November 27, 2020

Volume X, Number 332


November 25, 2020


New Dubai International Financial Centre Data Protection Law Comes into Effect

On July 1, 2020, the Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020 came into effect (“New DP Law”). Due to the current pandemic, a three-month grace period, running until October 1, 2020, has been provided for companies to comply. The New DP Law replaces DIFC Law No. 1 of 2007. The release of the New DP Law is, in part, an effort to ensure that the DIFC, a financial hub for the Middle East, Africa and South Asia, meets the standard of data protection required to receive an “adequacy” finding from the European Commission and the United Kingdom, meaning that companies may transfer EU/UK personal data to the DIFC without putting in place a transfer mechanism (such as Standard Contractual Clauses).

The New DP Law will apply to companies incorporated in the DIFC, regardless of where processing takes place, or companies that, whilst incorporated elsewhere, process personal data in the DIFC as part of stable arrangements (other than occasional processing). In the latter case, the New DP Law only applies to those processing activities taking place within the DIFC. The New DP Law reflects many aspects of the EU’s General Data Protection Regulation (the “GDPR”), including:

  • Accountability Requirements: Controllers are required to put in place programs demonstrating compliance with the New DP Law, similar to the GDPR’s accountability requirements.

  • Data Protection Principles: The New DP Law sets out requirements for processing that are largely identical to the data protection principles under the GDPR.

  • Lawful Bases for Processing: The New DP Law provides essentially the same legal bases for processing of personal data as the GDPR. With regard to consent, the New DP Law reflects elements of the GDPR’s standard, i.e., that the consent be freely given and demonstrated by a clear affirmative act showing an unambiguous indication of consent.

  • Data Subject Rights: Data subjects are provided certain rights in relation to their personal data and data controllers also are required to provide data subjects with information relating to processing and an individual’s rights with respect to their data.

  • Data Protection Officer (“DPO”) and Data Protection Impact Assessments (“DPIAs”): A DPO must be appointed to monitor and advise on compliance with the New DP Law where a controller or processor engages in “high risk processing activities” on a systematic or regular basis, the definition of which includes criteria that are similar, but not identical to, the criteria for appointment of a DPO under the GDPR. Additionally, high risk processing activities also trigger the requirement for a controller to carry out a DPIA.

  • Data Transfers: The New DP Law prohibits transfers outside of the DIFC where the Commissioner of Data Protection has determined that the recipient jurisdiction, or a specified sector within the recipient jurisdiction (a deviation from the GDPR), provides an adequate level of data protection. Among the available safeguards that will permit such transfers are Standard Contractual Clauses or Binding Corporate Rules.

  • Data Breach Notification: Controllers are required to notify the Commissioner of Data Protection of any personal data breach that compromises a data subject’s confidentiality, security or privacy. Data subjects also must be notified if the breach is likely to result in a high risk to their security or rights.

  • Special Category Data: There is a general prohibition on the processing of special category data unless a derogation applies.

  • Controller-Processor Agreements: Controllers must put in place legally binding written agreements with processors to whom they disclose personal data, as under Article 28 of the GDPR, and processors are expected to execute the same agreements with sub-processors.

The New DP Law also incorporates certain aspects of the California Consumer Privacy Act of 2018 (“CCPA”) and its proposed regulations. Specifically, the New DP Law follows the CCPA in prohibiting businesses from discriminating against consumers for exercising their rights under the CCPA, including by offering a financial incentive or price or service difference (subject to certain exemptions).

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume X, Number 191


