Jurisdictions
BahrainIran (Islamic Republic of)IraqIsraelJordanKuwaitLebanonOmanQatarQatar Qatar Financial CentreQatar Qatar State Saudi ArabiaSyrian Arab RepublicUnited Arab EmiratesAbu Dhabi Global MarketDubai Health Care CityDubai International Financial CentreEmirate of Abu DhabiEmirate of DubaiUnited Arab Emirates FederalYemen
Jurisdictions

Dubai International Financial Centre

Law: DIFC Data Protection Law No. 5 of 2020 (the Data Protection Law)

Regulator: The Commissioner of Data Protection

Summary: On May 21, 2020, the DIFC Data Protection Law No. 5 of 2020 (the Law) was enacted in the Dubai International Financial Centre (DIFC). The Law came into effect on July 1, 2020. The DFIC is a financial free zone in the UAE, which itself is a federation composed of seven emirates. Being a financial free zone means that UAE federal, civil, and commercial law does not apply and the DIFC can create its own legal and regulatory framework for all civil and commercial matters.

The Law introduces requirements for data protection officer appointments, Data Protection Impact Assessments (DPIAs), and the right to data portability. As such, the Law will move the DIFC into closer alignment with the EU's GDPR. The Law became enforceable on October 1, 2020.

Notably, the DIFC Authority (DIFCA) launched a public consultation on proposed amendments to the Law, ending on May 17, 2023, aiming to provide means for a better, safer, and more ethical management of data processing. In particular, the proposed amendments provide for new provisions regarding:

  • controller and processor obligations with regard to data breach incidents;
  • controller and processor obligations in connection with the use of personal data for digital communications and services;
  • controller and processor obligations regarding controls and safeguards in connection with the use of digital enablement technology systems, including artificial intelligence (AI) systems; and
  • concepts for organizations to incorporate Privacy by Design or by Default into generative AI, machine learning, or similar systems, which include fairness, ensuring ethical practices, transparency, security, and accountability.

The Data Protection Regulations 2020 (the 2020 Regulations) came into effect on the same day as the Law on July 1, 2020. On September 1, 2023, the DIFC announced the enactment of the amendments to the Data Protection Regulations 2020 through Regulation 10 on Processing Personal Data Through Autonomous and Semi-Autonomous Systems which amends the Data Protection Regulations 2020. Notably, the DIFC highlighted that the Data Protection Regulations were the first enacted regulation in the Middle East, Africa, and Southern Asia (MEASA) region on the processing of personal data via autonomous and semi-autonomous systems such as AI or generative machine learning technology.

JURISDICTIONS

Gain access to unlimited articles with 7 day access to all features, no credit card required.

or

Other options:

LatestGuidance NotesData ResidencyRetention Schedules

There are no articles.