The Dubai International Financial Centre (DIFC) has recently announced an update to its data protection legislation. The new law, Data Protection Law No. 5 of 2020 ("DPL") (which is accompanied by new regulations) is said by the DIFC to combine "the best practices from a variety of current, world class data protection laws, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act and other forward-thinking, technology agnostic concepts". DPL will be effective from 1 July 2020 but, to give businesses a grace period, is not expected to be enforced until 1 October 2020.
Those familiar with GDPR will recognise much of the terminology and many of the provisions of DPL. For instance:
- "Controllers" and "Processors" will have to demonstrate compliance and maintain a record of processing activities
- Some companies will have to appoint a data protection officer and conduct data protection impact assessments, depending on whether they conduct 'High Risk Processing Activities'
- Controllers will have to notify the DIFC Commissioner in the event of certain personal data breaches
- The Commissioner has the ability to issue fines for violations, as well as public reprimands, and can hold both the Controller and the Processor jointly and severally liable for any damage.
DPL builds on existing DIFC law, and should not present too much of a burden for those companies which are already complying with that prior law. It is notable, however, that it provides further evidence that the EU's GDPR is increasingly seen as a benchmark for other jurisdictions, as highlighted in the EU Commission's recent evaluation report on GDPR, where it describes it as a "global standard-setter for the regulation of the digital economy". This is no surprise – the more aligned that data protection laws are, the easier it is for data to flow across borders, and the easier it is for trade to take place.