The Dubai International Financial Centre (DIFC), a financial services free zone in the Emirate of Dubai in the UAE, has issued a new Data Protection Law (DIFC Law No. 5 of 2020, hereafter referred to as the DPL 2020) that aligns the DIFC more closely with the data protection landscape in Europe.

DPL 2020 replaces the existing data protection law, DIFC Law No. 1 of 2007 (DPL 2007). Like its predecessor legislation, DPL 2020 will regulate the collection, handling, disclosure and use of personal data in DIFC. However, DPL 2020 includes enhanced governance and transparency obligations that mirror many of the principles of the EU General Data Protection Regulation (GDPR), a European Union data protection law that has sparked privacy and data law reform worldwide.

DPL 2020 will come into force on 1 July 2020, but the Commissioner of Data Protection is not expected to enforce the law actively until 1 October 2020, giving businesses an implementation window of four months in which to review their personal data processing activities and prepare.

DPL 2020 aims to further DIFC's desire to be recognised internationally as a top-tier jurisdiction for data protection. The law could be a step on the road towards the DIFC achieving "adequacy" status as a destination for free transfers of personal data from Europe.

Overview

DPL 2020 increases privacy compliance requirements for businesses registered in DIFC or which process personal data within the DIFC as part of "stable arrangements". DPL 2020 uses core concepts such as "Controller", "Processor" and "Data Subject" that are consistent with the equivalent European concepts.

Key changes brought about by DPL 2020 include:

  • Accountability: Controllers and Processors will have to be in a position to demonstrate compliance with DPL 2020. This requires higher governance standards including the maintenance of a record of processing activities.
  • Data Protection Officers: Some companies will have to appoint a data protection officer (DPO), depending on whether they conduct High Risk Processing Activities. High Risk Processing Activities include:
    • processing that includes the adoption of new or different technologies or methods that materially increase the risk to data subjects or renders it more difficult for data subjects to exercise their rights;
    • processing of a large amount of personal data (including staff and contractor data) where such processing is likely to result in a high risk to the data subject;
    • systematic and extensive automated processing, including profiling, with significant effects; or
    • processing of special categories of personal data (i.e. sensitive data) on a large scale.
  • Data Protection Impact Assessments: Controllers will have to conduct data protection impact assessments before undertaking any new High Risk Processing Activity.
  • Information notices: Privacy notices will have to be updated to include more information, such as the lawful basis on which personal data is processed by the Controller, the fact that personal data is intended to be transferred outside DIFC (if applicable) and other information specified in DPL 2020.
  • Breach notification: Controllers will have to notify the DIFC Commissioner of Data Protection (Commissioner) if a data breach compromises any data subject's confidentiality, security or privacy. If the risk to the data subject is high, the data subject must also be informed.
  • Data subject rights: DPL 2020 enhances the rights of data subjects with respect to their personal data, adding the right to data portability, the right to withdraw consent and a time limit in which to respond to a data subject access request.
  • Processors: DPL 2020 imposes direct compliance obligations on Processors and also prescribes mandatory contractual terms that must apply to arrangements between Controllers and Processors.
  • Joint Controllers: Two or more Controllers who process personal data jointly must enter into legally binding written agreements that clearly define each of their responsibilities.
  • Notification requirement: Whilst DPL 2020 does not remove the requirement established under DPL 2007 to register with the Commissioner, it does limit the range of organisations that have to notify the Commissioner.

Sanctions

As is the case under DPL 2007, the Commissioner has the ability to issue administrative fines to parties who violate the law or fail to comply with a direction issued by the Commissioner.

Both Controllers and Processors may be subject to fines of up to USD 100,000 per contravention under the administrative fine schedule (with larger fines possible for serious breaches, as noted below) and may be found liable by the DIFC Courts to pay compensation directly to data subjects (in addition to any fine imposed by the Commissioner). An action for compensation can be initiated by the data subject, but can also be initiated by the Commissioner on behalf of data subjects who have suffered material harm and who are disadvantaged in their ability to bring their own claim. Compensation awards are not subject to a cap under the law.

A Processor will only be liable for damage caused by processing where it has not complied with the obligations of the law specifically directed to Processors, or where the Processor has acted outside the lawful instructions of the Controller. In all other circumstances, the Controller is liable for the damage suffered.

Where more than one Controller or Processor, or both a Controller and a Processor, are involved in the same processing and are responsible for any breach of DPL 2020, each shall be held jointly and severally liable for the entire damage.

The Commissioner retains discretion to seek publication of additional regulations relating to fines and is not solely bound to comply with the provisions of the administrative fine schedule for serious breaches of the DPL 2020. Controllers and Processors should therefore beware of viewing the schedule of administrative fines as representing the "price" of breaching the law (not least because fines are only one small part of the overall cost of a data breach and there is a possibility of further compensation claims).

The Commissioner also has powers to issue public reprimands in relation to violators of the law, which have the potential to damage customer and supplier confidence in the offending entity.

