[co-author: Florence Mugwera]
The Dubai International Financial Centre (the DIFC), a financial free zone in the United Arab Emirates (the UAE), has become the leading financial hub for the Middle East, Africa and South Asia. The DIFC is located in Dubai and is home to a high concentration of multinational firms, investment funds, wealth management firms, banks and financial institutions. Reasons for locating in the DIFC include that it is English-speaking; that there is no restriction on foreign ownership or capital repatriation; that there is zero tax on profits, capital or assets and on employee income; and that counterparty confidence is high by virtue of its internationally recognised judicial system, based on English common law, and an independent regulator.
Why is the DIFC interested in data protection?
The DIFC is a dynamic economic hub and has made rapid advances in technology. Data protection laws have existed in the DIFC since 2007 as part of the free zone’s desire to be viewed internationally as a top-tier jurisdiction for data protection – achieving an investor stamp of approval as an investment destination. Businesses which are engaged in processing and exchanging individual data electronically and across borders are already impacted by the EU General Data Protection Regulation (GDPR) and other international privacy laws.
Data Protection Law (DIFC Law No. 5 of 2020)
The recently enacted Data Protection Law (DIFC Law No. 5 of 2020), (the DPL 2020) aspires to combine best practices from the GDPR and the California Consumer Privacy Act (CCPA). Compared to its predecessor law, the DPL 2020 includes enhanced governance and transparency obligations. Just as under the GDPR, potential fines for infringements are significant, with a maximum fine for an administrative breach of USD 100,000, and scope for larger (and unlimited) fines for more serious violations.
The DPL 2020 will come into effect on July 1, 2020, but it has recently been announced that active enforcement of the law will not happen until October 1, 2020 due to the global pandemic – thereby giving businesses a four-month implementation window to review existing data processing activities and make the adjustments necessary to become compliant. The DPL 2020 regulates the collection, handling, disclosure and use of personal data in the DIFC. However, the new law goes further than previous laws by creating and enhancing obligations on controllers and processors. Further, data subjects have more rights and greater access to compensation for breaches. In these respects the DPL 2020 closely mirrors the GDPR, for example in its rules on the extra-territorial applicability of the DPL 2020, on how consent for processing can be lawfully obtained, and on when a notification to the regulator and/or individuals is required in case of a data breach. However, there remain clear differences and distinctions. Examples include the specific circumstances in which the appointment of a Data Protection Officer (DPO) is mandated, which are distinct from those set out under the GDPR, and a right for data subjects not to be discriminated against (for example with respect to pricing or the provision of goods or services) as a result of exercising rights under the DPL 2020 – a concept derived from the CCPA.
Businesses based in the DIFC, or processing the personal data of individuals resident in the DIFC, will be able to leverage significantly the compliance work they have already done on GDPR readiness programs, but should note carefully the specific but important differences between the DPL 2020 and the GDPR and work now to make the changes to their privacy program needed to ensure compliance.
The predecessor regime consisted of the Data Protection Law of 2007, as amended by the Data Protection Law Amendment Law, DIFC Law No. 5 of 2012, and the Data Protection Regulations Consolidated Version No. 2, in force on 23 December 2012, which were established to create a legal and procedural framework ensuring that all personal data in the DIFC is treated fairly, lawfully and securely when it is stored, processed, used, disseminated or disclosed.