The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DIFC Law No. 5 of 2020) was enacted on June 1, 2020 by His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, in capacity as the Ruler of Dubai. Like its predecessor, the geographic scope of the law is limited to the Dubai International Financial Centre (DIFC) rather than the entire territory of the Dubai emirate. The new 50-page law, which modernizes the current data protection law, law N. 1 of 2007, will come into effect on July 1, 2020, at which time the pre-existing law of 2007 and all related regulations will be repealed.
DIFC Law No. 5 of 2020 is the third law adopted in the DIFC to address the protection of personal data. The first DIFC data protection law was passed in 2004, and the second one in 2007. With the enactment of Law No. 5 of 2020, the DIFC reacts to the enactment of the EU General Data Protection Regulation (GDPR) and California’s Consumer Protection Act (CCPA) by introducing the concepts of accountability, enhancing individuals’ control over their personal data and prohibiting discrimination of individuals who elect to restrict the use of their personal data by a data controller.
According to its Article 5, the purpose of Law No. 5 of 2020 is to provide standards and controls for the processing and free movement of personal data, and to protect the fundamental rights of the data subjects. Interestingly, Article 5 also specifies that the purpose of the law is to protect the fundamental rights of data subject “including how such rights apply to the protection of personal data in emerging technologies.”
The DIFC Data Protection Law applies to the processing of personal data by a controller or processor incorporated in the DIFC, regardless of whether the processing takes place in the DIFC or not. It also applies to a controller or processor, regardless of its place of incorporation, that processes personal data in the DIFC as part of stable arrangements, other than on an occasional basis. The law applies to such controller or processor in the context of its processing activity in the DIFC, including transfers of Personal Data out of the DIFC.
Nine Data Protection Principles
The law sets out nine data protection principles, which are outlined in a manner similar to that which is used in the EU’s GDPR. Also like in the GDPR, the requirements include a separate obligation for accountability whereby the data controller or processor is responsible for, and must be able to demonstrate, its compliance with those nine principles.
Lawfulness of the Processing
Law No. 5 of 2020 identifies six bases for what constitutes “lawful processing”. These bases include consent, necessity (the processing is necessary to perform certain specified tasks), and legitimate interest. In the same manner as provided in the GDPR, the processing can be justified by a “legitimate interest” only if the interest of data controller is not overridden by the rights or interests of the data subject. Article 13 of the law defines circumstances that would be considered “legitimate interest”, including the prevention of fraud, or ensuring security.
The law details accountability obligations for controllers and processors, including requirements for the development of a program to demonstrate compliance with the law and the implementation of appropriate technical and organizational measures to demonstrate that the processing is performed in accordance with the law.
A written “data protection policy”, and controllers and processors must follow the principle of data protection by design and by default. There are also requirements for the development of a record of processing activities, appointment of data protection officers (in specified circumstances, including for example, “high risk processing activities”), conducting data protection impact assessments and imposing contractual obligations that protect individuals and their personal data.
Notification of the Data Protection Commissioner
Unlike the EU GDPR, which removed the obligation under prior law to notify the country’s data supervisory authority, the new DIFC data protection law retains the existing obligation for data controllers to register their processing activities with the DIFC’s data protection commissioner by filing a “notification of processing operations” and it extends that obligation to data processors. The notification must be kept up to date through amended notifications.
Cessation of Processing
Article 22 details the procedures that the data controller must follow when it must cease the processing of the data. “Cessation of processing” may occur when the basis for processing changes or ceases to exist, or when the controller is required to cease processing due to the exercise of the data subject’s rights. The obligation also extends to ensuring that all data processors perform similar activities on the data held by them. This useful and practical provision does not appear to resemble any other provision in other similar laws in other countries.
Rights of Individuals
Article 32 to 38 of DIFC Law No. 5 of 2020 grants enhanced rights to individuals. These rights include, for instance, right to withdraw consent, right to access, rectification and erasure of personal data, right to object to the processing, right to restrict the processing, right to data portability, right to object to any decision based solely on automated processing, including profiling. These rights are generally comparable to those outlined in the EU GDPR or Brazil LGPD, for example.
Right of Non-Discrimination
Article 39 provides a right of “non-discrimination” which resembles some aspects of California’s CCPA. It prohibits discrimination against an individual who has exercised her rights (for example, right to restrict the processing of her data) by denying any goods or services to that individual, or charging different prices, or providing goods of less quality. Like the California CCPA, the clause allows controllers to offer financial and other incentives to data subjects for their willingness to allow the controller to use personal information about them.
Crossborder data transfers
The new law contains the usual restrictions to the transfer of personal data out of the territory, and requires that the country of the recipient provide “adequate protection” or in the absence of such laws that the data exporter and data importer provide adequate safeguard, such as those that would come from binding corporate rules, standard contractual clauses, and the like, unless a derogation applies.
The new DIFC data protection law introduces comprehensive provisions regarding the notification of data breaches. Like the GDPR, the law distinguishes notification to be provided to the data commissioner from notification to be provided to the data subjects. Unlike GDPR or some US laws, there is no set maximum number of days for making the notification to the Commissioner. The time frame for making the initial notification is “as soon as possible” and the triggering event is measured by how or whether the incident “compromises confidentiality, security or privacy”.
Notification to data subjects is triggered only when the breach “is likely to result in a high risk to the security or rights of a data subject”. In this case, there is also no maximum time frame for making the notification. It would be ”as soon as practicable” in most circumstances, or “promptly” when there is “an immediate risk of damages”.
Remedies, Liability and Sanctions
Part 9 of the DIFC Law N. 5 of 2020 addresses remedies, liability and sanctions. A wide variety of sanctions is provided, going from warnings to the issuance of a “direction” requiring a controller or processor to do or refrain from doing certain acts, to fines, payment of damages and compensation to the data subject, or payment of the costs incurred by the data commissioner or other person. The new law leaves to the Board of Directors of the DIFCA to draft regulations on this matter.
Data Sharing; Response to Request from Public Authority
Article 28 of Law No. 5 of 2020 provides guidance for the procedures to be followed when a data controller or processor receives a request from a public authority regarding the disclosure and/or transfer of personal data. The guidance provided is practical and detailed.
According to the press release issued by the DIFC, these provisions may form the first step towards data sharing standards within the UAE and the region.
Code of Conduct and Certification
Article 48 of the law provides for the use of “codes of conduct” and Article 49 provides for “certification schemes”. Both concepts will be familiar to those companies that operate in, or do business with, the European Union or European Economic Area.
In light of the current global pandemic, while the Data Protection Law is effective from July 1, 2020, businesses to which it applies will have a grace period of three months, until October 1, 2020, to prepare to comply with it, after which the new data protection law will becomes enforceable.
According to the DIFC press release, the Board of Directors of the DIFC Authority is issuing new Data Protection Regulations that set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data.