New DIFC data protection law enacted

The DIFC’s new data protection law will come into effect from 1 July 2020 with a grace period of 3 months for businesses to get ready for compliance.

02 June 2020

Background

The Dubai International Financial Centre (DIFC) has issued Data Protection Law No.5 of 2020 (the New DP Law), increasing privacy compliance requirements for businesses operating or conducting business in or from the DIFC.

The New DP Law will come into effect from 1 July 2020. Until then, the current Data Protection Law No.1 of 2007 (as subsequently amended) (the 2007 DP Law) remains fully in force.

Overall approach

The New DP Law is designed to update the 2007 DP Law and bring it in line with leading international best practice in data privacy regulation, so many of the changes it introduces will be familiar to businesses operating on an international scale that are already well acquainted with the privacy landscape in Europe and the General Data Protection Regulation (GDPR).

At the same time, however, the New DP Law also reflects the intention of the DIFC authorities to introduce a new data protection law that considers the specific needs of the DIFC, as well as the latest developments in technology. With this in mind, the New DP Law aims to introduce an appropriate and proportionate regulatory framework that is at the forefront of modern data management thought leadership. 

Some of the key changes brought in through the New DP Law are:

Expanded application of DIFC data privacy regulation

The scope of the New DP Law extends to the processing of personal data in the context of the activities of a Controller or Processor operating or conducting business in or from the DIFC, regardless of whether the actual processing takes place in the DIFC or not. This new principle is designed to stop attempts to circumvent the application of the DIFC data privacy regime by taking processing out of the free zone, and is conceptually similar in principle to the extra-territorial application of the GDPR.

Appointment of Data Protection Officers

Under the New DP Law, some businesses will be under a mandatory obligation to appoint a data protection officer (DPO). In particular, any Controller or Processor performing High Risk Processing Activities systematically, regularly or by necessity will need to appoint a DPO. Generally, the DPO should be resident in the United Arab Emirates (UAE); however, the New DP Law recognises that, in some cases, organisations will already have an appointed DPO outside the UAE and so allows for this.

New requirements for privacy notices

In order to comply with the New DP Law, privacy notices will need to be updated. Broadly consistent with the GDPR, Controllers are now required to deliver additional information to Data Subjects in a concise and transparent form, including (among other things) the lawful basis on which personal data is processed and the recipients or categories of recipients of the Data Subject's personal data.

Notification requirements for data breaches

Although it will not be mandatory to notify every personal data breach, Controllers will need to notify both the DIFC Commissioner of Data Protection (the Commissioner) and the relevant Data Subjects in the event of a personal data breach in certain circumstances.

Data Protection Impact Assessments

Another new feature of the New DP Law is that, as under the GDPR, Controllers will be required to conduct data protection impact assessments (also known as privacy impact assessments, or PIAs) where High Risk Processing Activities are to take place. Controllers will be pleased to know, however, that there is an exception to this requirement where another member of the Controller's group has conducted a suitable PIA in respect of other processing which is substantially similar to the processing activity in question and remains current and accurate.

Enhanced Data Subject rights

The New DP Law expands the rights available to Data Subjects, including a non-discrimination right which is similar to that seen in the California Consumer Privacy Act and represents a major development. The New DP Law will therefore prevent companies from discriminating against customers who choose to exercise their rights under the law by, for example, charging them different prices or refusing to provide them with products or services.

The New DP Law has also looked beyond the GDPR in order to reflect some of the challenges that may arise in respect of Data Subject rights as a result of the use of new technologies, recognising that the rights of rectification, erasure and objection may not always be easily compatible with certain modern ways of processing. Where this is the case, such Data Subject rights can be lawfully rendered un-exercisable, provided that the Data Subjects concerned are given sufficient information to understand the nature of the relevant processing and reach an informed decision.

Direct obligations on processors

The 2007 DP Law placed no compliance obligations on Processors. In contrast, however, the New DP Law imposes direct obligations on Processors in a manner similar to the approach in the GDPR. This means that both Controllers and Processors must be able to demonstrate compliance with the requirements of the New DP Law. In particular, Processors must give sufficient commitments to protect personal data by entering into a legally binding contract with the Controller. Failure to do so is a violation on the part of both the Controller and the Processor.

The New DP Law also creates direct statutory liability for a Processor where it fails to comply with the obligations imposed on it under the law, or where it acts outside the scope of the Controller's instructions.

Cross border transfers

The New DP Law also permits the transfer of personal data to a non-adequate country outside the DIFC, provided that sufficient safeguard mechanisms are put in place, including (among other mechanisms): (a) a legally binding instrument between public authorities; (b) binding corporate rules; or (c) standard data protection clauses as adopted by the Commissioner. This mirrors the position under the GDPR.

Importantly, however, the New DP Law also creates a new exceptional basis for transferring personal data outside the DIFC, even to jurisdictions that do not offer adequate protection and without consent, where the Controller can demonstrate a compelling legitimate interest and subject to a number of other limitations, such as an impact assessment, notification to the regulator and non-recurrence of the transfer.

Penalties for non-compliance

Whilst the New DP Law aligns closely with the GDPR in many ways, businesses will be pleased to hear that it does not mirror the GDPR's turnover-based regime for penalties in the event of non-compliance.

Unlike the GDPR (where the maximum fine that can be imposed is the greater of €20m or 4% of an undertaking's global turnover for the preceding financial year), the maximum fine for an administrative breach by either a Controller or a Processor under the New DP Law is $100,000, with the Commissioner retaining the discretion to issue larger fines for more serious contraventions. Additionally, where material harm is caused, compensation to be paid directly to Data Subjects may be awarded by the DIFC Courts.

The Commissioner has mentioned that additional regulations may be published in due course to clarify the parameters of the potential administrative fines in practice.

The New DP Law also deviates from the position in the GDPR which provides that a Controller or Processor is exempt from liability if it can prove that it is not in any way responsible for the event giving rise to the damage. The Commissioner does not consider this to be a helpful principle and, instead, under the New DP Law, Controllers are legally responsible to Data Subjects for all processing.

Concluding remarks

Crucially, once the New DP Law is in force from 1 July 2020, there will be a grace period of 3 months due to Covid-19 restrictions impacting businesses' ability to prepare for compliance. We can therefore expect to see no sign of enforcement by the Commissioner until 1 October 2020 at the earliest.

This means that businesses have 4 months from now in which to familiarise themselves with the New DP Law and consider how best to prepare for compliance.

Please look out for further updates and insights from us in which we will take a more detailed look at the changes and how they may affect your business. In the meantime, should you have any questions or would like to know more about how we can help, please get in touch.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.