amendment Law'), which incorporates amendments to several DIFC laws, including the Data Protection Law. This Insight article provides a summary of the key changes introduced by the amendments to the Data Protection Law following the enactment of the Amendment Law.

The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020 ('the Law') was enacted in the DIFC and came into effect on 1 July 2020, in addition to the Data Protection Regulations 2020 ('the Regulations') (collectively, 'DIFC Legislation'). Furthermore, the DIFC has published several guidance materials relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.

The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020 ('the Law') was enacted in the DIFC and came into effect on 1 July 2020 in addition to the Data Protection Regulations 2020 ('the Regulations') (collectively, 'DIFC Legislation'). In addition, the DIFC has published several guidance materials relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.


In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR), the Data Protection Law DIFC Law No. 5 of 2020 (the DIFC Law 2020), and the Data Protection Law 2007 DIFC Law No. 1 of 2007 (the DIFC Law 2007).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the DIFC Law 2020 and the DIFC Law 2007 with the GDPR.

You can access the latest version of the report here.