New DIFC law seeks to enhance security, privacy of data

The Dubai International Financial Centre is implementing a new law to protect data as part of its drive to be in the frontline in enhancing data protection practices.

The new law, enacted by His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, in his capacity as the Ruler of Dubai, will come into effect from 1 July 2020.

While the current law enacted in 2007 will remain in effect until this date, the "Data Protection Law 5 of 2020" further develops DIFC's data protection regime, which is already one of the most advanced in the region.

Besides keeping Dubai and DIFC at the forefront of data protection in the region, the new law features enhancements related to global data, security and privacy best practice. It also specifies requirements relating to accountability, individuals' control of personal data and fines for breaches.

General fines have been introduced for serious breaches of the law, in addition to or instead of administrative fines.

The new law combines the best practices from a variety of current, world-class data protection laws, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act and other forward-thinking, technology-agnostic concepts, a statement issued through the Media Office said.

"The Board of Directors of the DIFC Authority has also issued new Data Protection Regulations that set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data."

Essa Kazim, governor of DIFC, said the global financial hub continues to develop its robust regulatory ecosystem built on the principles of compliance, integrity and security. "The enhanced Data Protection Law combines the best practices from world-class data protection laws. By setting out the regulation, DIFC also sets a clear requirement for all organisations to follow global best practice relating to data and privacy. It demonstrates our position as a forward thinking international financial hub shaping the future of finance across the region and enables us to further consolidate the Centre's reputation as a leading global financial centre," he said.

In light of the current global pandemic, while the law will be effective from 1 July 2020, businesses to which it applies will have a grace period of three months, until 1 October 2020, to prepare to comply with it.

The new data regime sets out expectations for controllers and processors in the Centre regarding several key privacy and security principles. "The requirements reflect the DIFC's commitment to developing an enabling business ecosystem with robust regulatory and compliance guidelines for all organisations operating from the Centre. They will enable DIFC to continue to build upon the centre's reputation focused on innovation and collaboration, while also promoting ethical data sharing."

Importantly, the new law and regulations provide a framework that will support DIFC's bid for adequacy recognition by the European Commission, the UK and other jurisdictions, easing data transfer compliance requirements for DIFC businesses.

Enhanced rights of individuals are clarified in terms of data usage by entities that collect and manage personal data, including contractual clarity of such rights when engaging with vendors of emerging technologies, such as Blockchain and Artificial Intelligence (AI). Permit options for cross-border data transfers and special category personal data processing have been removed. The new regime includes appropriate data sharing structures between government authorities, which represent a key step forward in data sharing standards within the UAE and the region.