DIFC Data Protection Law, 2020
The Dubai International Financial Centre (DIFC) has issued DIFC Law Number 5 of 2020, a new Data Protection Law ("DPL"), replacing the existing data protection regime first enacted in 2007. The DPL aims to strengthen the DIFC's standards by providing enhanced controls over the Processing and free movement of personal data by controllers and processors, as well as protecting the fundamental rights of data subjects. With the new legislation, the DIFC's data protection regime is aligned with globally adopted measures, similar to those adopted in the European Union (General Data Protection Regulation) and in the United States of America (California Consumer Privacy Act). The DIFC has always kept pace with international markets and laws, and with the issuance of the DPL it will further earn international recognition by establishing enhanced governance and transparency requirements.
The DPL is in effect from 1 July 2020, with affected businesses granted until 1 October 2020 to undertake the necessary compliance measures.
Scope of Application
The DPL applies in the jurisdiction of the DIFC. It applies to the Processing of personal data by a Controller or Processor incorporated in the DIFC, irrespective of whether the Processing takes place in the DIFC or not. It also applies to a Controller or Processor that processes personal data in the DIFC as part of stable arrangements, rather than on an occasional basis, regardless of its place of incorporation. The DPL applies to a Controller or Processor in the context of its processing activity in the DIFC (not in a third country), including transfers of personal data out of the DIFC.
However, the DPL does not apply to a natural person processing personal data in the course of a purely personal or household activity that has no connection to any commercial purpose.
Personal Data in the DPL
Any information that refers to an identified or identifiable natural person is Personal Data.
A person is identified or identifiable by direct or indirect reference to an identifier such as a name, an identification number, location data (depending on the context), an online identifier (such as an IP address or cookie identifier), or to one or more factors specific to the individual's physical, biometric, biological, physiological, mental, genetic, cultural, economic or social identity.
Rights of the Data Subjects
The DPL mirrors the rights granted to data subjects in the European Union. Data Subjects have various rights, for instance:
- right to request copies of their personal data at any time;
- right to rectify data;
- right to withdraw consent and request erasure of their personal data.
European Union law has a drawback: it does not adequately accommodate emerging blockchain technologies, where personal data can be stored indefinitely and cannot be managed in accordance with modern data protection laws.
The DPL, however, remedies this by introducing an exemption from the rights of rectification and erasure of personal data where the data controller has disclosed specific information to the data subject, including that the personal data will be processed in a way that prevents the data subject from exercising such rights.
The DPL introduces a right for data subjects (similar to the United States) that protects them from any discrimination resulting from the exercise of their rights. For instance, if a customer refuses to allow a business to retain his personal data, the DPL requires that business to provide the customer with the same quality of goods or services as other customers and to ensure that the refusing customer is not discriminated against.
Legally Binding Written Agreement
Part 3A of the DPL deals with Joint Controllers (where two or more persons jointly determine the purposes and means of Processing Personal Data) and states that they must enter into a legally binding written agreement, defining their respective responsibilities for ensuring compliance with the obligations under the DPL. Such agreement shall clarify the process for ensuring that a Data Subject can exercise his rights and for providing a Data Subject with the information.
Furthermore, where Processing is to be carried out by a Processor on behalf of a Controller, the Processing shall be governed by a legally binding written agreement between the Controller and the Processor. A Controller shall only enter into agreements with Processors that provide sufficient assurances of implementing appropriate technical and organizational measures to meet the Processing requirements of the DPL and to protect a Data Subject's rights (Part 3B of the DPL). A Processor may not engage another Processor to act as a Sub-processor without the prior written authorization of the Controller, and, when authorized, the Processor shall inform the Controller of any intended changes regarding the replacement or addition of a Sub-processor.
Additionally, a Processor may not engage a Sub-processor to carry out specific Processing activities on behalf of the Controller unless a legally binding written agreement containing the required terms is in place with the Sub-processor. That agreement must ensure that the obligations the Processor owes to the Controller, under the agreement with the Controller, are fully passed on to the Sub-processor in respect of those specific Processing activities.
