MIDDLE EAST FOCUS: PRIVSEC BRIEFING ON DIFC DATA PROTECTION LAW

Purpose: Understand the changes in Dubai data protection law, how it compares to GDPR and its wider impact on the MEASA region.

Key points

  • DIFC updated its Data Protection Law 1 June 2020
  • The Data Protection Regulations increase privacy compliance requirements for businesses registered in the DIFC and expands data subjects’ rights
  • It provides a strong basis for an adequacy decision from the European Commission
  • The promulgation of the law enables the DIFC to strengthen its leadership in enhancing data protection practices in the Middle East, Africa and South Asia (MEASA) region

Background

Dubai is the second largest emirate in the United Arab Emirates (UAE) with a population of over two million, is strategically located at the intersection of trade and commerce between Europe, the US, Africa, and Asia. The Dubai International Financial Centre is its free economic zone, the most important organisation of its type across the MEASA region with 2400 registered companies. Its legal framework therefore has an impact across many sectors and in many countries outside the Middle East.

Over the years a patchwork of data protection regulation has grown across the Middle East. In 2004, the DIFC implemented the first extensive data protection law in the Middle East. In 2007, this was replaced by Law No.1. In 2005, the Qatar Financial Centre adopted Data Protection Regulations No.6. In 2016, Qatar proposed the Personal Information Privacy Protection Law which was implemented in 2018. In 2015, Abu Dhabi Global Market (ADGM) introduced its Data Protection Regulations and was amended in 2018 to include recognition of the DIFC for data exports and an increase in the maximum fine for breaches. The DIFC does not currently reciprocate recognition of ADGM in its own list of permitted jurisdictions for data export. Turkey followed in 2016 with its Law on Protection of Personal Data and Bahrain adopted Personal Data Protection Law No.30 in 2018.

Status

DIFC updated its Data Protection Law (DPL 2020) on 1 June 2020 to strengthen its leadership in enacting data protection practices in MEASA. Its main amendments of its predecessor, DIFC Law No.1 of 2007, include increased privacy compliance requirements for any businesses registered within the DIFC, and its harmonisation with GDPR principles. It has worked in close association with the ICO in the UK.

The DIFC Authority also issued new Data Protection Regulations that set key expectations such as, processing personal data in accordance with the application of data subject rights, and the accountability of both controllers and processors operating within the DIFC. This will be achieved through appointing DPOs where necessary, conducting DPIAs, updating Privacy Notices, notifying the DIFC of breaches, and enhancing data protection rights of individuals through contractual obligations. Maximum fines for administrative breaches have been increased from $25,000 to $100,000 with the possibility of unlimited fines for very serious violations against DPL 2020.

Similarities with GDPR

As with GDPR, DPL 2020 refers to “data subjects” as well as “controllers” and “processors”. Data subject rights have been enhanced to match the standards of GDPR. Additions include, right to give and withdraw consent, right to access, right to data portability, right to object to automated decision making, non-discrimination, and a time limit on responding to SARs.

Data processors are now subject to legal obligations, like data controllers. Both must enter into a binding written agreement. Data processors must report security breaches and the data subject must be informed in some cases. Data controllers must keep records of processing activities.

Like GDPR, cross-border transfers can be made if the receiver is outside of the DIFC and within a territory that does not have an adequacy decision. This will be permitted so long as appropriate safeguards are met. These include, a legal binding instrument between public authorities, binding corporate rules, and/or standard data protection clauses as adopted by the Commissioner.

As intended, the new Regulations provide DIFC with a strong basis for an adequacy decision from the European Commission. This would allow for businesses operating within the DIFC to transfer data into and out of the DIFC more freely.

Wider impact

DIFC is well placed to export its financial services expertise internationally, however, it relies heavily on investment from Europe. Unrest within the Middle East region presents a significant risk to the success of Dubai as an IFC. If Dubai were to fall back into depression due to external political instability, European funding would cease. An adequacy decision would strengthen Dubai’s relationship with the EU.

The DIFC is central to the UAE’s financial services competitiveness. It also acts as a gateway to the Middle East region, meaning that the success of Dubai directly impacts the success of other regions such as Qatar and Saudi Arabia.

Conclusion 

The promulgation of the law enables the international financial hub in the Middle East, Africa and South Asia (MEASA) region to strengthen its leadership in enhancing data protection practices. Aligning its data protection laws with GDPR is expected to strengthen its relationship with the EU. The effect on the Middle East is likely to be larger in countries which have already opened up their economies rather than Saudi Arabia, for instance, which has only very recently started to operate special economic zones.

 


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.