DIFC: Round-up of guidance on the DIFC's data protection law and regulations – Part 3
The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020 [1] ('the Law') was enacted in the DIFC and came into effect on 1 July 2020, in addition to the Data Protection Regulations 2020 [2] ('the Regulations') (collectively, 'DIFC Legislation'). Furthermore, the DIFC has published several guidance materials [3] relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.
Part 1 of this Insight series on DIFC legislation and available guidance and materials focused particularly on data protection principles, data security, notification, breach, and Data Protection Impact Assessment ('DPIAs') requirements under DIFC legislation.
Part 2 of this Insight series on DIFC legislation and available guidance and materials focused particularly on valid consent, individuals' rights, and data protection officers ('DPOs') under DIFC Legislation.
This Insight article provides a round-up of the relevant available guidance and materials in relation to data transfers as well as fines and other sanctions under DIFC Legislation, with a particular focus on the following guides:
- A Guide to Data Protection Law, DIFC Law No. 5 of 2020 and the Data Protection Regulations ('the Guide') [4];
- Data Export Guidance 2020 ('the Export Guidance') [5]; and
- Fines and Sanctions Guidance 2020 ('the Sanctions Guidance') [6].
The Law stipulates that transfers of personal data from the DIFC to a third country or international organisation may take place only if:
- an adequate level of protection for that personal data, and for onward transfers of such data, is ensured pursuant to the Law, namely:
  - where the Commissioner determines that a third country, a territory, one or more specified sectors within a third country, or an international organisation ensures an adequate level of data protection, taking into account several factors listed in the Law (Article 26(1) and (2) of the Law); or
  - where the Commissioner determines that a third country, a territory, one or more specified sectors within a third country, or an international organisation ensures an adequate level of data protection based on adequacy decisions made by other competent data protection authorities, where such decisions have taken into account the relevant factors listed in the Law (Article 26(1) and (3) of the Law);
- the controller or processor has provided appropriate safeguards, described in Article 27(2) of the Law, and enforceable data subject rights and effective legal remedies are available to data subjects (Articles 26(1) and 27(1)(a) of the Law);
- one of the derogations in Article 27(3) of the Law applies (Articles 26(1) and 27(1)(b) of the Law); or
- where the transfer cannot be based on any of the aforementioned provisions, all of the following conditions are met (Articles 26(1), 27(1)(c), and 27(4) of the Law):
  - the transfer is not repetitive or part of a repetitive course of transfers;
  - the transfer concerns only a limited number of data subjects;
  - the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller that are not overridden by the interests or rights of data subjects; and
  - the controller has completed a documented assessment of all the circumstances surrounding the data transfer and has, on that basis, provided suitable safeguards with regard to the protection of personal data.
Notably, the Commissioner has published a checklist [7] for data exports to a non-DIFC jurisdiction, which entities may use to ensure they transfer personal data lawfully.
Adequate level of protection
Article 26(1)(a) of the Law makes reference to an 'adequate level of protection' in relation to permitted third party data transfers. In this regard, the Guide notes that this requires an assessment of all the circumstances surrounding a personal data transfer, which include (Page 17 of the Guide):
- the nature of the personal data;
- the purpose and duration of the proposed processing operation(s);
- if the personal data does not emanate from the DIFC, the country of origin, and the country of destination of the personal data; and
- any relevant laws to which the recipient is subject, including professional rules and security measures.
Absence of adequate level of protection
In assessing whether personal data may be transferred to non-adequate jurisdictions, the Guide notes that entities should set out a consistent policy or approach to ensure secure transfers including those to other parts of their business that are onshore in the UAE (Page 18 of the Guide). The Guide further advises that entities should seek to choose an appropriate transfer mechanism under Article 27 of the Law, and if using the standard data protection clauses, should review those regularly and ensure they are properly completed and executed (Page 18 of the Guide).
Of the appropriate safeguards listed in Article 27(2) of the Law for data transfers in the absence of an adequate level of protection, standard data protection clauses may be used by entities for secure transfers of personal data. In this regard, the Commissioner has provided a set of Standard Contractual Clauses ('SCCs') to be applied to contractual or other arrangements that require the transfer of personal data outside the DIFC (Page 18 of the Guide):
- Standard Contractual Clauses for sharing data in such manner between a DIFC Controller and a non-DIFC Processor [8]; and
- Standard Contractual Clauses for sharing data in such manner between a DIFC Controller and a non-DIFC Controller [9].
Notably, the Guide states that the SCCs may not be altered other than to complete basic information or to add commercial requirements. If an entity using the SCCs contemplates any other alteration to the standard clauses, the Commissioner should be consulted first and such alterations agreed in writing (Page 18 of the Guide). In this regard, the Guide notes that the Commissioner reserves the right to reject, at their own discretion, any such application for alterations (Page 18 of the Guide).
