As the world becomes a smaller place and sharing personal data for availing services, for reasons ranging across identity verification and targeted marketing through mails, has become so much more frequent and necessary than ever. It is even reported by multiple sources that personal data of individuals get sold on the black market for prices ranging across several hundred dollars for significant confidential information such as bank transaction details, Pay Pal transaction histories and much more. Hence, protection of personal data has become an important prerogative for governments across the globe.

The Dubai International Financial Centre (DIFC), a financial free zone in the UAE's Emirates Emirate, has adopted a new privacy law, DIFC Law No. 5 of 2020. Like its predecessor legislation, the new law regulates the collection, processing, disclosure and use of personal data in the zone. The financial and reputational consequences of non-compliance can be considerable, including administrative fines up to $100,000, with the possibility for higher and unlimited fines for serious violation of the law. The new Data Protection Law contains better governance and transparency obligations that reflect many of the principles of the General Data Protection Regulation (GDPR) of the EU – the Data Protection Law of the European Union – that triggered the reform of data protection and data law.

Key Stipulations and Entering into Force

The new Data Protection Law (DIFC) entered into force in 2020, providing companies ample time to review and prepare their data protection and processing activities. The new DP Law brings the DIFC legislation into line with international data protection standards, including the European General Data Protection Regulation (GDPR), and is expected to be a step-by-step amendment to the DIFC Data Protection Act (DP). The DP Act enters into force on 1 June 2020 and replaces and extends the existing Data Protection Law.

The law applies to all companies operating in the DIFC, doing business or attempting to do business, regardless of whether the process takes place outside the DIFC or not. Organisations that were subject to the previous law are still in force were suggested to review their data processing activities to ensure that they comply with this law as well. Companies carrying out high-risk data processing activities will have additional compliance requirements under this law, including the obligation to nominate a data protection officer. The Data Protection Commissioners are responsible for monitoring compliance with DP and other applicable data protection laws and to oversee the data protection impact assessments carried out by the Company. The contact details of the data protection officers need to be communicated to the data subjects whose personal data is collected.

The Data Protection Law and Operation

The Data Protection Law regulates the collection, processing and use of personal data in the DIFC. It protects the rights of individuals and their personal data. It embodies international standards of best practice, in line with the EU and OECD rules and aims to balance legitimate needs of businesses and organisations processing personal data while respecting the right of individual to privacy. It repeals and replaces the existing data protection law of 2007, under the introductory provision. The new law seems to give more teeth to the data protection regime of the UAE. Let us delve into the specific provisions of the law.

Data Processing: The data protection law applies to DIFC and includes processing of data, in both automated and non-automated means of data collection. Here, the data included within the scope is quite inclusive and excludes only data collected for purely personal matters. The Part 2 of the law which specifically addresses processing of personal data mandates, under Article 9, that the data is processed fairly, lawfully and in a transparent manner for legitimate purposes alone. It also elucidates on respecting rights of the data subjects - the individuals from whom data is collected, preventing unauthorised use, ensuring consent and the responsibility on the entities processing data to keep the same secure. The law also specifies how to process the data as per Article 10, whereby it mandates that data shall be processed only if it is necessary to comply with laws, meet the ends of the customers and so on, leaving no room for any arbitrariness. The specific forms of data processed are addressed as well, which we would not be delving into in this article. Furthermore, data can only be collected to the extent required by the purpose for which it is collected, which has to be lawful as well.

Consent: Another glaring feature of this law is the high standard adopted in defining "Consent". Consent, defined under Article 12, mandates that the same has to be freely given with a clear affirmative act, paving way for informed consent being a condition precedent to collecting personal data. The consent will not be valid if it is the prerequisite for some act or even performance of contract by another party, cutting out unnecessary data collection where subjects are forced to provide personal information to access services essential to them. Furthermore, the law requires the controller of the data to be able to demonstrate that consent was freely given. Moreover, the subjects are allowed to withdraw consent whenever they want as per the provisions of Article 32 of the same law. The ones who are providing their personal data need to be informed of their rights and the purpose of the data collected at the time of taking consent.

Data Controller and Duties: The Data Protection Law contains the concept of a controller who determines the purpose and methods of processing and a processor who processes personal data. The DIFC Board of Directors has the power to issue regulations that exempt the controller from compliance with the law. Both the controller and the processor are subject to the legal provisions, but the obligations imposed on the processor are limited.

As per Article 14, the controller has to be able to demonstrate compliance with the laws and has to organise and incorporate technical measures to implement the law and ensure security of data collected. Furthermore, here the law reiterates that the data collected should only be up to the extent required. Furthermore, the law mandates an impact assessment before any high risk data collection operation is being organised and the controller has to consult the Commissioner in case the risk levels continue to be on the high. The Commissioner is appointed by the President as per Article 43 of the law.

Rights of Data Subjects: Here, it has to be noted that the data subjects are to be given information in accessible language, enabling them to make a decision knowing very well the implications of their consent, as per Part 5 of the Law. Furthermore, transfer of data outside the DIFC can only happen if adequate safety mechanisms are in place and can only happen if it complies with the requirements specified under Article 27, which include appropriate safeguards and the transfer falling within the reasons mentioned therein, such as explicit consent or necessity for performance. Furthermore, Part 6 of the Law elucidates on the rights of the data subjects which is an exhaustive list of rights including right to withdraw consent by informing the controller, right to erasure, right to object to processing of personal data on reasonable grounds and right to receive data given to the controller in an orderly manner (data portability). Furthermore, these rights also include non-discrimination and mandates that the controller should provide means to exercise each of these rights. Furthermore, breaches which might have happened to personal data needs to be reported to the Commissioner as well as the subject.

During the current pandemic, a three-month grace period was provided so that companies comply. The transitional period gives affected companies a short timeframe to review the new law and implement the necessary changes to their regulatory compliance programs. The DPL 2020 maintains certain features of the 2007 such that transfers must be authorised by a suitable country, thereby excluding the possibility of transfers without the written authorisation of the Commissioner or the Data Protection Supervisor. It has to be noted that the new law gives extra-territorial reach to this law, thereby rendering non-DIFC entities covered by the updated law if their employees process data outside the DIFC with systems outside the DIFC.

The Data Protection Law Requires Prompt Action!!

If you own or operate a DIFC facility, you must take into account the nature and scope of the personal data you process in order to determine to what extent you comply with the new Data Protection Law. You may also need to amend certain provisions of your standard agreements to take new privacy standards into account. Companies established outside the DIFC or outside a DIFC that processes personal data should take immediate action to verify that they are exposed to the updated law, carry out a gap analysis of their compliance and take all necessary measures to comply with the extended obligations. Entities in the DIFC are responsible for abiding by and implementing the provisions relating to the application of this law. The President of Dubai International Financial Centre is responsible for the appointment of a Commissioner for purposes of this law and the Commissioner will administer the law. The Board of Directors of the DIFC has also adopted a new Data Protection Regulation (the "Regulation") laying down the procedures for notifying the Data Protection Supervisor, accountability for records and fines, and appropriate jurisdiction for the cross-border transfer of personal data.