Dubai International Financial Centre (DIFC) Enacts New Data Protection Law
The new DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020) (“New Law”) has now been enacted and comes into force on 1 July, 2020. The New Law repeals the existing DIFC Data Protection Law (Law No. 1 of 2007 (as amended) (“Old Law”)). The New Law aims at enhancing the existing legal framework on data protection in the DIFC and is closely aligned with the EU’s General Data Protection Regulation (GDPR).
Although the New Law comes into force on 1 July, 2020, there is a three-month transition period. DIFC businesses will have until 1 October, 2020 to prepare to comply with the New Law.
Key Features of the New Law
We set out below some key features of the New Law that will likely affect the Processing of Personal Data already being carried out in relation to DIFC-related activities. (Capitalised terms are as defined in the New Law.)
- Who is covered by the New Law? The New Law applies to the Processing of Personal Data carried out by a Controller or a Processor incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC. It also applies to regular, formal Processing activities carried out in the DIFC, regardless of whether the Controller or Processor undertaking the Processing is incorporated in the DIFC.
- Consent needs to be clear and freely given: The New Law requires consent to be freely given, through a clear affirmative act showing an unambiguous indication of consent, if it is to be relied on as a basis for Processing. Where a Controller relies on a Data Subject’s consent for Processing, the Controller should implement appropriate and proportionate measures to assess the ongoing validity of that consent. A Controller must be able to demonstrate that appropriate methods and procedures are in place to manage the recording and withdrawal of consent, and that periodic evaluations of those methods and procedures are conducted.
- Records of Processing activities: As part of the New Law’s accountability requirements, the Controller must maintain a written record (which may be in electronic form) of its Processing activities, which has to contain at least the information prescribed in the New Law.
- High-Risk Processing: The New Law introduces the concept of ‘High-Risk Processing Activities’, where the Processing of Personal Data will result in a high risk to the Data Subject due, amongst other things, to the adoption of new or emerging technologies (e.g. AI or Blockchain) or methods of Processing which materially increase the risk to the security or rights of a Data Subject. Before undertaking High-Risk Processing Activities, Controllers must conduct a data protection impact assessment of the proposed Processing operations.
- Appointing a DPO: Generally, it is not mandatory for Controllers or Processors to appoint a Data Protection Officer (DPO). However, a DPO must be appointed by Controllers and Processors who undertake High-Risk Processing Activities on a systematic and regular basis. The New Law regulates the requirements for, and the legal status of, a DPO.
- New requirements for transfers outside of the DIFC: The Commissioner will determine whether a Third Country meets the adequacy requirements for data transfers, based on a number of factors listed in the New Law. A new list of countries considered to provide an adequate level of protection for Personal Data transferred out of the DIFC has also been issued. For transfers to jurisdictions lacking an adequate level of protection, a permit or the Commissioner’s written authorisation is no longer required; instead, Controllers or Processors must have in place appropriate safeguards as set out in the New Law (e.g. the standard data protection clauses adopted by the Commissioner, or an approved code of conduct or approved certification, together with the Controller’s or Processor’s commitment to provide appropriate safeguards).
- New and enhanced Data Subject rights: In addition to the Old Law rights to access, rectify and erase Personal Data and the right to object to Processing, the New Law introduces new GDPR-style rights which Controllers must observe and inform Data Subjects about. These new rights include:
  - the right to withdraw consent;
  - the right to restriction of Processing;
  - the right to know the recipients of the Personal Data;
  - the right to data portability;
  - the right not to be subject to automated decision-making, including profiling; and
  - the right not to be discriminated against for exercising any of the Data Subject rights.
- Personal Data Breaches: The language governing a Controller’s obligations to respond to Personal Data Breaches has been amended. A Controller must notify the Commissioner as soon as practicable in the circumstances where a Personal Data Breach compromises a Data Subject’s security or rights. Where the Personal Data Breach is likely to result in a high risk to the security or rights of the Data Subject, the Controller must also notify the Data Subject as soon as practicable in the circumstances.
- A new fines regime: Where the Commissioner considers that a Controller or Processor (including a sub-processor) has contravened the New Law, the Commissioner may issue an administrative fine in an amount it considers appropriate, not exceeding the amount specified in Schedule 2 of the New Law (these fines range from USD 10,000 to USD 100,000 depending on the contravention, with the most substantial fines reserved for breaches of Data Subject rights). The Commissioner may also issue a general fine for a contravention of the New Law in an appropriate and proportionate amount, taking into account the seriousness of the contravention and the risk of actual harm to any relevant Data Subjects. Data Subjects also have a direct right under the New Law to claim compensation.
Please do not hesitate to contact our TMT team if you have any specific questions relating to the New Law and how it affects your business.