The Dubai International Financial Centre (the DIFC), a financial free zone in the United Arab Emirates (the UAE), is the leading financial hub for the Middle East, Africa and South Asia. On 1 July 2020 it brought into force the new, enhanced Data Protection Law No. 5 of 2020 (the DPL 2020), which replaces the former Data Protection Law No. 1 of 2007 (the DPL 2007). Businesses to which the new law applies have a three-month grace period, running from 1 July 2020 until 1 October 2020, in which to bring their personal data processing activities into compliance with the DPL 2020 before official enforcement begins.
As referenced in our previous alert relating to the DPL 2020, the DPL 2020 combines best practices from the EU General Data Protection Regulation (the GDPR) and the California Consumer Privacy Act. Businesses registered in the DIFC, or processing personal data within the DIFC, should carefully review the provisions of the DPL 2020 and begin now to make the changes to their privacy programme needed to ensure compliance before enforcement begins on 1 October 2020.
Some of the key updates to the data protection regime introduced by the DPL 2020 are described below.
The DPL 2020 makes the appointment of a data protection officer mandatory for controllers and processors that conduct high-risk processing activities. A high-risk processing activity is the processing of personal data:
a. that includes the adoption of new or different technologies or methods which create a materially increased risk to the security or rights of individuals, or render it more difficult for individuals to exercise their rights; or
b. where a considerable amount of personal data will be processed and where such processing is likely to result in a high risk to the data subject, including due to the sensitivity of the personal data or risks relating to the security, integrity or privacy of the personal data; or
c. where the processing will involve the systematic and extensive evaluation of personal aspects relating to individuals, based on automated processing, including profiling; or
d. where a material amount of special categories of personal data is to be processed, such as personal data revealing or concerning racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for identifying an individual.
The rights of individuals have been expanded and re-aligned to absorb the impact of emerging technology. For example, individuals are free to withdraw consent to processing. Individuals, as data subjects, also have a broader basis for claiming, and easier access to, compensation for breaches. An individual who suffers material or non-material damage by reason of any contravention of the DPL 2020 may apply to the court for compensation from the controller or processor, in addition to any fine imposed on the same parties. The amount of such compensation is not yet clear and, as has been the case under the GDPR, remains to be interpreted by the courts.
Previously, transfers of personal data could take place only if made from the DIFC to a jurisdiction that provides an adequate level of protection, or where the Commissioner had granted a permit or written authorisation for the transfer. The DPL 2020 clarifies this further and allows transfers of personal data from the DIFC to a jurisdiction without an adequate level of protection if appropriate safeguards are put in place. Examples of such safeguards are a legally binding contract between the relevant parties, which is expected to be interpreted in line with the EU-approved Standard Contractual Clauses, or binding corporate rules (data protection policies and procedures, aggregated or incorporated in a single written document, which regulate the transfer of personal data between members of a single group).
Breach notification is now required: a breach that compromises an individual’s confidentiality, security or privacy must be reported to the Commissioner as soon as possible. Where the breach is likely to result in a high risk to the security or rights of the individuals concerned, those individuals must also be informed.
Previously, the maximum fine for contraventions was USD 25,000. Under the DPL 2020, potential fines for infringements are much higher. The maximum fine for an administrative breach is USD 100,000, and there is scope for larger, potentially unlimited, fines for more serious violations. Where both a controller and a processor are liable for the infringing processing, their liability under the law is joint and several.
Businesses based in the DIFC, or processing the personal data of individuals resident in the DIFC, should carefully review the specific updates to the data protection regime introduced by the DPL 2020, including but not limited to the reinforced accountability obligations, the security breach notification requirements and the higher penalties for infringement. Given the fast-approaching end of the grace period, such businesses should aim to finalise the changes to their data protection protocols so as to be fully compliant with the new rules before 1 October 2020.