Data protection reform is sweeping the United Arab Emirates. Two new laws came into force recently in the financial districts of Dubai and Abu Dhabi.

Ibrahim Hasan

The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DPL 2020) regulates the collection, handling, disclosure and use of personal data, and includes enhanced governance and transparency obligations. It replaces the previous data protection law in the form of DIFC Law No. 1 of 2007. DPL 2020 is closely aligned with the EU General Data Protection Regulation (GDPR) and its recently born cousin, the UK GDPR.

DPL 2020 mainly applies to businesses operating in the Dubai International Financial Centre (DIFC). This is the leading financial hub in the Middle East, Africa and South Asia region. The 110-acre DIFC district hosts 2,400 businesses employing over 25,000 professionals in the legal, financial, management and regulatory sectors.

If a business is registered in the DIFC or processes personal data within the DIFC as part of stable arrangements (that is, a data controller), it is covered by the new law, as well as any business which processes personal data on behalf of either of the above (that is, a data processor). As to the substance of the new law, those who know about GDPR will find all the familiar concepts in DPL 2020. These include data protection principles and data subjects’ rights, as well as transparency and governance obligations all closely modelled on GDPR. Notable provisions include:

  • Privacy notices: more information is now required to be given to data subjects at the point at which their data is collected, including the legal basis for processing and their rights.
  • Data protection impact assessments: these will have to be undertaken in relation to any new ‘high risk processing activities’. This will involve assessing the impact of the proposed data processing operation on the risks to the rights of data subjects.
  • Breach notification: data controllers will have to notify the regulator if they suffer a personal data breach which compromises data subjects’ confidentiality, security or privacy. In the case of high risk, the data subjects must also be informed.
  • Data processors: the new law imposes direct compliance obligations on data processors, and a requirement to have written contracts between controllers and processors setting out the latter’s obligations.
  • International transfers: like GDPR, these can take place where there is an adequate level of protection for the personal data in the receiving country as assessed by the regulator. In the absence of such protection, the controller or processor must put in place appropriate safeguards which could include standard contractual clauses.

DPL 2020 requires both controllers and processors that perform high-risk processing activities to appoint a data protection officer. The DPO must be involved in all data protection issues and monitor compliance. It is a protected job, so the DPO cannot be dismissed or penalised for performing it.

DPL 2020 is enforced by a regulator, the Commissioner of Data Protection, who has the power (among other sanctions) to issue administrative fines for breaches. The maximum fine is $100,000. The DIFC courts may also require a business to pay compensation directly to data subjects. In addition, aggrieved data subjects can bring an action for compensation which is not subject to a cap. The commissioner can also do this on behalf of data subjects who have suffered material harm and who are disadvantaged in their ability to bring their own claim.

Abu Dhabi

On February 14 2021, the Abu Dhabi Global Market (ADGM) enacted its new Data Protection Regulations 2021, replacing the Data Protection Regulations 2015. These too are closely modelled on the GDPR with broadly the same provisions as discussed above.

The new regulations will come into force following a transition period of 12 months for current businesses (that is, those established in ADGM before February 14 2021) and six months for new businesses (that is, those established in ADGM on or following 14 February 2021). They introduce an independent Office of Data Protection headed by a Commissioner of Data Protection charged with promoting and enforcing data protection within ADGM, maintaining a register of data controllers and upholding the rights of individuals.

What next?

Data controllers and processors need to act now to ensure compliance with the new laws. Failure to do so will not just lead to enforcement action but also reputational damage.

The following should be part of an action plan for compliance:

  1. Raising awareness about the new laws at all levels from senior management down to frontline staff.
  2. Carrying out a personal data audit and reviewing how records management and information risk is addressed within the organisation.
  3. Reviewing information security policies and procedures in the light of the new, more stringent, security obligations, particularly breach notification.
  4. Revising privacy policies in the light of the more prescriptive transparency requirements.
  5. Writing policies and procedures to deal with new and improved Data Subject rights.
  6. Appointing and training a DPO. 


Ibrahim Hasan is a solicitor and director of Act Now Training (