Distinct features of DPL 2020

Emerging tech and friction with data protection laws

DPL 2020 largely mirrors the GDPR. One area, however, where it takes a new approach is in recognising that technology may develop in a way which creates tension with data protection principles and obligations and data subject rights. By way of example, a key advantage of blockchain technology is the creation of an irreversible record. This could be considered to conflict with the principles of storage limitation (where personal data should be retained for a certain period of time and no longer than is necessary) and the right of data subjects to request the erasure of their personal data.

DPL 2020 allows a Controller to limit the exercise of certain data subject rights, provided that, at the outset, the data subject was given clear and prominent information describing the data processing techniques used by the Controller. The Controller must also make clear to the data subject that, if the data subject proceeds with processing on that basis, it will not be possible for the data subject to exercise certain rights that would otherwise be available (for example, the right to request erasure of the data).

Non-discrimination

DPL 2020 contains non-discrimination provisions similar to those in the California Consumer Privacy Act, which do not allow data subjects to be discriminated against for exercising their rights.

Comparing the old, the new and the GDPR

We have compiled the following table to assist you in understanding the changes introduced by DPL 2020 and, particularly, how it compares with the GDPR.

Each key feature below is set out in turn for DPL 2007, DPL 2020 and the GDPR.

Who does it apply to?

DPL 2007: Any business registered in the DIFC.

DPL 2020:

  • Any business registered in DIFC;
  • Any business which processes personal data within the DIFC as part of stable arrangements; and
  • Any business which processes personal data on behalf of either of the above.

GDPR:

  • Organisations that are established in the EU and process personal data in the context of that EU establishment; and
  • Organisations established outside the EU that process personal data of individuals in the EU when (a) offering them goods or services or (b) monitoring their behaviour.

Data Protection Officer

DPL 2007: Not required.

DPL 2020: Controllers or Processors may appoint a DPO. A DPO is mandatory for:

  • DIFC bodies (other than courts acting in their judicial capacity); and
  • a Controller or Processor performing High Risk Processing Activities on a systematic or regular basis.

GDPR: A DPO is mandatory if:

  • the organisation is a public authority or body;
  • the organisation's core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale; or
  • the organisation's core activities consist of large-scale processing of special categories of data.

Data Protection Principles

DPL 2007: Personal data should be:

  1. processed fairly and lawfully;
  2. processed securely;
  3. collected for a specific purpose (purpose limitation), and adequate, relevant and not excessive for that purpose (data minimisation);
  4. accurate; and
  5. not retained for longer than is necessary for the purposes for which it was collected (storage limitation).

DPL 2020 adds:

  • the accountability principle;
  • the requirement to process personal data in a transparent manner; and
  • the requirement to process personal data in a manner that gives effect to data subject rights.

GDPR: The GDPR sets out seven key principles that should be at the heart of a Controller's processing activities:

  1. Lawfulness, fairness and transparency;
  2. Purpose limitation;
  3. Data minimisation;
  4. Accuracy;
  5. Storage limitation;
  6. Integrity and confidentiality (security); and
  7. Accountability.

Accountability

DPL 2007: Not required.

DPL 2020: Controllers and Processors must be able to demonstrate compliance with the data protection principles.

GDPR: The Controller must be able to demonstrate compliance with the data protection principles.

Rights of Individuals

DPL 2007:

  • Right to access personal data;
  • Right to rectification of personal data;
  • Right to erasure or blocking of personal data; and
  • Right to object to the processing of personal data in certain circumstances, including for the purposes of direct marketing.

DPL 2020 adds:

  • Right to withdraw consent at any time: an absolute right available to a data subject where the basis for the processing of the personal data is consent.
  • Right of access: DPL 2020 sets a timeframe of one (1) month to respond to data subject access requests (SARs) at no charge. For complex requests the period can be extended by a maximum of two (2) further months.
  • Right to data portability: where processing of personal data is based on consent or on the performance of a contract and is carried out by automated means, the data subject has the right to receive a copy of their personal data in a structured, commonly used, machine-readable format that supports re-use.
  • Right to object to automated decision making, including profiling: the right not to be subject to a decision based solely on automated processing (including profiling) which significantly affects the data subject.
  • Non-discrimination: the right not to be discriminated against for exercising any of the rights set out in Part 6 of DPL 2020. Controllers may not: (i) deny any goods or services; (ii) charge different prices or rates, including through the use of discounts or other benefits or the imposition of penalties; (iii) provide a less favourable level or quality of goods or services; or (iv) suggest any of the above to the data subject.

GDPR: Data subjects have the right to:

  • access their personal data;
  • rectify inaccurate or incomplete personal data;
  • erase their personal data if specific circumstances apply;
  • restrict processing if specific circumstances apply;
  • data portability;
  • object to processing where the basis of processing is either public interest or the legitimate interests of the Controller, or where processing is for direct marketing or for scientific, historical or statistical purposes; and
  • not be subject to a decision based solely on automated processing.

