Dubai has enacted a new data protection law that replaces the current privacy law, law N. 1 of 2007. The new 50-page law, which modernizes the current data protection law, will come into effect on July 1, 2020, at which time the pre-existing law and all related regulations will be repealed.
The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DIFC Law No. 5 of 2020) was enacted on June 1, 2020 by His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, in capacity as the Ruler of Dubai. Like its predecessor, the geographic scope of the law is limited to the Dubai International Financial Centre (DIFC) rather than the entire territory of the Dubai emirate.
The new law introduces concepts of accountability, and enhances individuals’ control over their personal data. It also provides for fines for data breaches. According to its Article 5, the purpose of the law is to provide standards and controls for the processing and free movement of personal data, and to protect the fundamental rights of the data subjects. Interestingly, Article 5 also specifies that the purpose of the law is to protect the fundamental rights of data subject “including how such rights apply to the protection of personal data in emerging technologies.”
DIFC Law No. 5 of 2020 takes into accounts principles found it other well-known data protection laws, such as the EU General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law (LGPD), and the California Consumer Privacy Act (CCPA). According to the official press release, the modernization of the data protection legal landscape of the DIFC signals its ambition to apply for adequacy recognition by the European Commission and other jurisdictions, which would ease global data transfers for DIFC-based businesses.
The new DIFC Data Protection Law applies to the processing of personal data by a controller or processor incorporated in the DIFC, regardless of whether the processing takes place in the DIFC or not. It also applies to a controller or processor, regardless of its place of incorporation, that processes personal data in the DIFC as part of stable arrangements, other than on an occasional basis. The law applies to such controller or processor in the context of its processing activity in the DIFC, including transfers of Personal Data out of the DIFC.
The law sets out 9 principles, which are outlined in a manner similar to that which is used in the EU’s GDPR. Also like in the GDPR, the requirements include a separate obligation for accountability whereby the data controller or processor is responsible for, and must be able to demonstrate, its compliance with those nine principles.
Lawfulness of the Processing
Law No. 5 of 2020 identifies six bases for what constitutes “lawful processing”. These bases include consent, necessity (the processing is necessary to perform certain specified tasks), and legitimate interest. In the same manner as provided in the GDPR, the processing can be justified by a “legitimate interest” only if the interest of data controller is not overridden by the rights or interests of the data subject. Article 13 of the law defines circumstances that would be considered “legitimate interest”, including the prevention of fraud, or ensuring security.
The new law details accountability obligations for controllers and processors, including requirements for the development of a program to demonstrate compliance with the law. It also requires the implementation of appropriate technical and organizational measures to demonstrate that the processing is performed in accordance with the law.
The law requires the establishment of a written “data protection policy”, and requires that controllers and processors follow the principle of data protection by design and by default. There are also requirements for the development of a record of processing activities, appointment of data protection officers (in specified circumstances, including for example, “high risk processing activities”), conducting data protection impact assessments and imposing contractual obligations that protect individuals and their personal data.
Notification of the Data Protection Commissioner
Unlike the EU GDPR, which removed the obligation under prior law to notify the country’s data supervisory authority, the new DIFC data protection law retains the existing obligation for data controllers to register their processing activities with the DIFC’s data protection commissioner by filing a “notification of processing operations” and it extends that obligation to data processors. The notification must be kept up to date through amended notifications.
Cessation of Processing
Article 22 of the new law details the procedures that the data controller must follow when it is required to cease processing personal data. “Cessation of processing” may occur when the basis for processing changes or ceases to exist, or when the controller is required to cease processing due to the exercise of the data subject’s rights. The obligation also extends to ensuring that all data processors perform similar activities on the data held by them. This useful and practical provision does not appear to resemble any other provision in other similar laws, worldwide.
Rights of Individuals
Article 32 to 38 of DIFC Law No. 5 of 2020 grants enhanced rights to individuals. These rights include, for instance, right to withdraw consent, right to access, rectification and erasure of personal data, right to object to the processing, right to restrict the processing, right to data portability, right to object to any decision based solely on automated processing, including profiling. These rights are generally comparable to those outlined in the EU GDPR or Brazil LGPD, for example.
Article 39 provides a right of “non-discrimination” which resembles some aspects of California’s CCPA. It prohibits discrimination against an individual who has exercised her rights (for example, right to restrict the processing of her data) by denying any goods or services to that individual, or charging different prices, or providing goods of less quality. Like the California CCPA, it also allows controllers to offer financial and other incentives to data subjects for their willingness to allow the controller to use personal information about them.
Crossborder data transfers
The new law contains the usual restrictions to the transfer of personal data out of the territory, and requires that the country of the recipient provide “adequate protection” or in the absence of such laws that the data exporter and data importer provide adequate safeguard, such as those that would come from binding corporate rules, standard contractual clauses, and the like, unless a derogation applies.
The DIFC data protection law includes comprehensive provisions regarding the notification of data breaches. Like the GDPR, the law distinguishes notification to be provided to the data commissioner from notification to be provided to the data subjects. Unlike GDPR or some US laws, there is no set maximum number of days for making the notification to the Commissioner. The time frame for making the initial notification is “as soon as possible” and the triggering event is whether the incident “compromises confidentiality, security or privacy.
Notification to data subjects is triggered only when the breach “is likely to result in a high risk to the security or rights of a data subject”. In this case, there is also no maximum time frame for making the notification. It would be ”as soon as practicable” in most circumstances, or “promptly” when there is “an immediate risk of damages”.
Remedies, Liability and Sanctions
Part 9 of the new DIFC law addresses Remedies, Liability and Sanctions. A wide variety of sanctions is provided, going from warnings to the issuance of a “direction” requiring a controller or processor to do or refrain from doing certain acts, to fines, payment of damages and compensation to the data subject, or payment of the costs incurred by the data commissioner or other person. The new law leaves to the Board of Directors of the DIFCA to draft regulations on this matter.
Data Sharing; Response to Request from Public Authority
Article 28 of Law No. 5 of 2020 provides guidance for the procedures to be followed when a data controller or processor receives a request from a public authority regarding the disclosure and/or transfer of personal data. The guidance provided is practical and detailed.
According to the press release issued by the DIFC, these provisions may form the first step towards data sharing standards within the UAE and the region.
Code of Conduct and Certification
Article 48 of the law provides for the use of “codes of conduct” and Article 49 provides for “certification schemes”. Both concepts will be familiar to those companies that operate in, or do business with, the European Union or European Economic Area.
In light of the current global pandemic, while the Data Protection Law is effective from July 1, 2020, businesses to which it applies will have a grace period of three months, until October 1, 2020, to prepare to comply with it, after which the new data protection law will becomes enforceable.
According to the DIFC press release, the Board of Directors of the DIFC Authority is issuing new Data Protection Regulations that set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data.