The New DIFC Data Protection Law of 2020

Introduction to DIFC Law No. 5 of 2020

Dubai International Financial Center (DIFC), Dubai’s financial services free zone, has issued a new Data Protection Law (DIFC Law No. 5 of 2020), replacing the current regime. The purpose of this law is to provide enhanced standards and controls for the processing and free movement of personal data by controllers or processors and to protect the fundamental rights of data subjects. It includes how such rights apply to the protection of personal data in emerging technologies. The law aligns DIFC’s data protection landscape with measures adopted globally, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. The goal is to establish enhanced governance and transparency requirements that will place DIFC on par with international laws and regulations.

It is a clear step towards DIFC establishing itself as an internationally recognized jurisdiction for data protection. In turn, this will contribute to achieving “adequacy” status, thus facilitating the transfer of personal data from Europe.

When does the new law come into effect?

The new law comes into force on 1 July 2020. However, the DIFC Commissioner of Data Protection (the Commissioner) is not expected to actively enforce the law until 1 October 2020. This gives organizations a window of four months in which to review their data protection and processing activities and implement the latest compliance measures.

What does the law cover?

General Requirements: A Controller or Processor is required to establish a program to demonstrate compliance with this Law, the level and detail of which will depend on the scale and resources of the Controller or the Processor, the categories of Personal Data being Processed and the risks to the Data Subjects.
Data Controllers and processors: Roles and Responsibilities of the Data Controller, Processor, and Subprocessor.
Data Export \ Download and Sharing: Data controllers may transfer personal data out of the DIFC if the personal data is being transferred to a Recipient in a jurisdiction that has laws that ensure an adequate level of protection for that personal data (DPL, Article 11(1)(a)). An adequate level of protection is when the level of protection in that jurisdiction is acceptable according to the DPR or any other jurisdiction approved by the CDP (DPL, Article 11(2)).
Providing the Information: Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the information that has been captured by the Data Controller.
Data Subject Rights: The right to be informed, The right of access, The right to rectification, The right to erasure, The right to restrict processing, The right to data portability, The right to object, Rights in relation to automated decision making and profiling.
Breach Notification: There is no mandatory requirement under UAE Federal Law to report data security breaches.Data subjects based in the UAE, however, may be entitled to hold the entities in possession of their data liable under the principles of the UAE Civil Code for their negligence in taking proper security measures to prevent the breach, if such breach has resulted in actual losses being suffered by the data subjects. In relation to telecommunication services, the Telecoms Law and most Policies do not include an explicit requirement on service providers to take the initiative in notifying the TRA of a breach or alleged breach, unless a subscriber complains to a service provider about the unauthorized disclosure of his or her data. Such a notification would be included in the monthly reporting which is submitted to the TRA (Article 15.10.2 of the TRA Consumer Protection Regulations).

Applicability of the Law

(1)This Law applies in the jurisdiction of the DIFC.

(2) Law applies to the Processing of Personal Data:

(a) by automated means; and

(b) other than by automated means where the Personal Data forms part of a Filing System or is intended to form part of a Filing System.

(3) This Law applies as follows:

(a) This Law applies to the Processing of Personal Data by a Controller or Processor incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC or not, Companies or businesses registered under DIFC.

(b) This Law applies to a Controller or Processor, regardless of its place of incorporation, that Processes Personal Data in the DIFC as part of stable arrangements, other than on an occasional basis. This Law applies to such a Controller or Processor in the context of its Processing activity in the DIFC (and not in a Third Country), including transfers of Personal Data out of the DIFC.

(c) For this Article 6(3), Processing “in the DIFC” occurs when the means or personnel used to conduct the Processing activity are physically located in the DIFC, and Processing “outside the DIFC” is to be interpreted accordingly.

(4) This Law does not apply to the Processing of Personal Data by natural persons in the course of a purely personal or household activity that has no connection to a commercial purpose.

(5) This Law is without prejudice to agreements entered into between one (1) or more DIFC Bodies and:

(a) Third Country governments or governmental authorities;

(b) regulatory bodies or public authorities established under the law of a Third Country; or

(c) International Organisations that address regulating the transfer of Personal Data and include appropriate safeguards for the relevant Data Subjects.

What has Changed while comparing the earlier DIFC Data Protection Law 2007?

