Our knowledge, experience, and expertise are now available on the go.
My Tamimi App, a convenient new tool for anyone with an interest in the legal sector, from law students to General Counsel.Find out more
Nick O' Connell
The Data Protection Law 2007 (DIFC Law No. 1 of 2007), was recently amended by the Data Protection Law Amendment Law 2012 (DIFC Law No. 5 of 2012), which became effective on 20 December 2012. The ‘new’ Data Protection Law amends the ‘old’ Data Protection Law, which prescribed rules and regulations regarding the collection, handling, disclosure and use of personal data in the DIFC, the rights of individuals to whom the personal data relates, and the role of the DIFC Authority with regard to data protection. The amended Data Protection Law retains the international best practice standards found in the 2007 law, and is broadly consistent with the 1995 EU Data Protection Directive. It is designed to balance the legitimate needs of businesses and organizations to process personal information with the importance of upholding an individual’s right to privacy.
Besides miscellaneous amendments aimed at improving drafting and clarity, the key changes in the amendedData Protection Law can be summarised as follows:
Duty to notify changes: A Data Controller must notify the Commissioner of Data Protection of any changes to the particulars of the Data Controller’s notification to the Commissioner. Failure to notify the Commissioner of such changes as soon as possible – and in any event within 14 days from the date upon which the particulars becomes inaccurate or incomplete – is a contravention of the law.
Delegation powers of the Commissioner of Data Protection: The Commissioner may delegate functions and powers to officers and employees of the Dubai International Financial Centre Authority.
General contravention and administrative imposition of fines: The proposed changes set out provisions relating to contraventions of the law and the administrative imposition of fines.
As part of the set-up process in the DIFC, an entity is required to notify the DIFC’s Commissioner of Data Protection if it intends to process personal information. This notification has to be updated when the entity’s commercial licence is renewed, or if at any time the entity changes the way in which it will process personal information. The apparent absence of this requirement from the amended Data Protection Law is one aspect that would have benefitted from more detailed consideration.
An entity that wishes to process ‘Sensitive Personal Data’ (being personal information revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life), or that wishes to transfer personal information outside the DIFC to a jurisdiction that is not recognised by the DIFC as offering an adequate level of protection to personal information, needs to seek a permit from the Commissioner of Data Protection.
It remains to be seen whether the amendments to the DIFC Data Protection Law indicates that the Commissioner of Data Protection is going to become more active in policing the data protection compliance of entities operating in the DIFC.
Interestingly, in January this year, the European Commission published its proposal for a new Data Protection Regulation. The EU’s current rules, which the DIFC Data Protection Law emulates to some degree, are about 17 years old, and the revision is intended, to some extent, to ‘future proof’ the EU’s data protection regime. It will be interesting to see if further changes to the DIFC Data Protection Law will be considered once new European rules make it through the European legislative process.
Al Tamimi & Company’s Technology, Media & Telecommunications team regularly advises on data protection issues in the Middle East, including in on-shore Dubai and free zones such as DIFC. For any data protection related queries, please contact Nick O’Connell (firstname.lastname@example.org).
Disclaimer: This chat service should not be relied upon as a substitute for professional advice which takes account of your specific circumstances and any changes in the law and practice. No warranty is made as to the accuracy or completeness of the information provided via this service and no liability is accepted by Al Tamimi & Company Limited, its affiliates, partners or employees for any loss arising as a result of reliance upon the information provided.
Kindly accept the disclaimer to proceed to a live chat.
Thank you for your inquiry. We will connect you to one of our agents now.
Thank you for your interest in working with Al Tamimi & Company. Please click here to view our latest job openings.