Dubai Data Protection Law

Dubai Data Protection Law No.5 will be implemented on July 1st, 2020.

Dubai Data Protection Law No.5 will be implemented on July 1st, 2020, replacing DIFC No. 1 of 2007.


Sheikh Mohammed bin Rashid Al Maktoum, Ruler of Dubai, and Vice President and Prime Minister of the United Arab Emirates, recently enacted the Dubai International Financial Center (DIFC) Data Protection Law No.5 of 2020. This new law will come into practice on the 1st of July 2020. The current law, Data Protection Law DIFC No. 1 of 2007 will remain relevant until then.  The Board of Directors of the DIFC has also updated its protocols and procedures for the synchronization and elevation in standards for data protection, accountability, record keeping, sanctions, as well as the relevant protocols for cross-border transfers of personal data. The Board of Directors of the DIFC has also set out new Data Protection Regulations, governing the procedures for notifications to the Commissioner regarding these standards. This new law combines the best practices from legislation such as GDPR (General Data Protection Regulation), the CCPA (California Consumer Privacy Act), and some other modern technological concepts. 


The new Dubai Data Protection Law includes some robust changes to the current law.


A Key focus of the new DIFC Data Protection Law is to regulate expectations for Controllers and Processors in the DIFC regarding several privacy and security concerns. These include some robust changes in the contractual obligations to current clients and the implementation data protection officers (if needed), to carry out data protection impact assessments, and contractually ensuring that individuals and their personal data remain protected. This only seeks to further increase U.A.E’s standing as a leading nation in the framework of Data Privacy and Intellectual Property legislation making it still one of the more attractive places for those looking to conduct business ethically.


While there are many changes to the legislation being implemented on July 1st, businesses will have until October 1st to get in compliance. 


 Updated and highlighted procedures are outlined under the new terms and conditions of the legislation. These new procedures place accountability in the hands of the Processors and Controllers and have serious implications including fines. These fines have not only had their maximum penalty increased, but also had some new ones introduced. It is key to note that AI and Emerging technology companies are not eligible for cross border data transfers or special category personal data processing. These regulations are centered on data sharing structures with state run entities which is an essential step for the deepening of ties with other regions. While this legislation is being implemented on July 1st, due to the COVID-19 global pandemic, the businesses to which it applies will have until October 1st, 2020 to get in compliance, before the law is enforced.


The Dubai Data Protection Law is expected to bring multiple benefits to the region.


Governor of the DIFC, Essa Kazim echoed many of the reasons for the change. He outlined that the DIFC continues to facilitate the growth of businesses by setting clear regulations for all organizations, based on global best practices on data privacy, thereby creating the correct ecosystem for Privacy regulations. Kazim believes that this will position the U.A.E as one of the leading global financial centers by demonstrating their progressive thinking. This is expected to aid the Middle East, Africa and South Asia (MEASA) region in strengthening its leadership and being positioned as an international financial hub. Because the GDPR allows for personal data transfers to countries whose legislation is seen by the European Commission to provide for an “adequate” level of personal data protection, this is expected to encourage, improve, and increase business between the two regions.


Likewise Dubai Data Protection Law No. 5, the CCPA in California is also expected to be enforced on July 1, 2020 


Does your company have all of the mandated safeguards in place to ensure data protection compliance? Aphaia provides data protection impact assessments including in international context, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Casebook Data Protection

Casebook on Data Protection by Olumide Babalola offers a global perspective: NDPR v GDPR

Olumide Babalola’s global Casebook on Data Protection, reviewed by Aphaia’s founder Dr Bostjan Makarovic, follows the adoption of Nigeria Data Protection Regulation 2019 ( NDPR ).


The Casebook on Data Protection is an inclusive collection of several European Court of Human Rights (ECTHR) and Court of Justice of European Union (CJEU) cases around data protection and privacy. The book is divided into different chapters, based on smaller subsections of data protection and privacy litigation. It features 159 cases as its bases of study and commentary on each of these specific avenues. Some notable Chapters include: Transfer of Data to Foreign Countries, Principles of Data Protection, Exceptions and Derogation. There are also chapters on Employment data, sensitive data and other relevant topics.  A few of Aphaia’s representatives had the pleasure of attending the virtual launch of ‘Casebook on Data Protection’ on June 4th, 2020. The book sets the stage for the NDPR v GDPR comparison.


