New DIFC Data Protection Law 2020 - What you need to know
Data Protection & Privacy
The Dubai International Financial Centre (DIFC), a financial services free zone in the Emirate of Dubai in the UAE, has issued a new Data Protection Law (DIFC Law No. 5 of 2020, hereafter referred to as the DPL 2020) that aligns the DIFC more closely with the data protection landscape in Europe.
Written by Dino Wilkinson, Ben Gibson and Masha Ooijevaar
DPL 2020 replaces the existing data protection law, DIFC Law No. 1 of 2007 (DPL 2007). Like its predecessor legislation, DPL 2020 will regulate the collection, handling, disclosure and use of personal data in DIFC. However, DPL 2020 includes enhanced governance and transparency obligations that mirror many of the principles of the EU General Data Protection Regulation (GDPR), a European Union data protection law that has sparked privacy and data law reform worldwide.
DPL 2020 will come into force on 1 July 2020; however, the Commissioner of Data Protection is not expected to actively enforce the law until 1 October 2020, giving businesses an implementation window of four months in which to review their personal data processing activities and to prepare.
DPL 2020 aims to further DIFC's desire to be recognised internationally as a top-tier jurisdiction for data protection. The law could be a step on the road towards the DIFC achieving "adequacy" status as a destination for free transfers of personal data from Europe.
DPL 2020 increases privacy compliance requirements for businesses registered in the DIFC, and for businesses that process personal data within the DIFC as part of "stable arrangements". DPL 2020 uses core concepts such as "Controller", "Processor" and "Data Subject" that are consistent with their European equivalents.
As is the case under DPL 2007, the Commissioner has the ability to issue administrative fines to parties who violate the law or fail to comply with a direction issued by the Commissioner.
Both Controllers and Processors may be subject to fines of up to USD 100,000 imposed by the Commissioner and may be found liable by the DIFC Courts to pay compensation directly to data subjects (in addition to the fine from the Commissioner). An action for compensation can be initiated by the data subject but can also be initiated by the Commissioner on behalf of data subjects who have suffered material harm and who are disadvantaged in their ability to bring their own claim. Compensation awards are not subject to a cap under the law.
A Processor will only be liable for damage caused by processing where it has not complied with the obligations of the law specifically directed to Processors, or where the Processor has acted outside the lawful instructions of the Controller. In all other circumstances, the Controller is liable for the damage suffered.
Where more than one Controller or Processor, or both a Controller and a Processor, are involved in the same processing and are responsible for any breach of DPL 2020, each shall be held jointly and severally liable for the entire damage.
The Commissioner retains discretion to seek publication of additional regulations relating to fines, and is not bound solely by the schedule of administrative fines where a breach of DPL 2020 is serious. Controllers and Processors should therefore beware of viewing the schedule of administrative fines as the "price" of breaching the law, not least because fines are only a small part of the overall cost of a data breach and further compensation claims are possible.
The Commissioner also has powers to issue public reprimands in relation to violators of the law, which have the potential to damage customer and supplier confidence in the offending entity.
DPL 2020 largely mirrors the GDPR. One area where it takes a new approach, however, is in recognising that technology may develop in a way that creates tension with data protection principles, obligations and data subject rights. By way of example, a key advantage of blockchain technology is the creation of an irreversible record. This could be considered to conflict with the principle of storage limitation (personal data should be retained no longer than is necessary for the purpose) and with the right of data subjects to request the erasure of their personal data.
DPL 2020 allows a Controller to restrict the exercise of certain data subject rights, provided that, at the outset, the data subject was given clear and prominent information describing the data processing techniques the Controller uses. The Controller must also make clear to the data subject that, if the data subject proceeds with processing on that basis, it will not be possible to exercise certain rights that would otherwise be available (for example, the right to request erasure of the data).
DPL 2020 contains non-discrimination provisions similar to those in the California Consumer Privacy Act, which do not allow data subjects to be discriminated against for exercising their rights.
