Weekly Spotlight: New DIFC Data Protection Law Enacted
The Ruler of Dubai has enacted the new DIFC Data Protection Law, DIFC Law No. 5/2020. The new law will come into effect from 1 July 2020, and the current DIFC Data Protection Law, DIFC Law No. 1/2007, will remain in effect until this date. New DIFC Data Protection Regulations have also been issued, setting out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data.
The DIFC’s updated Data Protection Law and Regulations set out expectations for Controllers and Processors in the DIFC on several key privacy and security principles. The Data Protection Law combines the best practices from a variety of current, global data protection laws, including the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act and other advanced, technology-agnostic concepts. They will enable DIFC to continue to build upon the Centre’s reputation as a leading global financial centre while also promoting ethical data sharing. The new Data Protection Law and Regulations provide a framework that will support DIFC’s bid for adequacy recognition by the European Commission, the UK and other jurisdictions, easing data transfer compliance requirements for DIFC businesses.
The changes legislate for accountability of Controllers and Processors through compliance programme requirements, appointing data protection officers where necessary, conducting data protection impact assessments and imposing contractual obligations that protect individuals and their personal data. Enhanced rights of individuals are clarified in terms of data usage by entities that collect and manage personal data, including contractual clarity on such rights when engaging with vendors of emerging technologies, such as Blockchain and Artificial Intelligence (AI). Permit options for cross-border data transfers and special category personal data processing have been removed. The new Law and Regulations include appropriate data sharing structures between government authorities, which represent a key step forward in data sharing standards within the UAE and the region.
General fines for serious breaches of the Law, in addition to or instead of administrative fines, and increased maximum fine limits, have been introduced. In light of the current global pandemic, while DIFC Law No. 5/2020 will be effective from 1 July 2020, businesses to which it applies have a grace period of three months, until 1 October 2020, to prepare to comply with it, after which it becomes enforceable.