January 24, 2022

Volume XII, Number 24


January 21, 2022

Subscribe to Latest Legal News and Analysis

New Data Protection Law for the Dubai International Financial Centre

A new data protection law came into force in the Dubai International Financial Centre (DIFC) on 1 July 2020. The new law, Law No. 5 of 2020 (DIFC DP Law), which repeals the Data Protection Law No.1 of 2007, bears striking similarities to the EU’s General Data Protection Regulation (GDPR). The Law applies to controllers or processors that process personal data in the DIFC on a regular basis, regardless of the entity’s place of incorporation.

The DIFC DP Law will be actively enforced as of 1 October 2020. Unlike the situation with the introduction of the GDPR, where companies had a two-year transition period before enforcement began, DIFC entities have not had much time to prepare for compliance. With the date of enforcement just around the corner, it is important for companies operating in the DIFC to take the time now to achieve compliance with the new law if they have not already done so.

The DIFC DP Law draws heavily from the GDPR, so much so that the two can almost be read side by side.  For example, as with the GDPR, the DIFC DP Law:

  • requires records of processing to be kept;

  • follows the concepts of “controllers” and “processors” of data, as well as “joint controllers”;

  • establishes lawful bases required for any processing;

  • introduces general requirements from processing data comparable to the data processing principles contained in the GDPR;

  • follows the concept of Data Protection Impact Assessments (DPIAs) to be carried out for ‘high risk’ processing;

  • grants data subjects rights on par with those granted by the GDPR;

  • grants data subjects the right to seek compensation where they have suffered damage as the result of an infringement of the law;

  • prohibits international transfers unless there are appropriate safeguards in place; and

  • sets out the criteria for determining when an entity will need to appoint a Data Protection Officer (DPO).

We have prepared a table containing a side-by-side comparison of the DIFC DP Law against the GDPR. The table and information on how our EMEA Data Protection Team can help you in your compliance efforts is available here.

Lucia Hartnett contributed to this article.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 266

About this Author

Ann J. LaFrance Data Privacy & Cybersecurity Attorney Squire Patton Boggs New York, NY & Washington DC

Ann LaFrance co-chairs the firm’s global Data Privacy & Cybersecurity Practice and is a senior member of the international Communications Practice.

In addition to advising clients on national and cross-border data privacy and cybersecurity matters, Ann has experience counselling clients on a broad range of legal and regulatory issues affecting the provision of internet and digital services, as well as advanced technologies. She has particular expertise advising on issues of concern to technology, media and telecommunications companies and she frequently serves as an adviser to...