DIFC: A look at the amendments to the Data Protection Law
The DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law') was enacted on 21 May 2020, came into effect on 1 July 2020, and became enforceable from 1 October 2020, alongside the Data Protection Regulations 2020 ('the Regulations') (collectively, 'the DIFC Legislation'). More recently, on 8 March 2022, the DIFC enacted the DIFC Laws Amendment Law, DIFC Law No. 2 of 2022 ('the Amendment Law'), which incorporates amendments to several DIFC laws, including the Data Protection Law. This Insight article provides a summary of the key changes introduced by the amendments to the Data Protection Law following the enactment of the Amendment Law.
The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters.
The Data Protection Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Notably, the amendments to the Data Protection Law reflect the DIFC's commitment to maintain its position at the forefront of privacy legislation in the region, and include clarifications to the judicial redress process for individuals and rules of interpretation of the Data Protection Law, as well as strengthened accountability requirements for controllers and processors in the context of requests for access to data considered vexatious or repetitive.
General requirements for lawful processing
The Amendment Law introduces a new general requirement for legitimate and lawful processing under Article 9 of the Data Protection Law, which requires personal data to be processed "in a manner that permits ready access to the personal data for compliance with the Law […]".
Data subject rights
With regard to data subjects' rights to access personal data, the Amendment Law specifies, in Article 33(1)(b) of the Data Protection Law, that a copy of the data subject's personal data undergoing processing, as well as information available as to its source, should be provided in an appropriate format, including but not limited to electronic form or hard copy format.
Additionally, the amendments to Article 9 of the Data Protection Law now require controllers to maintain a register of instances where they rely on Articles 33(7) or 33(8), pertaining to complex or, among other things, vexatious requests, noting the reasons for relying on those articles.
In this regard, the amendments provide, in Article 33(10) of the Data Protection Law, that the Commissioner of Data Protection ('the Commissioner'), by inspecting the above-mentioned register, may request additional information or conduct an investigation to assess whether a controller's use of a variation or exemption under Article 33(7) or 33(8) is valid. Furthermore, Article 11 of the Data Protection Law specifies that invalid reliance on either Article 33(7) or 33(8) will subject controllers to the remedies, liabilities, and sanctions set out in Part 9 of the Data Protection Law.
The Amendment Law also adds, in Article 43(6) of the Data Protection Law, that with regard to the appointment of the Commissioner by the President of the DIFC, the Commissioner will not be required to pay any court fees for proceedings they initiate in relation to the Data Protection Law; however, the court has the discretion to award costs against the Commissioner where they are the unsuccessful party and have acted in bad faith or in excess of statutory functions.
Moreover, the amendments include extensions to the Commissioner's powers. Firstly, Article 46(3)(d) of the Data Protection Law permits the Commissioner to issue a finding or make a declaration of contravention or non-contravention of the Data Protection Law. Secondly, Article 60(4) of the Data Protection Law provides that where the Commissioner determines there has been a contravention of the law on the basis of a data subject's complaint, they may now mediate between the complainant and controller in respect of such a contravention.
Notably, with regards to the imposition of fines, the amendments to the Data Protection Law specify in Article 62(3) that the Commissioner may issue a general fine for a contravention of the Data Protection Law, in addition to an administrative fine pursuant to Article 62(2), in an amount not limited to those specified in Schedule 2 of the Data Protection Law.
Appeals to the Court
In relation to the rights of controllers and processors to appeal to the DIFC Court, as established under Dubai Law ('the Court'), against a specific finding within 30 days, the amendments to the Data Protection Law provide in Article 63(3) that appellants may only rely on the materials before the Commissioner at the time he/she made the relevant finding.
Moreover, the amendments to the Data Protection Law introduce Article 63(5), which notes that, regarding any proceedings before the Court of First Instance to which the Commissioner is a party, parties to the proceedings may appeal the decision of the court:
- without the need to obtain leave to appeal from the Court of Appeal; and
- notwithstanding any rule of procedure limiting second appeals.
Alice Muasher Privacy Analyst