The new 2020 DIFC Data Protection Law Summary Guide
Date Posted: Thu, 02 Jul, 2020
Developing a robust framework to support the DIFC’s bid for adequacy recognition by the European Commission, the United Kingdom and other jurisdictions around the world.
The new Data Protection Law, DIFC No. 5 of 2020 (the "DP Law"), comes into force on 1 July 2020 and replaces DIFC Law No.1 of 2007. Businesses caught by the legislation have a grace period of three months to bring their organisations into compliance with the new requirements. As previously discussed here, the new DP Law has been aligned with data protection regimes elsewhere in the world such as the European GDPR and the California Consumer Privacy Act. Adoption of international data privacy concepts means we're hopeful that such reform will see other territories recognising the DIFC as providing sufficient regulatory protection to allow data transfers in and out of the DIFC with relative ease.
The DIFC Commissioner of Data Protection (the "Commissioner") has published a number of guides to assist firms with their implementation of the new requirements. These are not binding and do not have the force of law, but instead are indicative of the approach the Commissioner will take to enforcement. We are still awaiting publication of the supporting regulations.
This update picks up on some of the new developments in the data protection regime in the DIFC and highlights the need for businesses to become aware of their new compliance requirements as soon as possible in order to give ample time to prepare for the 1 October 2020 deadline.
Effect on non-DIFC businesses
The DP Law applies to:
I. all businesses incorporated in the DIFC who are processing personal data (regardless of where the personal data is being processed); and
II. any business which processes personal data in the DIFC as part of "stable arrangements", rather than just on occasion (regardless of the business' place of incorporation).
In this context, “in the DIFC” means when the personnel used to conduct the processing or the means of doing so are physically located in the DIFC.
Therefore, payroll providers, cloud software providers and other suppliers will need to be aware of their obligations under the DP Law. The enforcement of fines and damages imposed by the DIFC courts may be sought through the UAE court system.
Higher penalties for non-compliance
The Commissioner may issue fines for both administrative and more general contraventions which may be enforced through the courts if businesses fail to pay. In addition, a data subject may apply to the court for compensation if they suffer damage as a result of a breach of the DP Law.