Article 28(1) of the Law provides that where a controller or processor receives a request from any public authority ('a Requesting Authority') for the disclosure and transfer of any personal data, it should:
- exercise reasonable caution and diligence to determine the validity and proportionality of the request, including to ensure that any disclosure of personal data in such circumstances is made solely for the purpose of meeting the objectives identified in the request from the Requesting Authority;
- assess the impact of the proposed transfer in light of the potential risks to the rights of any affected data subject and, where appropriate, implement measures to minimise such risks, including by redacting or minimising the personal data transferred to the extent possible, or utilising appropriate technical or other measures to safeguard the transfer; and
- where reasonably practicable, obtain appropriate written and binding assurances from the Requesting Authority that it will respect the rights of data subjects and comply with the general data protection principles in relation to the processing of personal data by the Requesting Authority.
In this regard, Article 28(2) of the Law notes that a controller, processor, or sub-processor, having provided reasonable notice to the controller, may disclose or transfer personal data to the Requesting Authority where it has taken reasonable steps to satisfy itself that:
- the request is valid and proportionate; and
- the Requesting Authority will respect the rights of data subjects in the processing of any personal data transferred.
Further to this, the Guide states that while the Commissioner encourages such sharing with public authorities, entities receiving such requests must consider what controls should be in place to govern such sharing and ensure all parties involved apply them. Furthermore, the Guide notes that if a request to an entity is deemed too broad, it may ask for specificity or request written binding assurances that the data will be ethically and responsibly managed (Page 19 of the Guide).
Fines and other sanctions in connection with DIFC legislation
In relation to enforcement of DIFC legislation, the Commissioner has the following powers (Page 4 of the Sanctions Guidance):
- ability to audit controllers and processors;
- ability to conduct investigations and inspections;
- ability to issue directions requiring a controller or processor to do or refrain from doing anything;
- ability to issue warnings or admonishments;
- ability to make recommendations to a controller or processor including ordering the appointment of a DPO;
- ability to initiate court proceedings for contraventions of the Law;
- ability to impose fines for non-compliance with a direction, the Law, and any Regulations;
- ability to initiate compensation claims on behalf of data subjects where there has been a material contravention of the Law;
- ability to prepare Regulations, standards or codes of practice and guidance;
- ability to request provision of information from controllers and processors; and
- duty to receive and consider complaints lodged by data subjects.
Moreover, in connection with the Commissioner's ability to impose fines, the administrative fines that may be imposed range from $10,000 to $100,000, depending on which of the Law's provisions has been violated. Examples of fines relating to the data export and data sharing provisions discussed above are as follows (Schedule 2 of the Law):
- a violation of Article 26 of the Law, relating to data transfers, may attract a maximum fine of $25,000;
- a violation of Article 27 of the Law, relating to data transfers, may attract a maximum fine of $50,000; and
- a violation of Article 28 of the Law, relating to data sharing, may attract a maximum fine of $10,000.
Notably, the highest fine relates to violations of the provisions governing data subject rights, where the impact on the data subject is most direct (Page 5 of the Sanctions Guidance and Schedule 2 of the Law).
In this regard, the Sanctions Guidance notes that each violation that is investigated by the Commissioner will be assessed on its own merits, taking into account all circumstances, including (Page 5 of the Sanctions Guidance):
- previous violations;
- the status and activities of the offending party;
- the risk of harm to data subjects;
- the purpose of the processing and whether it upholds the principles of purpose specification and compatible use;
- the duration of the violation;
- whether the violation was intentional in nature; and
- the extent to which the offending party cooperates with the investigation.
Further information relating to some of the Commissioner's other powers may also be found in the Sanctions Guidance.
Alice Muasher, Privacy Analyst
1. Available at: https://www.dataguidance.com/legal-research/data-protection-law-difc-law-no5-2020
2. Available at: https://www.dataguidance.com/legal-research/data-protection-regulations-2020
3. Available at: https://www.difc.ae/business/operating/data-protection/guidance/
4. Available at: https://www.dataguidance.com/legal-research/guide-data-protection-law-difc-law-no-5-2020
5. Available at: https://www.dataguidance.com/legal-research/data-export-and-sharing
6. Available at: https://www.dataguidance.com/legal-research/fines-and-other-sanctions
7. Available at: https://www.difc.ae/files/6015/9514/6923/Data_Export_Guidance.pdf
8. Available at: https://www.dataguidance.com/legal-research/standard-contractual-clauses-sharing-data
9. Available at: https://www.dataguidance.com/legal-research/standard-contractual-clauses-sharing-data-0