Dubai International Financial Center (DIFC), Dubai’s financial services free zone, has issued a new Data Protection Law (DIFC Law No. 5 of 2020), replacing the current regime. The purpose of this law is to provide enhanced standards and controls for the processing and free movement of personal data by controllers or processors and to protect the fundamental rights of data subjects. This includes how such rights apply to the protection of personal data in emerging technologies.

The law aligns DIFC’s data protection landscape with measures adopted globally, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. The goal is to establish enhanced governance and transparency requirements that will place DIFC on par with international laws and regulations.

This is a clear step towards DIFC establishing itself as an internationally recognized jurisdiction for data protection. In turn, this will contribute to achieving “adequacy” status, thus facilitating transfer of personal data from Europe.

When does the new law come into effect?

The new law comes into force on 1 July 2020. However, the DIFC Commissioner of Data Protection (the Commissioner) is not expected to actively enforce the law until 1 October 2020. This gives organizations a window of four months in which to review their data protection and processing activities and implement the latest compliance measures.

What about the previous DIFC Data Protection Law of 2007?

The DIFC Data Protection Law 2020 and updated Data Protection Regulations repeal and replace the existing Data Protection Law of 2007.