We have compiled the following table to assist you in understanding the changes introduced by DPL 2020 and, particularly, how it compares with the GDPR.
Key features compared: DPL 2007, DPL 2020 and the GDPR
Who does it apply to?
DPL 2007: Any business registered in the DIFC.
Data Protection Officer
DPL 2007: Not required.
DPL 2020: Controllers or Processors may appoint a DPO. DPOs are mandatory for:
GDPR: A DPO is mandatory if:
Data Protection Principles
DPL 2007: Personal data should be:
DPL 2020: DPL 2020 adds:
GDPR: The GDPR sets out seven key principles that should be at the heart of a Controller's processing activities:
Accountability
DPL 2007: Not required.
DPL 2020: Controllers and Processors must demonstrate compliance with the data protection principles.
GDPR: The Controller must demonstrate compliance with the data protection principles.
Rights of Individuals
Data subjects have the right to:
GDPR: The GDPR requires Controllers to respond within one (1) month of receiving any request made under the above rights.
Conditions for Consent
DPL 2007: Not specified.
DPL 2020: Consent must be a freely given and unambiguous indication of consent. Consent can be withdrawn at any time.
GDPR: Consent must be a freely given, specific, informed and unambiguous indication of the Data Subject's agreement to the processing of his or her Personal Data. Consent can be withdrawn at any time.
Data Processors
DPL 2007: No obligation on processors.
DPL 2020: DPL 2020 imposes legal obligations on Processors as well as Controllers. Any breach of those obligations can result in a fine or a judicial remedy for data subjects. Controllers and Processors must enter into a binding written agreement containing prescribed terms reflecting those set out under Article 24, including that the Processor does not appoint sub-processors without the written authorisation of the Controller and that the Processor (and any sub-processor) acts only on the Controller's documented instructions.
GDPR: Controllers must appoint Processors under a binding written agreement that includes the requirements set out under Article 28(3).
Cross-border transfers
DPL 2007: Transfers can take place if made to a location that provides an adequate level of protection, where the Commissioner has granted a permit or written authorisation, or where other circumstances apply.
DPL 2020: DPL 2020 adds the ability to transfer personal data outside the DIFC to a non-adequate country if appropriate safeguards are put in place, including:
GDPR: DPL 2020 mirrors the GDPR, which allows transfers of personal data outside the European Union if:
Breach notifications
DPL 2007: No requirement.
DPL 2020: Notification to the Commissioner: as soon as practicable in the circumstances, where the breach compromises a data subject's confidentiality, security or privacy. Notification to the data subject: as soon as practicable in the circumstances, where the breach is likely to result in a high risk to the security or rights of the data subject.
GDPR: Notification to a data protection authority: without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects. Notification to data subjects: without undue delay, where the breach is likely to result in a high risk to Data Subjects.
Penalties
DPL 2007: Maximum fine of USD 25,000.
DPL 2020: Maximum fine of USD 100,000 for an administrative breach, with scope for larger (unlimited) fines for more serious violations. Compensation claims may be made by or on behalf of data subjects. Scope for adverse public statements to be made by the Commissioner.
GDPR: The maximum fine that can be imposed for serious infringements of the GDPR is the greater of €20 million or four percent (4%) of an undertaking's global turnover for the preceding financial year.
Organisations need to consider how they will address the requirements of DPL 2020. For large organisations, this is likely to require the involvement and buy-in of a number of business units, not limited to the legal team but also including HR, marketing, sales, customer service and IT.
Full compliance will require more than just a paper-based approach and should involve methodical assessment, planning and implementation. If you have already updated your data procedures and policies in line with the GDPR, you should already be compliant with key aspects of DPL 2020; however, you should still consider how your DIFC operations are conducted and whether there are any specific features of DPL 2020 that need close attention.
Suggested activities for all organisations operating in the DIFC include: