On 18 June 2019, the Dubai International Financial Centre (DIFC) issued Consultation Paper No. 6 of 2019 (“Consultation Paper”) seeking public comments on the proposal by the Dubai International Financial Centre Authority (DIFCA) to issue a new Data Protection Law aimed at enhancing the existing legal framework on data protection in the DIFC (“Proposed Law”). The deadline for providing comments on the proposals in the Consultation Paper is 18 August 2019.
This note provides an overview of the objectives and key features of the Proposed Law.
Objectives of the New Data Protection Law
The Proposed Law is intended to replace the existing Data Protection Law No. 1 of 2007 and is aimed at:
(i) incorporating international best practices as well as elements of the GDPR (General Data Protection Regulation (EU)) and the California Consumer Privacy Act (USA);
(ii) expanding the compliance framework including in relation to data breach notification, prior consultation and data protection officer appointments;
(iii) providing for clarity on consent and data subjects’ rights; and
(iv) amending the powers of the Commissioner of Data Protection, the administrative requirements, and sanctions / enforcement.
Key Provisions of the New Data Protection Law
Application of the Proposed Law:
The Proposed Law applies in the DIFC and to the processing of personal data in the context of the activities of a controller or a processor operating, conducting or attempting to conduct business in or from the DIFC, regardless of whether the processing takes place in the DIFC or not.
Processing of Personal Data:
The principles under which personal data may be processed are identified; there are also separate requirements for the lawful bases of the processing of personal data and for the processing of special categories of personal data (data concerning health, origin, etc.).
Obligations of Processors or Controllers:
Under the Proposed Law, controllers must implement and maintain a written data protection policy (proportionate to the processing activities), as well as written records of the processing activities. Controllers and processors who undertake high-risk processing activities on a regular basis should appoint a DPO (data protection officer); the Proposed Law sets out the requirements for and the legal status of a DPO. Also, controllers with high-risk processing activities are obliged to conduct data protection impact assessments and must consult with the Commissioner of Data Protection in certain cases.
Joint Controllers must, by written agreement, detail how they will ensure compliance with the Proposed Law, in particular how they will interact with Data Subjects (in terms of the information requirements and the handling of Data Subject requests to exercise rights). Joint controllers’ liabilities are joint and several. However, Joint Controllers and Processors can agree on indemnities and reallocate the risks between themselves.
Data export outside the DIFC:
Provisions on the transfer of personal data to countries that provide an adequate level of data protection remain the same. However, when personal data is intended to be transferred to a third country (one that does not provide an adequate level of data protection), the controller or processor should provide appropriate safeguards. The Proposed Law also describes the limited circumstances of such transfers and the derogations under which the controller or processor need not apply those safeguards. In addition, there are provisions on how a controller must handle requests from official authorities to disclose Personal Data outside the DIFC.
Expansion of rights of a data subject: The Proposed Law introduces a wide range of rights granted to the data subject, which include:
(a) right to withdraw consent;
(b) right to access, rectification and erasure of personal data;
(c) right to object to processing;
(d) right to restriction of processing;
(e) right to data portability;
(f) right not to be subject to a decision based solely on automated processing;
(g) right to non-discrimination.
The Proposed Law indicates which of those rights are absolute (subject to certain exceptions) and which apply only in certain circumstances.
Notification of Breaches:
The obligation of the Controller to notify the Commissioner of Data Protection and the concerned data subjects about a data breach is not automatic and applies only when the breach exceeds certain qualitative thresholds, such as when it is likely to result in a high risk to the confidentiality, security, or privacy of the data subject. Such communication should be provided as soon as possible, in clear and plain language.
Code of Conduct and Certification Schemes:
Controllers and Processors are encouraged to draw up codes of conduct which set out the categories of personal data processed, the assertion of fair and transparent processing based on a legitimate aim, the information provided to data subjects and the exercise of their rights, data breach notification, and other personal data protection mechanisms. The Proposed Law also encourages the establishment of certification schemes for Controllers and Processors to demonstrate compliance with the Proposed Law. Such certifications could be issued by certification bodies on a voluntary basis.
In sum, the Proposed Law significantly updates the existing personal data protection regime. As stated above, it is currently open for public consultation, and anyone interested may provide comments within the 60-day consultation period (which ends on 18 August 2019).