Key features	DIFC Data Protection Law 2007	DIFC Data Protection Law 2020
Scope	Any type of business registered in the DIFC	In addition to any business registered in the DIFC, the 2020 Law applies to: Any business which processes personal data within the DIFC as part of stable arrangements Any business which processes data on behalf of either or of the above
Appointing a Data Protection Officer	Not required	DIFC bodies and companies conducting High-Risk Processing Activities will need to appoint a DPO. The definition of High-Risk Processing Activities includes Adoption of new or different technologies or methods that materially increase the risk to data subjects or renders it more difficult for data subjects to exercise their rights; Processing a large amount of personal data (including staff and contractor data) where such processing is likely to result in a high risk to the data subject; Systematic and extensive automated processing, including profiling, with significant effects; and Processing of special categories of personal data (i.e. sensitive data) on a large scale.
Principles of data protection	As per the 2007 Law, personal data should be: Processed fairly and lawfully Processed securely Collected for a specific purpose (i.e., purpose limitation), and adequate, relevant and not excessive for that purpose (i.e., data minimization) Accurate Not retained for longer than is necessary for the purposes for which they were collected (storage limitation)	The new law adds the accountability principle, and adds that personal data must be: Processed in a transparent manner Processed following the application of subject’s data rights
Data subject rights	The 2007 law detailed the following data subject rights: Right to access personal data Right to rectification of personal data Right to erasure or blocking of personal data Right to object to the processing of personal data under certain circumstances, (such as when it is used for direct marketing)	Following are the Changes in the new Law: to withdraw consent at any time. An absolute right available to a data subject if the basis for the processing of the personal data is consent; to access information on their data. There is a timeframe of one month to respond to data subject access requests at no charge. Complex requests can be extended by a maximum of two further months; to data portability, where the processing of personal data is based on consent, the performance of a contract, or is carried out by automated means. The data subject has the right to receive a copy of their data in a structured, commonly used, machine-readable format that supports re-use; to object to automated decision making, including profiling, and the right not to be subject to decisions based solely on automated processing which significantly affects them; to non-discrimination. If individuals exercise any of their rights under the DP Law, controllers may not deny any goods or services; charge different prices or rates, including through the use of discounts or other benefits or imposing penalties; or provide a lesser quality of goods or level of services
Data Processor obligations	No obligation on Processors	The new law adds the following: Obligations on Data Processors – any breach of the obligations may result in the Data Processors facing fines or judicial remedies for data subjects Binding written agreements between Controllers and Processors are now required, with the prescribed term Processors may not appoint sub-processors without the written authorization of the Controller Processors (and any sub-processors) must only act on the Controller’s documented instructions
Cross-border transfers	Transfers could previously take place: If made towards a location that provides an adequate level of protection (as deemed by the Commissioner) Where the Commissioner has granted a permit or written authorization Where other circumstances apply	The 2020 law allows for the ability to transfer personal data outside DIFC to a non-adequate country if appropriate safeguards are put in place, such as · Personal data can be transferred outside of the DIFC without permission from the Commissioner if a country falls under the ‘adequate jurisdiction’ list. Otherwise, it is permitted to transfer the data, so long as appropriate safeguards are in place (e.g. by adopting standard data protection clauses approved by the Commissioner, by legally binding instruments between public authorities, and through (approved) binding corporate rules within the same group of companies).
Breach notifications	No requirement	Breach notifications are now required: — To the commissioner: As soon as possible in the circumstances, when the breach compromises a data subject’s confidentiality, security, or privacy. — To the data subject(s): As soon as practicable in the circumstances, when the breach is likely to result in a high risk to the security or rights of the data subject.
Penalties	A maximum fine of USD 25,000 for contraventions	The new law sets a maximum fine of USD 100,000 for administrative breaches, with additional scope for larger fines (unlimited) for more serious violations. The law adds the ability for compensation claims to be made by or on behalf of data subjects.

Penalties as per the New UAE Data Protection law 2020

Fines vary from USD 10,000 to USD 100,000 depending on the corresponding contraventions of the law

The following table sets out administrative fines that may be applied for non-compliance. Fines vary from USD 10,000 to USD 100,000, depending on the corresponding contraventions of the law:

Relevant article(s)	Key requirements	Maximum fine range in case of contravention
Articles 9 – 12	— Process data on a lawful basis — Obtain data subject’s consent	USD 50,000
Article 14	— Maintain technical and organizational measures to protect personal data — Comply with accountability requirements — Register with commissioner	USD 25,000 to USD 50,000
Articles 15 – 26	— Maintain records of processing activities — Designation of DPO — Fulfilment of DPO tasks — Perform assessments — Perform prior consultation — Cease processing when required	USD 20,000 to USD 50,000
Articles 27 – 28	— Third country or international organization personal data transfer	USD 10,000 to USD 50,000
Articles 29 – 32	— Data subject access rights — Disclosure of personal data — Nature of processing information — Withdrawal of data subject consent	USD 75,000
Articles 33 – 38	— Request for rectification or erasure of personal data — Right to restriction of processing of personal data — Right to data portability — Automated individual decision-making, including profiling	USD 100,000
Articles 39, 40,41,42,65	— Failure to report data breach — Non-discrimination towards data subject — General exemptions of compliance	USD 25,000 to USD 75,000

How Can Network Intelligence Help?

Phase 1: Assess
Phase 2: Implement
Phase 3: Assistance in Registration

Phase 1: Assess

Purpose: The purpose of this phase is to assess the security controls implemented at the organization against the principles of the DIFC Data Protection Law with the help of the Data Protection Law self-assessment questionnaire. The consultant from Network Intelligence will carry out the following activities as part of gap assessment:

Data privacy maturity assessments
Data privacy gap assessments against applicable laws and regulations
Data privacy audits

Deliverables:

Overall gap assessment report

Phase 2: Implementation

Purpose: To close the gaps found during the gap assessment phase and to conduct data protection privacy impact assessment.

Network Intelligence Consultant will help the organization in the following areas based on the outcome of gap assessment phase:

Data privacy framework implementation
Data privacy initiatives implementation
Data discovery, mapping, and classification, in line with the register of processing
Data breach management

Phase 3: Assistance in Registration

Purpose: To aid the organization for getting it registered with the national data protection authority in the area where it intends to do business with DIFC:

Network Intelligence Consultant provides consultation for getting the organization registered within the DIFC, Data Protection authority:

Identifies the area in DIFC where the organization intends to do business
Identifies the national data protection authority of that region, International Commissioner Office
Helped the organization in getting registered with the national data protection authority
Provided formal notification of the enrollment
Provide DPO as a Service to Monitor and Manage

Conclusion

Network intelligence will assist in overall compliance for the organization with the DIFC, Data Protection Law 2020 by improvising awareness amongst the stakeholders about the processing and movement of the personal data by the controllers or processors and henceforth protect the fundamental rights of data subjects.

Swapnil Jariwala