The Dubai International Financial Centre (DIFC), a financial services free zone in the Emirate of Dubai in the UAE, has issued a new Data Protection Law (DIFC Law No. 5 of 2020, hereafter referred to as the DPL 2020) that aligns the DIFC more closely with the data protection landscape in Europe.
DPL 2020 replaces the existing data protection law, DIFC Law No. 1 of 2007 (DPL 2007). Like its predecessor legislation, DPL 2020 will regulate the collection, handling, disclosure and use of personal data in DIFC. However, DPL 2020 includes enhanced governance and transparency obligations that mirror many of the principles of the EU General Data Protection Regulation (GDPR), a European Union data protection law that has sparked privacy and data law reform worldwide.
DPL 2020 will come into force on 1 July 2020; however, the Commissioner of Data Protection is not expected to actively enforce the law until 1 October, giving businesses an implementation window of four months in which to review their data processing activities and to prepare.
DPL 2020 aims to further DIFC's desire to be recognised internationally as a top-tier jurisdiction for data protection. The law could be a step on the road towards the DIFC achieving "adequacy" status as a destination for free transfers of personal data from Europe.
Overview
DPL 2020 increases privacy compliance requirements for businesses registered in DIFC or which process personal data within the DIFC as part of "stable arrangements". DPL 2020 operates using core concepts such as "Controller", "Processor" and "Data Subject" that are consistent with the equivalent European concepts.
Key changes brought about by DPL 2020 include:
- Accountability: Controllers and Processors will have to be in a position to demonstrate compliance with DPL 2020. This requires higher governance standards including the maintenance of a record of processing activities.
- Data Protection Officers: Some companies will have to appoint a data protection officer (DPO), depending on whether they conduct High Risk Processing Activities. High Risk Processing Activities include:
  - processing that includes the adoption of new or different technologies or methods that materially increase the risk to data subjects or render it more difficult for data subjects to exercise their rights;
  - processing of a large amount of personal data (including staff and contractor data) where such processing is likely to result in a high risk to the data subject;
  - systematic and extensive automated processing, including profiling, with significant effects; or
  - processing of special categories of personal data (i.e. sensitive data) on a large scale.
- Data Protection Impact Assessments: Controllers will have to conduct data protection impact assessments before undertaking any new High Risk Processing Activity.
- Information notices: Privacy notices will have to be updated to include more information, such as the lawful basis on which personal data is processed by the Controller, the fact that personal data is intended to be transferred outside DIFC (if applicable) and other information specified in DPL 2020.
- Breach notification: Controllers will have to notify the DIFC Commissioner of Data Protection (Commissioner) if a data breach compromises any data subject's confidentiality, security or privacy. If the risk to the data subject is high, the data subject must also be informed.
- Data subject rights: DPL 2020 enhances the rights of data subjects with respect to their personal data, adding the right to data portability, the right to withdraw consent and a time limit in which to respond to a data subject access request.
- Processors: DPL 2020 imposes direct compliance obligations on Processors and also stipulates mandatory contractual requirements that apply to arrangements between Controllers and Processors.
- Joint Controllers: Two or more Controllers who process personal data jointly must enter into legally binding written agreements that clearly define each of their responsibilities.
- Notification requirement: Whilst DPL 2020 does not remove the requirement established under DPL 2007 to register with the Commissioner, it does limit the scope of organisations that have to notify the Commissioner.
Sanctions
As is the case under DPL 2007, the Commissioner has the ability to issue administrative fines to parties who violate the law or fail to comply with a direction issued by the Commissioner.
Both Controllers and Processors may be subject to fines of up to USD 100,000 imposed by the Commissioner and may be found liable by the DIFC Courts to pay compensation directly to data subjects (in addition to the fine from the Commissioner). An action for compensation can be initiated by the data subject but can also be initiated by the Commissioner on behalf of data subjects who have suffered material harm and who are disadvantaged in their ability to bring their own claim. Compensation awards are not subject to a cap under the law.
A Processor will only be liable for damage caused by processing where it has not complied with the obligations of the law specifically directed to Processors, or where the Processor has acted outside the lawful instructions of the Controller. In all other circumstances, the Controller is liable for the damage suffered.
Where more than one Controller or Processor, or both a Controller and a Processor, are involved in the same processing and are responsible for any breach of DPL 2020, each shall be held jointly and severally liable for the entire damage.
The Commissioner retains discretion to seek publication of additional regulations relating to fines and is not solely bound to comply with the provisions of the administrative fine schedule for serious breaches of the DPL 2020. Controllers and Processors should therefore beware of viewing the schedule of administrative fines as representing the "price" of breaching the law (not least because fines are only one small part of the overall cost of a data breach and there is a possibility of further compensation claims).
The Commissioner also has powers to issue public reprimands in relation to violators of the law, which have the potential to damage customer and supplier confidence in the offending entity.
Distinct features of DPL 2020
Emerging tech and friction with data protection laws
DPL 2020 largely mirrors the GDPR. One area, however, where it takes a new approach is in recognising that technology may develop in a way which creates tension with data protection principles and obligations and data subject rights. By way of example, a key advantage of blockchain technology is the creation of an irreversible record. This could be considered to conflict with the principles of storage limitation (where personal data should be retained for a certain period of time and no longer than is necessary) and the right of data subjects to request the erasure of their personal data.
DPL 2020 allows companies to limit data subjects from exercising certain rights, provided that, at the outset, the data subject was provided with clear and prominent information that describes the data processing techniques used by the company. The Controller must also make clear to the data subject that if it proceeds with the processing of the data on such a basis, it would not be possible for the data subject to exercise certain rights that would otherwise be available (for example, to request the erasure of the data).
Non-discrimination
DPL 2020 contains non-discrimination provisions similar to those in the California Consumer Privacy Act, which do not allow data subjects to be discriminated against for exercising their rights.
Comparing the old, the new and the GDPR
We have compiled the following table to assist you in understanding the changes introduced by DPL 2020 and, particularly, how it compares with the GDPR.
| Key features | DPL 2007 | DPL 2020 | GDPR |
|---|---|---|---|
| Who does it apply to? | Any business registered in the DIFC. | | |
| Data Protection Officer | Not required | Controllers or Processors may appoint a DPO. DPOs are mandatory for: | A DPO is mandatory if: |
| Data Protection Principles | Personal data should be: | DPL 2020 adds: | The GDPR sets out seven key principles that should be at the heart of a Controller's processing activities: |
| Accountability | Not required | Controllers and Processors must demonstrate compliance with the data protection principles. | The Controller must demonstrate compliance with the data protection principles. |
| Rights of Individuals | | DPL 2020 adds: | Data subjects have the right to: The GDPR requires Controllers to respond within one (1) month of receiving any request made under the above rights. |
| Conditions for Consent | Not specified | Consent must be a freely given and unambiguous indication of consent. Consent can be withdrawn at any time. | Consent must be a freely given, specific, informed and unambiguous indication of the Data Subject's agreement to the processing of his or her Personal Data. Consent can be withdrawn at any time. |
| Data Processors | No obligation on processors. | DPL 2020 imposes legal obligations on processors as well as controllers. Any breach of their obligations can result in a fine or judicial remedy for data subjects. Controllers and processors must enter into a binding written agreement, which must contain prescribed terms reflecting those set out under Article 24, including that the processor does not appoint sub-processors without the written authorisation of the Controller and that the processor (and any sub-processor) only acts on the Controller's documented instructions. | Controllers must appoint processors in the form of a binding written agreement which includes the requirements set out under Article 28(3). |
| Cross-border transfers | Transfers can take place if made to a location that provides an adequate level of protection, where the Commissioner has granted a permit or written authorisation, or where other circumstances apply. | DPL 2020 adds the ability to transfer personal data outside DIFC to a non-adequate country if appropriate safeguards are put in place, including: | DPL 2020 mirrors the GDPR, which allows transfers of personal data outside the European Union if: |
| Breach notifications | No requirement | Notification to the Commissioner: as soon as practicable in the circumstances, where the breach compromises a data subject's confidentiality, security or privacy. Notification to the data subject: as soon as practicable in the circumstances, where the breach is likely to result in a high risk to the security or rights of the data subject. | Notification to a data protection authority: without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects. Notification to data subjects: without undue delay in the event of a data breach that causes high risk to Data Subjects. |
| Penalties | Maximum fine of $25,000. | Maximum fine of $100,000 for an administrative breach, with scope for larger (unlimited) fines for more serious violations. Compensation claims may be made by or on behalf of data subjects. Scope for adverse public statements to be made by the Commissioner. | The maximum fine that can be imposed for serious infringements of the GDPR is the greater of €20 million or four percent (4%) of an undertaking's global turnover for the preceding financial year. |
How to get ready
Organisations need to consider how they will address the requirements of the DPL 2020. For large organisations, this is likely to require the involvement and buy-in of a number of business units, not just limited to the legal team, but also including teams such as HR, marketing, sales, customer service and IT.
Full compliance will require more than just a paper-based approach and should involve methodical assessment, planning and implementation. If you have updated your data procedures and policies in line with the GDPR, then you should already be compliant with key aspects of DPL 2020; however, you should still consider how your DIFC operations are conducted and whether there are any specific features of DPL 2020 that need close attention.
Suggested activities for all organisations operating in the DIFC include:
- Raise awareness across your organisation: making staff aware of the new requirements under DPL 2020 will be critical to ongoing compliance.
- Audit all data flows: you should document what personal data you hold, where it comes from and who you share it with. This will be a key foundation for the record of processing activities that needs to be maintained as a requirement under the new law.
- Update your privacy notices: you should ensure that your notices for customers, staff and other individuals are updated in line with the requirements set out in DPL 2020.
- Assess contracts for compliance: commercial agreements (particularly with third party data processors) and employment contracts should be reviewed for compliance with the new legal requirements. There are more detailed obligations to provide information in processing agreements and consideration should be given to the new legal grounds for processing employee data.
- Review your procedures supporting data subjects' rights: DPL 2020 provides data subjects with an increased set of rights. It is important that you review your procedures supporting requests from data subjects (including employees), as DPL 2020 prescribes specific time periods within which you must respond to subject access requests (SARs).
- Review how you seek, obtain and record consent: you may choose to collect personal data on the basis of consent. If so, DPL 2020 prescribes specific conditions for consent. It is important that you put in place a procedure for obtaining and documenting consent, particularly if consent is withdrawn.
- Establish a data breach procedure: establish a robust data breach procedure in order to detect, report and investigate personal data breaches, as these may have to be reported to the Commissioner or data subjects.
- Consider the appointment of a Data Protection Officer: consider whether you need to or should appoint a Data Protection Officer to be responsible for monitoring and ensuring the safety of the systems and procedures of your organisation.
Originally published June 02 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.