The Commissioner appointed under the DPL shall publish standard contractual provisions for businesses. Failure to ensure that compliant contracts are in place with all relevant processors of personal data shall result in a maximum fine of USD 25,000.
Part 8 of the DPL deals with the appointment, removal, powers, functions, objectives and liabilities of the Commissioner.
The President of the DIFC shall appoint a person who is appropriately experienced and qualified to be the Commissioner. The President shall consult the DIFCA Board of Directors prior to appointing, re-appointing or removing the Commissioner. The Commissioner shall be appointed for a specified period not exceeding five years, and may be re-appointed, but not beyond the day on which the Commissioner turns 75 years of age.
The Commissioner has such powers, duties and functions as conferred on him under the DPL and the Regulations. The Commissioner shall not be held personally liable for any act or omission committed by him under or in relation to the DPL or in relation to his duties and functions as Commissioner, save for where the Commissioner has acted in bad faith. The DIFCA will indemnify and hold harmless the Commissioner with respect to all liabilities that may be incurred by or suffered by the Commissioner in relation to the discharge of the Commissioner's duties and functions under or in relation to the DPL and his duties and functions as Commissioner.
Data Protection Officer
A Controller or Processor may elect to appoint a Data Protection Officer ("DPO") who meets the requirements specified in the DPL and is responsible for compliance with the DPL and other applicable privacy laws. Any business conducting "high-risk processing activities" has an obligation to appoint a DPO. The DPO's contact details must be given to data subjects when their personal data is collected.
The DPL requires the DPO to be resident in the United Arab Emirates. However, the residency requirement does not apply where the person is an individual employed within a group of members who performs a similar function for the group on an international basis elsewhere. In such cases, the DPO must be easily accessible to each member of the group.
Where the Controller or Processor is not required to appoint a DPO, it shall clearly allocate the responsibility for oversight and compliance under the DPL within its organization and provide details of the persons with such responsibility to the Commissioner upon request.
Personal Data Breaches (Part 7 of the DPL)
A "Personal Data Breach" is defined as a breach of security leading to the unlawful or accidental destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Notification to the Commissioner:
Where a Personal Data Breach compromises a Data Subject's confidentiality, security or privacy, the Controller involved shall notify the Commissioner as soon as practicable. A Processor shall notify the relevant Controller without undue delay after becoming aware of a Personal Data Breach. Failure to notify shall result in a fine of up to USD 50,000 on either or both of the Controller and the Processor.
Notification to a Data Subject:
Where a Personal Data Breach is likely to result in a high risk to the Data Subject's security or rights, the Controller shall communicate the breach to each affected Data Subject as soon as practicable. Where there is an immediate risk of damage to the Data Subject, the Controller shall communicate with the affected Data Subject promptly.
The DPL states that where notification to an affected Data Subject would involve a disproportionate effort, a public communication is sufficient to satisfy the provisions. Failure to notify as required can result in a fine of up to USD 50,000. Where a Data Subject has suffered loss as a result of a failure to notify, he may apply to the court for compensation or damages.
The Commissioner has the power to issue fines for contraventions of the DPL, which are enforced through the courts when businesses fail to pay.
Maximum fines:
- USD 50,000 for failure to implement and maintain technical and organizational measures to protect personal data;
- USD 25,000 for failure to maintain records of the Processing;
- USD 100,000 for failure to comply with:
  - a Data Subject's rights of access, rectification and erasure of personal data;
  - the new requirements relating to data portability; and
  - a Data Subject's right to object to any decision based solely on automated Processing, including profiling, which produces legal or other seriously impactful consequences.
The Commissioner has the power to inspect and audit businesses subject to the DPL to verify compliance.
The rights, requirements and responsibilities introduced by the DPL make it insufficient to rely on legal or compliance teams alone; everyone in the organization must understand their role in keeping data safe and secure. Businesses need to understand how they may use and process personal data, update existing contracts with third parties, privacy notices and interactions with customers, and consider employee awareness around the handling of personal data.