Introduction to DIFC Law No. 5 of 2020
The Dubai International Financial Centre (DIFC), Dubai's financial services free zone, has issued a new Data Protection Law (DIFC Law No. 5 of 2020), replacing the DIFC Data Protection Law 2007. The purpose of the Law is to set enhanced standards and controls for the processing and free movement of personal data by controllers and processors, and to protect the fundamental rights of data subjects, including how those rights apply to the protection of personal data in emerging technologies. The Law aligns the DIFC's data protection regime with measures adopted elsewhere, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States, by introducing governance and transparency requirements comparable to those international laws.
It is a clear step towards the DIFC establishing itself as an internationally recognized jurisdiction for data protection. This is in turn intended to support an application for "adequacy" status from the European Union, which would simplify transfers of personal data from Europe into the DIFC.
When does the new law come into effect?
The new Law comes into force on 1 July 2020. However, the DIFC Commissioner of Data Protection (the Commissioner) is not expected to actively enforce it until 1 October 2020. This gives organizations until 1 October 2020 (three months after commencement) to review their data protection and processing activities and implement the required compliance measures.
What does the law cover?
- General Requirements: A Controller or Processor must establish a program to demonstrate compliance with the Law. The level and detail of the program depend on the scale and resources of the Controller or Processor, the categories of Personal Data being Processed and the risks to Data Subjects.
- Data Controllers and Processors: Roles and responsibilities of the Controller, Processor and Sub-processor.
- Data Export and Sharing: A Controller may transfer personal data out of the DIFC where the recipient is in a jurisdiction that the Commissioner has determined ensures an adequate level of protection for that personal data. Transfers to other jurisdictions are permitted only where appropriate safeguards are in place (see the Cross-border transfers row in the comparison table below).
- Providing the Information: Where personal data relating to a data subject are collected from the data subject, the Controller must, at the time the data are obtained, give the data subject the prescribed information about the processing (who the Controller is, the purposes and lawful basis of the processing, who will receive the data and what rights the data subject has), not merely a copy of what was captured.
- Data Subject Rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
- Breach Notification: The 2020 Law introduces mandatory breach notification within the DIFC (see the comparison table below). This is a significant change from the position outside the DIFC: there is no mandatory requirement under UAE Federal Law to report data security breaches. Data subjects based in the UAE may, however, be able to hold the entities in possession of their data liable under the principles of the UAE Civil Code for negligence in taking proper security measures to prevent a breach, if the breach has caused them actual losses. In relation to telecommunication services, the Telecoms Law and most Policies do not explicitly require a service provider to notify the TRA of a breach or alleged breach on its own initiative, unless a subscriber complains to the provider about the unauthorized disclosure of his or her data; such a notification is included in the monthly reporting submitted to the TRA (Article 15.10.2 of the TRA Consumer Protection Regulations).
Applicability of the Law
(1) This Law applies in the jurisdiction of the DIFC.
(2) This Law applies to the Processing of Personal Data:
(a) by automated means; and
(b) other than by automated means, where the Personal Data forms part of a Filing System or is intended to form part of a Filing System.
(3) This Law applies as follows:
(a) This Law applies to the Processing of Personal Data by a Controller or Processor incorporated in the DIFC (that is, a company or business registered in the DIFC), regardless of whether the Processing takes place in the DIFC or not.
(b) This Law applies to a Controller or Processor, regardless of its place of incorporation, that Processes Personal Data in the DIFC as part of stable arrangements, other than on an occasional basis. This Law applies to such a Controller or Processor in the context of its Processing activity in the DIFC (and not in a Third Country), including transfers of Personal Data out of the DIFC.
(c) For the purposes of this Article 6(3), Processing "in the DIFC" occurs when the means or personnel used to conduct the Processing activity are physically located in the DIFC, and Processing "outside the DIFC" is to be interpreted accordingly.
(4) This Law does not apply to the Processing of Personal Data by natural persons in the course of a purely personal or household activity that has no connection to a commercial purpose.
(5) This Law is without prejudice to agreements entered into between one (1) or more DIFC Bodies and:
(a) Third Country governments or governmental authorities;
(b) regulatory bodies or public authorities established under the law of a Third Country; or
(c) International Organisations,
where those agreements address the regulation of transfers of Personal Data and include appropriate safeguards for the relevant Data Subjects.
What has changed compared with the DIFC Data Protection Law 2007?

