DIFC Law No. 5/2020 (the "DIFC Data Protection Law") was brought into force on 1 July 2020, bringing the DIFC more closely into line with existing established data protection regimes including the EU General Data Protection Regulation (the "GDPR"), from which the UK legislation also originates. There are therefore significant similarities between the data protection regimes in the DIFC and the UK. As a result, commentary and guidance on the European Union and UK data protection legislation are likely to be of use to DIFC entities subject to the DIFC Data Protection Law.
The DIFC Data Protection Law places a number of obligations on controllers. For example:
- Pursuant to Article 9, controllers must not collect or handle excessive personal data about data subjects and must keep personal data appropriately secure.
- Pursuant to Article 10, controllers must have a legal basis for processing personal data. This includes consent which, in line with developments in Europe and the UK, 'must be freely given by a clear affirmative act that shows an unambiguous indication of consent' (see Article 12). Data subjects must also have the option to withdraw their consent. Where controllers process special categories of personal data, Article 11 specifies that they must demonstrate an additional ground for doing so. These additional grounds include where processing is necessary to protect the public against malpractice or misconduct in certain professional services, to protect people from bias and where required by applicable law.
- Article 14 contains a key concept of accountability which obliges controllers to establish a programme to demonstrate compliance with the DIFC Data Protection Law, to maintain records and policies implementing this, and to put in place appropriate technical and organisational measures to demonstrate that processing is performed in accordance with the requirements of the DIFC Data Protection Law.
- Controllers that transfer personal data from the DIFC to a third country or to an international organisation must ensure that one of a number of possible safeguards is applied to any personal data being exported (see Articles 26 to 28).
- Under Article 29, controllers must provide information to data subjects about how they process their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language at the time of collecting personal data. An example of compliance with this obligation is sending a privacy notice directly to the data subject.
- Pursuant to Article 33, data subjects can request access to any of their personal data that is being held or processed by the controller.
- Data subjects also have a right of non-discrimination under Article 39, which means data subjects cannot be discriminated against as a result of a choice to exercise their rights in relation to their personal data under the DIFC Data Protection Law.
(References above to 'schedules' or 'articles' are to schedules/articles in the DIFC Data Protection Law. All definitions can be found in Schedule 1 of the DIFC Data Protection Law.)
The DIFC Data Protection Law is supplemented by the DIFC Data Protection Regulations 2020. Certain federal laws also continue to apply within the DIFC.
In February 2021 the Dubai International Financial Centre Authority launched a consultation on proposed amendments to the DIFC Data Protection Law to bring it in line with international best practice (the "DIFC Laws Amendment Law"). The proposed amendments were outlined in the consultation paper, with the intention that such amendments would:
- clarify the judicial redress process for individuals;
- improve and clarify the accountability requirements for controllers and processors;
- refine the powers available to the Commissioner when reviewing a direction or determination of contravention of the DIFC Data Protection Law; and
- align with the intention of DIFC Courts law regarding the imposition and payment of Court costs by DIFC bodies.
The DIFC Laws Amendment Law is in draft form only and no changes to the DIFC Data Protection Law or Regulations have come into force following this consultation process.
Our experienced team in Dubai and London can advise clients in relation to each of the areas referred to above and assist with the practical steps necessary to ensure compliance with the applicable laws and regulations and international best practice, including:
- Advising on data protection/privacy related issues;
- Advising on the conduct of data protection impact assessments;
- Drafting bespoke data protection policies and procedures, privacy notices and related contract terms;
- Harmonising existing global data protection policies;
- Advising organisations on complying with data subject access requests;
- Advising on data protection/privacy related issues in the context of corporate transactions;
- Advising on cross-border data transfers of personal data;
- Advising on data protection/privacy issues in the context of employment, including disciplinary investigations, employment disputes, and on termination of employment generally when processing and disclosing data to prospective employers, government agencies, and other third parties.
Example commentary on the DIFC Data Protection Law provided by the team includes the following: