ARTICLE
25 July 2025

DIFC Enacts Key Amendments To Data Protection Law

BSA Law

Contributor

BSA is a full-service law firm headquartered in Dubai, UAE, with 9 offices across the region. We are deeply rooted in the region, offering a competitive advantage to clients seeking advice that works in the real world and is truly in tune with the market. We have rights of audience in every country where we have an office, which means that we can litigate all the way from the boardroom to the courtroom.

Introduction

On 8 July 2025, the Dubai International Financial Centre ("DIFC") enacted a comprehensive set of legislative amendments following a public consultation paper released in February 2025.

A focal point of these amendments is the Data Protection Law ("DPL"), which has undergone substantial revision to clarify extra-territorial applicability, address data sharing with authorities and reinforce the right of action of data subjects.

Article 6: Clarifying the Scope of Application

Article 6 of the DPL clarifies the scope of application of the DPL in respect of when processing is considered to occur "in the DIFC."

The amendment makes clear that the DPL applies not only to entities incorporated in the DIFC but also to non-DIFC controllers and processors who process personal data of individuals who reside or work in the DIFC. This applies whether the data processing is conducted directly or indirectly through stable arrangements with third parties located in the DIFC.

While we do not view this as a substantive amendment per se, as the provision was always understood to apply in this manner, it definitively clears any previous doubt and eliminates any basis to argue that the DPL does not have extraterritorial scope.

Article 28: Refining Data Sharing with Requesting Authorities

Amendments to Article 28(2) update the regulation of cross-border data sharing, especially when data is shared with "Requesting Authorities" outside the DIFC.

Under the revised provisions, data may only be shared with requesting authorities "after" the party has taken reasonable steps to verify that the request is valid and proportionate. The insertion of the word "after" clarifies and reinforces the mandatory nature of this requirement. This clearly makes it a condition precedent to responding to requesting authorities.

Article 64A: Private Right of Action

Perhaps the most transformative amendment is the explicit introduction of a private right of action.

While Article 64 previously stated that a data subject may apply to court for compensation, in practice this right was largely contingent on prior engagement with the DIFC Commissioner. The typical enforcement pathway required the data subject to first lodge a complaint with the DIFC Commissioner, who would investigate and take enforcement action. Only if the DIFC Commissioner declined to act, or the enforcement outcome was unsatisfactory, could the data subject escalate the matter to the DIFC courts, and even then the court's fact-finding powers were limited.

By introducing Article 64A, the DIFC has removed these procedural bottlenecks, providing a direct legal mechanism for data subjects to pursue claims.

Furthermore, Article 64A now explicitly specifies the liabilities of joint controllers, clarifies the liabilities of processors, and expressly includes non-financial damages such as distress. This is in addition to any non-judicial remedies, such as filing a complaint with the DIFC Commissioner. It also establishes a statutory cause of action to enforce these rights.

In our view, this marks a significant shift in the DIFC's approach to data subject empowerment and enforcement mechanisms.

Articles 46 & 47: Expanded Autonomy for the Commissioner

Articles 46 and 47 of the DPL have been updated to enable the DIFC Commissioner to set the scope and function of any advisory committees he establishes, within the parameters of the DPL.

Schedule 2: Enforcement and Penalties

A new fine of USD 25,000 has been introduced for failure to complete the mandatory annual assessment required of controllers. Additionally, the penalties for failing to conduct a data protection impact assessment prior to engaging in high-risk processing activities, as well as for improper data sharing practices, have both been substantially increased to USD 50,000. This represents a notable rise from the previous penalty amounts of USD 20,000 and USD 10,000, respectively.

We believe these heightened fines reflect the DIFC's reinforced commitment to ensuring strict adherence to core data protection obligations, while signaling that non-compliance will attract significant financial consequences.

Concluding Remarks

The amended DIFC DPL sends a clear message that entities cannot avoid compliance with the DPL simply because they are controllers or processors based outside the DIFC, as it is now beyond debate that the DPL applies extraterritorially.

Also, with the addition of a private right of action, we believe controllers and processors face greater liability to compensate individuals for both financial and non-financial harm, including emotional distress.

Finally, the amended penalty regime imposes higher fines, underscoring the DIFC's intent to create a stronger deterrent and drive compliance.

In light of these developments, organizations are advised to review and strengthen their data protection practices to mitigate legal and reputational risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
