Dubai International Financial Centre

Summary

Law: DIFC Data Protection Law No. 5 of 2020 (the Data Protection Law)

Regulator: The Commissioner of Data Protection

Summary: On May 21, 2020, the DIFC Data Protection Law No. 5 of 2020 (the Law) was enacted in the Dubai International Financial Centre (DIFC). The Law came into effect on July 1, 2020. The DIFC is a financial free zone in the UAE, which itself is a federation composed of seven emirates. Being a financial free zone means that UAE federal civil and commercial law does not apply and the DIFC can create its own legal and regulatory framework for all civil and commercial matters.

The Law introduces requirements for data protection officer appointments, Data Protection Impact Assessments (DPIAs), and the right to data portability. As such, the Law will move the DIFC into closer alignment with the EU's GDPR. The Law became enforceable on October 1, 2020.

Notably, the DIFC Authority (DIFCA) launched a public consultation on proposed amendments to the Law, ending on May 17, 2023, aiming to provide means for a better, safer, and more ethical management of data processing. In particular, the proposed amendments provide for new provisions regarding:

  • controller and processor obligations with regard to data breach incidents;
  • controller and processor obligations in connection with the use of personal data for digital communications and services;
  • controller and processor obligations regarding controls and safeguards in connection with the use of digital enablement technology systems, including artificial intelligence (AI) systems; and
  • concepts for organizations to incorporate Privacy by Design or by Default into generative AI, machine learning, or similar systems, which include fairness, ensuring ethical practices, transparency, security, and accountability.

The Data Protection Regulations 2020 (the 2020 Regulations) came into effect on July 1, 2020, the same day as the Law. On September 1, 2023, the DIFC announced the enactment of amendments to the 2020 Regulations through Regulation 10 on Processing Personal Data Through Autonomous and Semi-Autonomous Systems. Notably, the DIFC highlighted that the Data Protection Regulations were the first enacted regulation in the Middle East, Africa, and Southern Asia (MEASA) region on the processing of personal data via autonomous and semi-autonomous systems such as AI or generative machine learning technology.

Insights

In this Insight article, Maher Ghalloussi and Lucrezia Lorenzini, from Baker McKenzie LLP, delve into the significant amendments made to the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (the Data Protection Law). The updates aim to enhance data protection practices, with a focus on regulating the processing of personal data through autonomous and semi-autonomous systems, marking a pioneering move in the Middle East.

In this Insight article, Anne-Caroline Albrecht, Partner at Bonnard Lawson, Dubai, explores the evolving landscape of international data protection, with a focus on the Dubai International Financial Centre's (DIFC) pioneering efforts and its recent assessment of California's Data Protection Regime.

In this Insight article, Laura Voda and Maquelin Pereira, from Fichte & Co Legal Consultancy, provide an update to part one of this series. As discussed previously, the Dubai International Financial Centre (DIFC) has a collection of tools for data processors and controllers to rely on for the protection of data, specifically when they are transferring data outside of the DIFC.

In light of global developments in data protection, specifically on the cross-border transfer of data, the Dubai International Financial Centre ('DIFC') seeks to provide enhanced tools to equip businesses and ensure compliance with both DIFC and international standards. As a global business hub, the DIFC is home to international players with both inward and outward data flows, which places these businesses at the crossroads of multiple jurisdictions when it comes to data compliance.

The DIFC has recently proposed updates to its data transfer guidance materials, namely the Standard Contractual Clauses ('SCCs'), the Ethical Data Management Risk Index ('EDMRI'), and the Data Export and Sharing Handbook ('DES Guide'). Dr. Laura Voda and Maquelin Pereira, from Fichte & Co Legal Consultants, provide an overview of the proposed updates and evaluate their impact in meeting the goals of the Data Protection Law, DIFC Law No. 5 of 2020 ('the Law').

On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law') was enacted, came into effect on 1 July 2020, and became enforceable from 1 October 2020, in addition to the Data Protection Regulations 2020 ('the Regulations'), (collectively, 'the DIFC Legislation'). More recently, on 8 March 2022, the DIFC enacted the DIFC Laws Amendment Law, DIFC Law No. 2 of 2022 ('the Amendment Law'), which incorporates amendments to several DIFC laws, including the Data Protection Law. This Insight article provides a summary of the key changes introduced by the amendments to the Data Protection Law following the enactment of the Amendment Law.

The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020 ('the Law') was enacted in the DIFC and came into effect on 1 July 2020, in addition to the Data Protection Regulations 2020 ('the Regulations'), (collectively, 'DIFC Legislation'). Furthermore, the DIFC has published several guidance materials relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.

The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020 ('the Law') was enacted in the DIFC and came into effect on 1 July 2020 in addition to the Data Protection Regulations 2020 ('the Regulations'), (collectively, 'DIFC Legislation'). In addition, the DIFC has published several guidance materials relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.
