Sheikh Mohammed enacts new data protection law for Dubai International Financial Centre

The law will come into effect from July 1, 2020


Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE and Ruler of Dubai, has enacted the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020.

The law, which will come into effect on July 1, 2020, will give businesses a three-month grace period, until October 1, to comply with its regulations.

It will replace the Data Protection Law DIFC Law No. 1 of 2007, which will remain in effect until the new law comes into effect.

The Board of Directors of the DIFC Authority also issued new Data Protection Regulations that set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data, according to a press statement.

The new law combines the best practices from global regulations including the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act, among others.

The statement added that “the Data Protection Law and Regulations provide a framework that will support DIFC’s bid for adequacy recognition by the European Commission, the United Kingdom and other jurisdictions, easing data transfer compliance requirements for DIFC businesses.”

“DIFC continues to develop its robust regulatory ecosystem built on the principles of compliance, integrity and security. The enhanced Data Protection Law combines the best practices from world-class data protection laws. By setting out the regulation, DIFC also sets a clear requirement for all organisations to follow global best practice relating to data and privacy,” said Essa Kazim, governor of DIFC.

The new law will also legislate for accountability of Controllers and Processors through compliance programmes, appointing data protection officers, conducting data protection impact assessments and imposing contractual obligations that protect individuals and their personal data.

Enhanced rights of individuals are clarified in terms of data usage by entities that collect and manage personal data, including contractual clarity of such rights when engaging with vendors of emerging technologies such as Blockchain and Artificial Intelligence.

Permit options for cross-border data transfers and special category personal data processing have been removed, and the law also promotes appropriate data sharing structures between government authorities.

General fines for serious breaches, administrative fines and maximum fines under the new law have also been outlined.