Date: 2026-01-21

Regulation 10 of the Data Protection Regulations was introduced in late 2023 in the Dubai International Financial Centre, and forms part of the UAE's evolving regulatory framework governing the use of personal data in artificial intelligence systems.

Regulation 10 of the Data Protection Regulations (the "DPR") was introduced in late 2023 in the Dubai International Financial Centre ("DIFC"), and forms part of the UAE's evolving regulatory framework governing the use of personal data in artificial intelligence ("AI") systems. It establishes a framework for the processing of personal data by autonomous and semi‑autonomous systems in the DIFC and supplements the DIFC Data Protection Law (the "DPL"). Regulation 10 aligns with emerging international approaches by adopting interoperable concepts drawn from the OECD guidelines and data protection regimes in the United Kingdom and European Union. Regulation 10 is significant given its introduction of both general and system-specific certification requirements, including enhanced obligations and restrictions on the deployment of high risk AI systems. The Information Commissioner is anticipated to provide further guidance on the deployment of high risk AI systems in due course.

Systems, Deployers and Operators

Regulation 10 defines a "System" as any machine‑based system that operates autonomously or semi‑autonomously, can process personal data for human‑defined purposes or for purposes the System defines within human‑set parameters, and generates outputs on that basis.

Regulation 10 places accountability on the visible entities that authorise or benefit from System operation by introducing the following roles:

A Deployer, being a person under whose authority or for whose benefit the System operates or who benefits from its output. The Deployer is deemed the controller for regulatory purposes. Systems that act under a Deployer's authority draw liability back to that Deployer.

An Operator, being the provider that operates or supervises a System on a Deployer's direction and is deemed the processor.

Autonomous Systems and Personal Data

As a System is comprised of data, Regulation 10 clarifies that if a System resembles the physical appearance or behaviour of an identifiable natural person, its use may constitute processing of that person's personal data even if no other personal data is processed. Virtual personas and avatars that identify an individual may fall within scope.

Where personal data is processed for use in or to enable the learning processes of a System, both Deployers and Operators must comply with the general requirements for lawful and legitimate processing in the DPL.

Transparency and User Notice

Deployers and Operators must provide notice at initial use or access to any application or website service that uses Systems to process personal data. The notice must:

Alert users to technology and processes that undertake processing not initiated or directed by humans;

Explain whether processing is confined to human‑defined purposes or whether the System can define further purposes; and

Indicate any impact on the exercise of certain rights where technology limits a data subject's ability to exercise rights such as erasure.

The notice must also include a description of:

The human‑defined purposes for which personal data is processed by the System;

The human‑defined principles and limits that govern any self‑defined purposes; note that human‑defined purposes must prevail over System‑defined purposes and any dynamic purposes must be constrained by detailed principles hard coded into the System;

The System's outputs and how they are used;

The principles underpinning System design and operation, including built‑in safeguards to ensure compliance with the DPL and Regulation 10; and

Any codes, certifications, or principles on which the System relies, such as OECD, UNESCO, NIST, Dubai Digital Authority or relevant regulators' guidelines.

Data subjects may challenge System outcomes by submitting complaints under the DPL. Deployers and Operators must ensure Systems facilitate the effective exercise of rights and must be able to explain processing in non‑technical terms with appropriate supporting evidence.

Evidence, Risk Controls and Registers

Deployers and Operators must be able to produce evidence of:

Compliance with applicable audit and certification requirements;

Algorithms that trigger human intervention where processing may produce unfair or discriminatory impacts or unjust bias, with associated risk and impact assessments that consider potential High Risk Processing;

Algorithms that trigger human intervention when access by competent authorities is required for law enforcement, with risk and impact assessments;

Algorithms that trigger human intervention where processing may infringe the digital communication requirements in the DPR, with risk and impact assessments.

Deployers and Operators must also maintain and provide a register of System use cases and processing activities, including necessity and proportionality, access mechanisms for data subject rights, whether the System is used to make automated decisions, the third parties or requesting authorities with whom personal data is shared and under which lawful bases, the locations of those parties, and export safeguards.

Misleading notices or misstatements about certifications and adherence to principles may trigger investigation and enforcement.

Principles and Certification

Systems must be designed to be ethical, fair, transparent, secure, and accountable. The Commissioner anticipates a permissive certification‑based regime rather than licensing. General certification requirements will be set in future guidance (expected in 2026), with specific and stricter requirements for High Risk Processing. Once established, all Systems must comply with applicable audit and certification requirements.

A System may be used only if it processes personal data for human‑defined or human‑approved purposes or for System‑defined purposes that are strictly based on human‑defined principles and within human‑defined constraints. Systems capable of dynamically generating purposes must remain bounded by those hard-coded human principles.

High Risk Processing

No person may use, operate, provide or offer a System to engage in High Risk Processing unless:

The Commissioner has established audit and certification requirements for such Systems (further guidance expected in 2026);

The System processes personal data solely for human‑defined or human‑approved purposes; or

The Deployer or Operator has appointed an Autonomous Systems Officer ("ASO") with substantially similar status, competencies and tasks to a DPO under the DPL. The ASO's role mirrors the DPO's focus on governance, DPIAs, risk review with senior management and recommendations for accountability and compliance.

© Copyright 2026. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.