The GDPR requires Controllers to respond within one (1) month of receiving a request made under any of the above rights.

Conditions for Consent

DPL 2007: Not specified.

DPL 2020: Consent must be a freely given and unambiguous indication of the data subject's agreement. Consent can be withdrawn at any time.

GDPR: Consent must be a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data. Consent can be withdrawn at any time.

Data Processors

DPL 2007: No obligations on Processors.

DPL 2020: Imposes legal obligations on Processors as well as Controllers. Any breach of those obligations can result in a fine or a judicial remedy for data subjects. Controllers and Processors must enter into a binding written agreement containing prescribed terms reflecting those set out in Article 24, including that the Processor does not appoint sub-processors without the written authorisation of the Controller and that the Processor (and any sub-processor) acts only on the Controller's documented instructions.

GDPR: Controllers must appoint Processors under a binding written agreement which includes the requirements set out in Article 28(3).

Cross-border transfers

DPL 2007: Transfers can take place if made to a location that provides an adequate level of protection, where the Commissioner has granted a permit or written authorisation, or where other circumstances apply.

DPL 2020 adds the ability to transfer personal data outside DIFC to a non-adequate country if appropriate safeguards are put in place, including:

  • a legally binding instrument between public authorities;
  • binding corporate rules; or
  • standard data protection clauses as adopted by the Commissioner.

GDPR: Transfers of personal data outside the European Union are permitted if:

  • the transfer is to a country or international organisation that provides an adequate level of data protection as determined by the European Commission;
  • appropriate safeguards are put in place (standard clauses, binding corporate rules, etc.); or
  • derogations or other specific circumstances apply.

DPL 2020 mirrors this approach.

Breach notifications

DPL 2007: No requirement.

DPL 2020:

  • Notification to the Commissioner: as soon as practicable in the circumstances, where the breach compromises a data subject's confidentiality, security or privacy.
  • Notification to the data subject: as soon as practicable in the circumstances, where the breach is likely to result in a high risk to the security or rights of the data subject.

GDPR:

  • Notification to the supervisory authority: without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects.
  • Notification to data subjects: without undue delay, where the breach is likely to result in a high risk to data subjects.

Penalties

DPL 2007: Maximum fine of USD 25,000.

DPL 2020: Maximum fine of USD 100,000 for an administrative breach, with scope for larger (unlimited) fines for more serious violations. Compensation claims may be made by or on behalf of data subjects. Scope for adverse public statements to be made by the Commissioner.

GDPR: The maximum fine that can be imposed for serious infringements of the GDPR is the greater of €20 million or four percent (4%) of an undertaking's worldwide annual turnover for the preceding financial year.

How to get ready

Organisations need to consider how they will address the requirements of the DPL 2020. For large organisations, this is likely to require the involvement and buy-in of a number of business units, not just limited to the legal team, but also including teams such as HR, marketing, sales, customer service and IT.

Full compliance will require more than a paper-based approach and should involve methodical assessment, planning and implementation. If you have already updated your data procedures and policies in line with the GDPR, you should be compliant with key aspects of DPL 2020; however, you should still consider how your DIFC operations are conducted and whether there are any specific features of DPL 2020 that need close attention.

Suggested activities for all organisations operating in the DIFC include:

  1. Raise awareness across your organisation: making staff aware of the new requirements under DPL 2020 will be critical to ongoing compliance.
  2. Audit all data flows: you should document what personal data you hold, where it comes from and who you share it with. This will be a key foundation for the record of processing activities that needs to be maintained as a requirement under the new law.
  3. Update your privacy notices: you should ensure that your notices for customers, staff and other individuals are updated in line with the requirements set out in DPL 2020.
  4. Assess contracts for compliance: commercial agreements (particularly with third party data processors) and employment contracts should be reviewed for compliance with the new legal requirements. There are more detailed obligations to provide information in processing agreements and consideration should be given to the new legal grounds for processing employee data.
  5. Review your procedures supporting data subjects' rights: DPL 2020 provides data subjects with an increased set of rights. It is important that you review your procedures supporting requests from data subjects (including employees) as DPL 2020 prescribes specific time periods by which you must respond to SARs.
  6. Review how you seek, obtain and record consent: you may choose to collect personal data on the basis of consent. If so, DPL 2020 prescribes specific conditions for consent. It is important that you put in place a procedure for obtaining and documenting consent, particularly if consent is withdrawn.
  7. Establish a data breach procedure: establish a robust data breach procedure in order to detect, report and investigate personal data breaches, as these may have to be reported to the Commissioner or data subjects.
  8. Consider the appointment of a Data Protection Officer: consider whether you need to, or should, appoint a DPO to be responsible for monitoring your organisation's compliance with DPL 2020 and the adequacy of its data protection systems and procedures.

Originally published June 02 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.