| Key feature | DIFC Data Protection Law 2007 | DIFC Data Protection Law 2020 |
|---|---|---|
| Scope | Any type of business registered in the DIFC | Any business registered in the DIFC, plus any Controller or Processor, wherever incorporated, that Processes Personal Data in the DIFC as part of stable arrangements (Article 6(3)(b) above) |
| Appointing a Data Protection Officer | Not required | DIFC Bodies and organizations conducting High-Risk Processing Activities must appoint a DPO. High-Risk Processing Activities include, among other things, the adoption of new or different technologies or methods that materially increase the risk to data subjects or make it more difficult for them to exercise their rights |
| Principles of data protection | The 2007 Law set out the principles with which Processing of Personal Data must comply | The 2020 Law retains these principles and adds the accountability principle: the Controller must be able to demonstrate compliance |
| Data subject rights | The 2007 Law set out a list of data subject rights | The 2020 Law amends and extends that list; the rights now provided are those listed under Data Subject Rights above, including data portability and rights in relation to automated decision-making and profiling |
| Data Processor obligations | No direct obligations on Processors | The 2020 Law imposes direct obligations on Processors and Sub-processors |
| Cross-border transfers | Transfers were permitted to jurisdictions ensuring an adequate level of protection; other transfers required a permit from the Commissioner or another specific ground | Personal data may be transferred outside the DIFC without permission from the Commissioner where the destination is on the list of adequate jurisdictions. Otherwise the transfer is permitted only if appropriate safeguards are in place, for example standard data protection clauses approved by the Commissioner, legally binding instruments between public authorities, or approved binding corporate rules within a group of companies |
| Breach notifications | No requirement | Notification to the Commissioner as soon as possible in the circumstances where a breach compromises a data subject's confidentiality, security or privacy; notification to the affected data subject(s) as soon as practicable in the circumstances where the breach is likely to result in a high risk to their security or rights |
| Penalties | Maximum fine of USD 25,000 for contraventions | Maximum administrative fine of USD 100,000, with scope for larger (uncapped) general fines for more serious violations. The Law also allows compensation claims to be made by or on behalf of data subjects |
Administrative fines under the DIFC Data Protection Law 2020
The following table sets out the administrative fines that may be applied for non-compliance. Fines range from USD 10,000 to USD 100,000, depending on the provision contravened:

| Relevant article(s) | Key requirements | Maximum fine in case of contravention |
|---|---|---|
| Articles 9–12 | Process data on a lawful basis; obtain the data subject's consent | USD 50,000 |
| Article 14 | Maintain technical and organizational measures to protect personal data; comply with accountability requirements; register with the Commissioner | USD 25,000 to USD 50,000 |
| Articles 15–26 | Maintain records of processing activities; designate a DPO; fulfil DPO tasks; perform assessments; perform prior consultation; cease processing when required | USD 20,000 to USD 50,000 |
| Articles 27–28 | Transfers of personal data to a third country or international organization | USD 10,000 to USD 50,000 |
| Articles 29–32 | Data subject access rights; disclosure of personal data; information on the nature of processing; withdrawal of data subject consent | USD 75,000 |
| Articles 33–38 | Requests for rectification or erasure of personal data; right to restriction of processing; right to data portability; automated individual decision-making, including profiling | USD 100,000 |
| Articles 39, 40, 41, 42 and 65 | Reporting of data breaches; non-discrimination towards data subjects; general exemptions from compliance | USD 25,000 to USD 75,000 |
How Can Network Intelligence Help?
- Phase 1: Assess
- Phase 2: Implementation
- Phase 3: Assistance in Registration
Phase 1: Assess
Purpose: To assess the controls implemented at the organization against the principles of the DIFC Data Protection Law, using a Data Protection Law self-assessment questionnaire. The Network Intelligence consultant carries out the following activities as part of the gap assessment:
- Data privacy maturity assessments
- Data privacy gap assessments against applicable laws and regulations
- Data privacy audits
Deliverables:
- Overall gap assessment report
Phase 2: Implementation
Purpose: To close the gaps found during the assessment phase and to conduct a data protection impact assessment.
Based on the outcome of the assessment phase, the Network Intelligence consultant assists the organization in the following areas:
- Data privacy framework implementation
- Data privacy initiatives implementation
- Data discovery, mapping, and classification, in line with the register of processing
- Data breach management
Phase 3: Assistance in Registration
Purpose: To help the organization register with the DIFC Commissioner of Data Protection, as the Law requires of Controllers and Processors operating in the DIFC.
The Network Intelligence consultant:
- Confirms the scope of the organization's activities in the DIFC that bring it within the Law (as a Controller, Processor or both)
- Identifies the registration and notification obligations owed to the Commissioner for that processing
- Helps the organization prepare and submit its registration to the Commissioner
- Provides formal confirmation of the completed registration
- Provides DPO as a Service to monitor and manage ongoing compliance
Conclusion
Network Intelligence assists the organization in achieving overall compliance with the DIFC Data Protection Law 2020 by improving stakeholder awareness of how personal data are processed and moved by controllers and processors, and thereby helps protect the fundamental rights of data subjects.