Casebook of Data Protection is the fifth published book of author Olumide Babalola.


Olumide Babalola is one of Africa’s leading intellectuals in the field of data protection, consummate digital rights and internet privacy. Currently the Managing Partner at the self- titled Olumide Babalola LP – Where their bias aligns with Babalola’s expertise; consumer rights litigation, digital rights, employment, corporate commercial disputes and more. He is an award winning law practitioner , receiving the Nigerian Rising Star award, and is a member of not only the Nigerian Bar association but the International Bar, IGFSA, Internet Society and International Association of Privacy Practitioners, among others. Being one of Nigeria’s most sought after speakers on Legislation regarding the internet- he delivered a speech at the UN Internet Governance Forum (IGF), and RightsCon (The 8th Annual Summit on Human Rights in the Digital Age) . Babalola is the author of multiple relevant litigation works including Nigeria’s first law dictionary – Babalola’s Law Dictionary. Babalola is a pioneer in his field in Africa and also on the global front speaking on topics such as cybercrime, Freedom of Information and the laws surrounding digital rights, their implementation and amendment.


The event featured various notable speakers and presenters, reviewing the Casebook on Data Protection and sharing insightful presentations.


Thursday’s proceedings featured some very insightful presentations by various speakers, including Prof Nani Jensen-Reventflow; the founding director of the Digital Freedom Fund, Dr Tobias Hollwarth; president of EuroCloud Europe, and Privacy and Data Protection lawyer, Prof Paolo Balboni.The Book was first reviewed by two professionals in the environmental, ICR and privacy litigation arenas; Professor Olanrewaju Fagbohun PhD, and Aphaia’s very own Dr Bostjan Makarovic. Finally, computer science graduate, Kashifu Inuwa Abdullahi presented on the comprehensive collection of decisions; Casebook on Data Protection, to event attendees. 


A Summary of the review of ‘Casebook on Data Protection’, by Dr Bostjan Makarovic.


Dr Makarovic deems this book a great companion for anyone who seeks comparative support for their privacy work, or who would simply like a broader understanding of legislative concepts. He noted a specific appreciation for the way the cases are neatly broken down into questions raised, and the answer presented by each decision, making the book an easy read, with a global approach. This original collection of global case law decisions comes just at a time when data protection law is becoming a global discipline, and privacy professionals are seeking support in understanding statutory concepts, according to Dr. Makarovic. He definitely recommends this book, which largely uses the prototype concepts of EU law, including new concepts introduced by the GDPR, such as data breach, which can help build NDPR v GDPR comparison in practice.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

France will impose digital tax, regardless of international levy

France will impose digital tax regardless of whether the rest of the world proceeds with a deal on an international levy, according to this article by Euractiv.

France will impose a digital tax on corporate giant tech companies. According to Finance Economics Minister, Bruno le Maire, large tech companies like Amazon and Google have largely and disproportionately profited from the ease of doing business online during the COVID-19 pandemic and amid social distancing protocol and practices, and the French, like many other EU nations, feel that they must do something in order to stimulate their local economy in what is expected to be their upcoming deep recession.

Washington may fight back on digital tax

There has been a big pushback on the implementation of a digital tax, which would largely affect digital corporate giants like Google, which records an annual global revenue of over $160 billion (over 145 billion Euros). Washington, considering that many of these tech giants are US based, has threatened to fight back with their own trade tariffs, also claiming that France unfairly targets US digital companies.

Many EU nations are moving forward with digital tax implementation despite setbacks

While digital tax implementation at a uniformed rate across European nations arms to be a long time coming, France is not alone in wanting to move forward with its implementation. Countries like Italy, Britain and Spain either have already implemented digital tax or plan on doing so in the near future. However due to opposition from countries like Ireland, progress towards an EU wide digital tax seems to be stalled at the moment. In other nations, like the Czech Republic for example, Finance Minister Alena Schillerova has said that she may actually delay the implementation of a digital tax until next year and lower the rate, from the currently proposed 7% to 5%.

France will impose digital tax, whether or not international tax is implemented.

