Dubai International Finance Centre’s data protection law to be boosted by new federal regulation

A year after companies within the Dubai International Financial Centre (DIFC) were required to comply with the Data Protection Law No 5, a new United Arab Emirates (UAE)-wide regulation is on the horizon. 

Companies were given until October 2020 to comply with the new law which came into effect in July 2020, replacing DIFC Data Protection Law No. 1 of 2007. It seeks to ease international data transfers by aligning organisations that handle data within the DIFC with Europe’s GDPR.

The DIFC is a financial hub for the Middle East, Africa, and South Asia, set up in Dubai as a “free zone”— a geographically demarcated area in the UAE with its own laws and regulations. Traditionally free zones were set up to promote specific sectors, such as media and finance, and were given the freedom to enact their own laws, which tend to be pro-business. Companies operating outside of free zones are often referred to as “on shore”, a distinction that is key to understanding which rules apply in Dubai.

More than just a large community of banks and investment firms, the DIFC is also a thriving business hub where companies from a range of industries have a base. The DPL 2020 applies to companies incorporated in the DIFC, regardless of where data processing takes place, and to companies that are incorporated elsewhere but that process personal data in the DIFC on a regular basis.

Fundamentally the same as GDPR

A goal of DPL 2020 is to minimise the need for individual organisations to put in place specific transfer mechanisms, such as standard contractual clauses, to exchange data with entities in the EU and the UK. It comes as no surprise that the law is very similar to GDPR, including data protection principles and rights for data subjects, as well as transparency and governance obligations.

“Many financial institutions in DIFC operate globally and were already under GDPR,” said Nader Henein, analyst and fellow of information privacy at Gartner. “In fact, much of their data infrastructure is housed in Europe, which has helped them avoid the common mistakes that might yield fines under the DPL 2020.”

Like the GDPR, in some circumstances, the DPL 2020 requires both controllers and processors to appoint a data protection officer (DPO), who must monitor compliance and get involved in all data protection issues. The DPO job is protected, so officers cannot be dismissed or penalised for performing their duties.

The DPL 2020 is enforced by a regulator, the DIFC commissioner of data protection, who has the power to impose sanctions, including a maximum administration fine of $100,000. Businesses may also be required to pay compensation directly to data subjects—an amount which is not capped.

So far, there are no published reports of fines having been issued. “The Commissioner will take a relatively pro-business position on compliance,” said Jack Rossiter, a lawyer working with international law firm Simmons & Simmons in its DIFC office. “The Commissioner has made it clear that in the first instance, they're likely to use powers other than fines to encourage compliance and will work collaboratively with DIFC community members.”

“Like any new law, there’s an emphasis around education and awareness,” said Rossiter. “Although the DIFC is a sophisticated hub, there are some businesses that aren't as familiar with data protection regimes and the novelty factor is understandable given the Middle East does not have the same history of individual rights out of which the GDPR took shape. The Commissioner has taken a very pro-active role in helping to accelerate awareness and encourage good practices.”

Data transfers to the free zone have not come as easily as expected

“One of the things we  do is help companies navigate the different privacy laws based on our client’s business objectives,” added Rossiter. “We carry out cross border surveys to ensure bespoke advice is given around data laws across the globe and help assess whether the transfer of data is compliant—this is an issue which has become more complex in recent years.”

To make it easier for global organisations, Data Protection Commissioners can examine the laws in other countries and how they are enforced to determine if those other countries have adequate levels of data protection. The effect of an adequacy decision by the EU Commissioner, for example, is that personal data can flow from the EU to the other country without further safeguards, as if the transfer were within the EU. Where an adequacy has not been found, further safeguards must be used—and experts are often brought in to provide counsel.

While the DIFC considers the level of protection in all EU countries to be adequate, so far, the EU has not even considered the DIFC for an adequacy decision. Part of the problem is that DIFC is not a country. “Traditionally the EU considers entire countries for adequacy,” says Henein. “The European Commission may not accept an application for the DIFC but would be more likely to do so for the UAE as a whole.”

 The situation is different between the DIFC and the post-Brexit UK. The fact that both London and DIFC are global financial hubs has provided incentive for the UK to move more quickly. In August 2021, the DIFC announced that it had formally engaged with the UK for an adequacy assessment, which makes the DIFC the only jurisdiction in the Middle East even being considered for adequacy by the UK.

As for the DIFC considering the UK as adequate, that positive ruling was made prior to the August announcement. This means companies handling data in the DIFC are allowed to transfer data to the UK without having to put in place special mechanisms.

In the end, no one has ever accused the UAE of not knowing how to make money. So it’s not surprising that in September 2021, the UAE announced that a new federal data protection law is in the works. “I expect the federal law to be a lighter version of the GDPR that could very much put the UAE as a whole on the path to an adequacy decision from the EU,” says Henein.

Read more about GDPR