On July 1, 2020, the Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020 came into effect (“New DP Law”). Due to the current pandemic, a three-month grace period, running until October 1, 2020, has been provided for companies to comply. The New DP Law replaces DIFC Law No. 1 of 2007. The release of the New DP Law is, in part, an effort to ensure that the DIFC, a financial hub for the Middle East, Africa and South Asia, meets the standard of data protection required to receive an “adequacy” finding from the European Commission and the United Kingdom, meaning that companies may transfer EU/UK personal data to the DIFC without putting in place a transfer mechanism (such as Standard Contractual Clauses).
The New DP Law will apply to companies incorporated in the DIFC, regardless of where processing takes place, or companies that, whilst incorporated elsewhere, process personal data in the DIFC as part of stable arrangements (other than occasional processing). In the latter case, the New DP Law only applies to those processing activities taking place within the DIFC. The New DP Law reflects many aspects of the EU’s General Data Protection Regulation (the “GDPR”), including:
- Accountability Requirements: Controllers are required to put in place programs demonstrating compliance with the New DP Law, similar to the GDPR’s accountability requirements.
- Data Protection Principles: The New DP Law sets out requirements for processing that are largely identical to the data protection principles under the GDPR.
- Lawful Bases for Processing: The New DP Law provides essentially the same legal bases for processing of personal data as the GDPR. With regard to consent, the New DP Law reflects elements of the GDPR’s standard, i.e., that the consent be freely given and demonstrated by a clear affirmative act showing an unambiguous indication of consent.
- Data Subject Rights: Data subjects are provided certain rights in relation to their personal data and data controllers also are required to provide data subjects with information relating to processing and an individual’s rights with respect to their data.
- Data Protection Officer (“DPO”) and Data Protection Impact Assessments (“DPIAs”): A DPO must be appointed to monitor and advise on compliance with the New DP Law where a controller or processor engages in “high risk processing activities” on a systematic or regular basis, the definition of which includes criteria that are similar, but not identical to, the criteria for appointment of a DPO under the GDPR. Additionally, high risk processing activities also trigger the requirement for a controller to carry out a DPIA.
- Data Transfers: The New DP Law prohibits transfers outside of the DIFC where the Commissioner of Data Protection has determined that the recipient jurisdiction, or a specified sector within the recipient jurisdiction (a deviation from the GDPR) provides an adequate level of data protection. Among the available safeguards that will permit such transfers are Standard Contractual Clauses or Binding Corporate Rules.
- Data Breach Notification: Controllers are required to notify the Commissioner of Data Protection of any personal data breach that compromises a data subject’s confidentiality, security or privacy. Data subjects also must be notified if the breach is likely to result in a high risk to their security or rights.
- Special Category Data: There is a general prohibition on the processing of special category data unless a derogation applies.
- Controller-Processor Agreements: Controllers must put in place legally binding written agreements with processors to whom they disclose personal data, as under Article 28 of the GDPR, and processors are expected to execute the same agreements with sub-processors.
The New DP Law also incorporates certain aspects of the California Consumer Privacy Act of 2018 (“CCPA”) and its proposed regulations. Specifically, the New DP Law follows the CCPA in prohibiting businesses from discriminating against consumers for exercising their rights under the CCPA, including by offering a financial incentive or price or service difference (subject to certain exemptions).
For more detail, read the full client alert.