New DIFC Data Protection law comes into force

Nick O’Connell

The Data Protection Law 2007 (DIFC Law No. 1 of 2007) was recently amended by the Data Protection Law Amendment Law 2012 (DIFC Law No. 5 of 2012), which became effective on 20 December 2012. The ‘new’ Data Protection Law amends the ‘old’ Data Protection Law, which prescribed rules and regulations regarding the collection, handling, disclosure and use of personal data in the DIFC, the rights of individuals to whom the personal data relates, and the role of the DIFC Authority with regard to data protection. The amended Data Protection Law retains the international best practice standards found in the 2007 law, and is broadly consistent with the 1995 EU Data Protection Directive. It is designed to balance the legitimate needs of businesses and organizations to process personal information with the importance of upholding an individual’s right to privacy.

Besides miscellaneous amendments aimed at improving drafting and clarity, the key changes in the amended Data Protection Law can be summarised as follows:

Duty to notify changes: A Data Controller must notify the Commissioner of Data Protection of any changes to the particulars of the Data Controller’s notification to the Commissioner. Failure to notify the Commissioner of such changes as soon as possible – and in any event within 14 days from the date upon which the particulars become inaccurate or incomplete – is a contravention of the law.

Delegation powers of the Commissioner of Data Protection: The Commissioner may delegate functions and powers to officers and employees of the Dubai International Financial Centre Authority.

General contravention and administrative imposition of fines: The proposed changes set out provisions relating to contraventions of the law and the administrative imposition of fines.

As part of the set-up process in the DIFC, an entity is required to notify the DIFC’s Commissioner of Data Protection if it intends to process personal information. This notification has to be updated when the entity’s commercial licence is renewed, or if at any time the entity changes the way in which it will process personal information. The apparent absence of this requirement from the amended Data Protection Law is one aspect that would have benefitted from more detailed consideration.

An entity that wishes to process ‘Sensitive Personal Data’ (being personal information revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life), or that wishes to transfer personal information outside the DIFC to a jurisdiction that is not recognised by the DIFC as offering an adequate level of protection to personal information, needs to seek a permit from the Commissioner of Data Protection.

It remains to be seen whether the amendments to the DIFC Data Protection Law indicate that the Commissioner of Data Protection is going to become more active in policing the data protection compliance of entities operating in the DIFC.

Interestingly, in January this year, the European Commission published its proposal for a new Data Protection Regulation. The EU’s current rules, which the DIFC Data Protection Law emulates to some degree, are about 17 years old, and the revision is intended, to some extent, to ‘future proof’ the EU’s data protection regime. It will be interesting to see if further changes to the DIFC Data Protection Law will be considered once new European rules make it through the European legislative process.

Al Tamimi & Company’s Technology, Media & Telecommunications team regularly advises on data protection issues in the Middle East, including in on-shore Dubai and free zones such as DIFC. For any data protection related queries, please contact Nick O’Connell (