The new DIFC Data Protection Law (No. 5 of 2020) (the "DPL") and Data Protection Regulations (the "Regulation") came into force on 1 July 2020, replacing Data Protection Law (No. 1 of 2007) (the "Old Law"). The DPL adopts best practice standards from around the world and is consistent with OECD Guidelines and EU regulations, namely the General Data Protection Regulation ("GDPR").
The DPL is a comprehensive piece of legislation, governing the collection, processing, storage and use of Personal Data in the DIFC. Those familiar with data protection laws in other jurisdictions will no doubt recognise and be familiar with some of the changes, in particular the enhanced protections given to Data Subjects.
The DPL also considers the impact of emerging technologies on data use, movement and protection. This is an important development given the number of businesses to which the DPL will apply who are beginning to, if they are not already, using emerging technologies (such as coding and blockchain) in their day to day business.
The Office of the Data Commissioner in the DIFC (the "Commissioner") has announced that businesses have until 1 October 2020 to ensure they are operating in compliance with the DPL. This briefing looks at the key changes made by the DPL, as compared to the Old Law, what businesses need to be considering in the lead up to 1 October 2020 and the consequences if compliance is not met.
Who does the DPL apply to?
Whilst there is currently no onshore federal Data Protection Law in the UAE, the application of the DPL is farreaching, and in some circumstances may even apply to businesses not located in the DIFC.
The DPL applies to:
- Controllers and/or Processors of Personal Data incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC or not; and
- Controllers and/or Processors that Process Personal Data in the DIFC as part of stable arrangements (i.e. other than on an occasional basis), regardless of its place of incorporation of the business
The DPL clarifies that Processing "in the DIFC" occurs when the means or personnel used to conduct the Processing activity are physically located in the DIFC.
Therefore, it is advisable that all businesses in the UAE (not just those incorporated in the DIFC) who are Controllers and/or Processors of Personal Data review their business practices to determine whether the DPL applies to them and if so, what they need to be doing to ensure compliance by 1 October 2020.
The landscape of data protection is quickly-changing in the region, with several Gulf states proposing to introduce data protection laws, including the UAE. The UAE is advanced in this process and is expected to enact an onshore federal data protection law within the next 12 months.
The key terms used in the DPL
The key terms used in the DPL are consistent with the GDPR and other best-practice laws and regulations. We have referred to these terms in this briefing, in particular:
- A "Controller" is any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
- A "Data Subject" is the identified or Identifiable Natural Person to whom Personal Data relates.
- A "Processor" is any person who Processes Personal Data on behalf of a Controller.
- "Personal Data" is any information referring to an identified or Identifiable Natural Person.
- The "Processing" of
Personal Data is any operation or set of operations performed upon
Personal Data, whether or not by automated means, such as
collection, recording, organization, structuring, storage and
archiving, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination, transfer or otherwise
making available, alignment or combination, restricting (meaning
the marking of stored Personal Data with the aim of limiting
Processing of it in the future), erasure or destruction, but
excluding operations or sets of operations performed on Personal
(a) a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or
(b) law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.
Originally published 20 August, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.