Dubai Data Protection Law No.5 will be implemented on July 1st, 2020, replacing DIFC No. 1 of 2007.
Sheikh Mohammed bin Rashid Al Maktoum, Ruler of Dubai, and Vice President and Prime Minister of the United Arab Emirates, recently enacted the Dubai International Financial Center (DIFC) Data Protection Law No.5 of 2020. This new law will come into practice on the 1st of July 2020. The current law, Data Protection Law DIFC No. 1 of 2007 will remain relevant until then. The Board of Directors of the DIFC has also updated its protocols and procedures for the synchronization and elevation in standards for data protection, accountability, record keeping, sanctions, as well as the relevant protocols for cross-border transfers of personal data. The Board of Directors of the DIFC has also set out new Data Protection Regulations, governing the procedures for notifications to the Commissioner regarding these standards. This new law combines the best practices from legislation such as GDPR (General Data Protection Regulation), the CCPA (California Consumer Privacy Act), and some other modern technological concepts.
The new Dubai Data Protection Law includes some robust changes to the current law.
A Key focus of the new DIFC Data Protection Law is to regulate expectations for Controllers and Processors in the DIFC regarding several privacy and security concerns. These include some robust changes in the contractual obligations to current clients and the implementation data protection officers (if needed), to carry out data protection impact assessments, and contractually ensuring that individuals and their personal data remain protected. This only seeks to further increase U.A.E’s standing as a leading nation in the framework of Data Privacy and Intellectual Property legislation making it still one of the more attractive places for those looking to conduct business ethically.
While there are many changes to the legislation being implemented on July 1st, businesses will have until October 1st to get in compliance.
Updated and highlighted procedures are outlined under the new terms and conditions of the legislation. These new procedures place accountability in the hands of the Processors and Controllers and have serious implications including fines. These fines have not only had their maximum penalty increased, but also had some new ones introduced. It is key to note that AI and Emerging technology companies are not eligible for cross border data transfers or special category personal data processing. These regulations are centered on data sharing structures with state run entities which is an essential step for the deepening of ties with other regions. While this legislation is being implemented on July 1st, due to the COVID-19 global pandemic, the businesses to which it applies will have until October 1st, 2020 to get in compliance, before the law is enforced.
The Dubai Data Protection Law is expected to bring multiple benefits to the region.
Governor of the DIFC, Essa Kazim echoed many of the reasons for the change. He outlined that the DIFC continues to facilitate the growth of businesses by setting clear regulations for all organizations, based on global best practices on data privacy, thereby creating the correct ecosystem for Privacy regulations. Kazim believes that this will position the U.A.E as one of the leading global financial centers by demonstrating their progressive thinking. This is expected to aid the Middle East, Africa and South Asia (MEASA) region in strengthening its leadership and being positioned as an international financial hub. Because the GDPR allows for personal data transfers to countries whose legislation is seen by the European Commission to provide for an “adequate” level of personal data protection, this is expected to encourage, improve, and increase business between the two regions.
Likewise Dubai Data Protection Law No. 5, the CCPA in California is also expected to be enforced on July 1, 2020