DIFC enacts new data protection law to ensure best sharing practices

Revised provisions will come into effect on July 1 and businesses will have a grace period of three months to comply

Samba Financial has had a licence from the Central Bank of the UAE to operate since 2008 but can now also offer services from the emirate's financial free zone after gaining approval from the Dubai Financial Services Authority. Courtesy DIFC
Beta V.1.0 - Powered by automated translation

Dubai issued a new data protection law, which combined best practices of data protection regulations across the world, for companies operating within the Dubai International Financial Centre.

The DIFC Data Protection Law - No 5 of 2020 - will come into effect on July 1, the Dubai government’s media office said in a press statement Monday. The current law, Data Protection Law - No 1 of 2007, will be valid till then.

“DIFC continues to develop its robust regulatory ecosystem built on the principles of compliance, integrity and security,” said Essa Kazim, governor of DIFC.

“DIFC also sets a clear requirement for all organisations to follow best practice relating to data and privacy.”

The new law holds controllers and processors of data accountable through compliance programmes and allows for the appointment of data protection officers where necessary.

The legislation also requires  the rights of users to be made clear, especially when their data are being shared with vendors of emerging technologies, such as blockchain and artificial intelligence.

Meanwhile, permit options for cross-border data transfers and special category personal data processing have been removed.

The law also introduced fines for serious breaches of the regulation, in addition to or instead of administrative fines. The data law will also increase maximum fine limits.

In the wake of the ongoing Covid-19 pandemic, businesses will have a grace period of three months, until October 1, before it becomes enforceable in order to allow organisations to prepare to comply with the new law.

The board of directors of the DIFC Authority has also issued new data protection regulations. They have set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data.

The new regulations also include data sharing structures between government authorities, which represent a key step forward in data sharing standards within the UAE and the region.

“It demonstrates our position as a forward thinking international financial hub shaping the future of finance across the region … enables us to further consolidate the centre’s reputation,” said Mr Kazim.

The new law and regulations provide a framework that will support DIFC’s bid for adequacy recognition by the European Commission, the United Kingdom and other jurisdictions, easing data transfer compliance requirements for DIFC businesses, said Dubai government’s media office.

“The Data Protection Law combines the best practices from a variety of world class data protection laws, such as the General Data Protection Regulation, the California Consumer Privacy Act and other forward-thinking, technology agnostic concepts,” it added.