According to Euractiv, “Nearly 140 countries from the Organisation for Economic Cooperation and Development (OECD) are negotiating the first major rewriting of tax rules in more than a generation, to take better account of the rise of big tech companies such as Amazon, Facebook, Apple and Google that often book profit in low-tax countries.”

“Never has a digital tax been more legitimate and more necessary,” Finance Minister Bruno Le Maire told journalists on a conference call on May 13th. “In any case, France will apply as it has always indicated a tax on digital giants in 2020 either in an international form if there is a deal or in a national form if there is no deal.” Initially, in January, the government of France had offered to suspend its current digital tax on tech companies until the end of 2020, while an international tax deal was being negotiated. However, due to the circumstances surrounding the coronavirus outbreak, things have changed, with finance ministries more focused now than ever before, on saving their local economies.

EU seeks a better managed digital space, including digital tax.

Considering what seems to be an integration of the US and EU economies with the digital sphere, the European Union has sought to introduce regulation to achieve a level playing field and protect both European consumers and businesses in this new digital world. With legislation like the GDPR controlling the flow of information across borders and protecting consumer data, many legislative authorities do believe that a digital tax is the absolutely necessary next step. As digital corporate giants, like Amazon and Google with little to no physical presence in Europe have largely escaped what many would consider fair taxation, as a result of their predominantly online operational presence, governments across the EU believe that it is time to restructure and level the playing field. While there are many initiatives which are more focused on investment and education, there is a push now from legislators to enforce digital tax, particularly with the current need for income and to stimulate local economies impacted by the effects of COVID-19. Ultimately, the result of this will be a more managed digital space where online companies are not benefiting from a disproportionate advantage.

Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Healthcare Committee Data Breach

Healthcare Committee Data Breach in Örebro County, Sweden.

Healthcare Committee Data Breach in Örebro County, Sweden after sensitive personal data of a patient was published on the region’s website.


A healthcare committee data breach was uncovered after complaints were filed with the Swedish Data Protection Authority (DPA), concerning the publication of a patient’s personal data on the region’s website. According to an article by the European Data Protection Board, the complaints were concerning a patient admitted to forensic psychiatry whose personal details were found, through an audit, to have been published on the region’s website. The Swedish DPA found that the region’s website published sensitive data wrongfully, with neither legitimate purpose nor legal basis, nor eligibility for exemption from the proscription of handling sensitive personal data under the General Data Protection Regulation (GDPR). As a result, the DPA has fined the Committee and ordered some changes to ensure compliance moving forward.


Swedish DPA audit uncovers lack of written instructions for publishing, increasing risk of a data breach.


The Swedish DPA performed an audit after receiving a complaint about the data breach in question and discovered that there were no written instructions in place for the publication of information on the Committee’s website. The Committee had depended solely on oral communication for passing on instructions for publication. The publication of this patient’s personal data was the result of those instructions not being followed. While it was accidental, the publication of that personal data was the result of insufficient organisational measures to ensure protection of personal data.


Healthcare Committee Data Breach results in a fine of 120,000 Swedish kronor and an order for corrective action. 


The Swedish DPA has ordered the Committee to establish written instructions and to institute measures to ensure compliance with those instructions for those who are tasked with publishing data on their website. In addition to ordering the Committee to bring its handling of personal data into full compliance under the GDPR, the DPA has also ordered the payment of a 120,000 Swedish kronor administrative fine (approximately 11,000 Euro). The published document resulting in the data breach has since been removed from the region’s website. 


What should have the Healthcare Committee done in order to avoid the breach?


-Have in place an adequate internal data protection policy providing written and clear instructions about how to process and secure the personal data held by the Committee. 

Pursuant to Article 24 GDPR “(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary; (2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller”.

-Deliver relevant training to the employees. When it comes to reducing the risk of data breaches, it is paramount to train the staff so that they understand the new processes you have put in place and also the data protection rules behind them.

Why are the measures above especially important in this case?

The data compromised involves health information, which is a special category of personal data, therefore additional safeguards should apply, plus the bases for processing it are limited to some specific scenarios. However, it should be noted that the breach would have taken place even if the personal data published in their website was not sensitive, because there was no legitimate basis to make the information public.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.