Dubai on its way to update the data protection law

The Dubai International Financial Centre (DIFC) has moved beyond its conventional role and has emerged as a FinTech hub: 2019 witnessed a four-fold growth in the number of innovation-focussed technology companies under its FinTech Hive initiative, taking the total to 138 companies as of now. On 4 March 2020, the Office of the Commissioner of Data Protection, DIFC conducted its first legal outreach session on the new DIFC Data Protection Law (DP Law)[1]. The session drew a full room of lawyers, in-house counsel and privacy professionals, among others. It was opened by Jacques Visser, Commissioner of Data Protection, DIFC, followed by a presentation by Lori Baker, Director of Data Protection, DIFC. The DIFC intends to replace and expand the existing Data Protection Law No. 1 of 2007, hence the new DP Law.

The Journey of DP law in DIFC

Baker opened the session by tracing the journey of the new DP Law from January 2019, when planning for it commenced. In June 2019, Consultation Paper No. 6 of 2019 was floated seeking public comments on the proposal by the Dubai International Financial Centre Authority (DIFCA) to issue legislation on the protection of personal data through the new DP Law [see PL&B Int August 2019, pp.24-25]. The 60-day consultation on the draft ended on 18 August 2019, with feedback received from around the world, including the US, the EU and the Middle East.

The Vision for the DP Law 2020

Baker noted that the widely held sentiment that “data is the new oil” is expected to drive the economy in the fourth industrial revolution. Accordingly, the updated DP Law sets out expectations for data controllers and processors, combining best practices from a variety of current, world-class data protection laws, to enable ethical data sharing and management. Critical components of the new DP Law include:

  1. Legislating for accountability of data controllers and processors through compliance programs and data protection impact assessments, data protection by design and default, data protection policy and compliance program requirements, in addition to DPO appointment;
  2. Clarifications of data subject rights, by both enhancing these rights as well as ensuring contractual clarity for emerging technological services and solutions;
  3. Removal of the permit system options for cross-border data transfers and sensitive data processing, while maintaining the other bases for international transfer;
  4. Removal of the schedule of fines prescribing maximum administrative fines that could be imposed for respective contraventions. Instead, the proposed DP Law recognises that the adverse effects of a contravention cannot be quantified in advance. Accordingly, under the new DP Law, the Commissioner of Data Protection has the power to impose such fine as he considers appropriate. The level of the fine will be determined by the Commissioner of Data Protection, taking into account the seriousness of the contravention and the risk and actual harm to data subjects.
  5. Facilitating appropriate data sharing structures between governmental authorities; and
  6. Providing a framework that will support DIFC’s bid for adequacy recognition by the European Commission and the United Kingdom. This will enable data transfers from the DIFC to the EU and UK, which is a major aspect of ease of doing business for Controllers and Processors in the DIFC. It will also especially serve to support the UAE in obtaining the same recognition when it enacts its own national data protection legislation.

Some key updates elaborated

  1. The introduction of the Data Protection Officer (DPO) – Mandatory for all controllers and processors that undertake High Risk Processing Activities systematically, regularly or necessarily to carry out their business. In other cases, a controller or processor may designate a DPO voluntarily; however, such entities may be required to designate a DPO by order of the Commissioner of Data Protection and must, if so required, do so. A Group may appoint a single DPO provided that the DPO is easily accessible from each undertaking in the Group. The DPO must be resident in the UAE unless the DPO is an individual employed within the organisation’s Group outside the UAE and performs a similar function for the Group on an international basis. Subject to the above, a DPO may be a staff member of the controller or processor or may fulfil the tasks under a service contract.
  2. Prior consultation – The controller shall consult the Commissioner of Data Protection where a data protection impact assessment under the Act indicates that, despite the measures prescribed, the risks to the rights and freedoms of data subjects remain particularly high, and the controller has already carried out or wishes to commence or continue the processing activity. Controllers may consult, where required, with the Commissioner of Data Protection before commencing the processing activity in question. The controller is not prohibited from commencing the processing activity before or during the consultation period where there is insufficient time to complete the consultation in advance and there is a pressing business need to commence processing which is not overridden by the vital interests of the data subjects. Such processing must comply with the law at all times, and the controller remains liable for breaches of the law prior to or during the consultation period. The controller’s decision to consult, or failure to consult, will be taken into account by the Commissioner when considering any applicable sanctions under the law. A failure to consult the Commissioner of Data Protection when required may result in more severe penalties if the processing in question violates the law.
  3. Cessation of processing – Where the basis for processing ceases to exist, or the controller is required to cease processing through the exercise of data subject rights, the controller must ensure that all personal data (including personal data held by processors) are securely and permanently deleted. Where the controller is unable to ensure secure and permanent deletion, the personal data must be archived in a manner which ensures that (a) the controller is not able, and must not attempt, to use the personal data to inform any decision in respect of the data subject or in a manner that affects the data subject in any way; (b) no party other than the controller has access to the personal data; (c) the personal data are protected by appropriate technical and organisational security no less than that afforded to live personal data under the law; and (d) the controller has in place a strategy for the permanent deletion of the personal data if, or when, this becomes possible (which the controller must comply with). This provision does not apply where the personal data are necessary for the establishment or defence of legal claims or must be retained for compliance with applicable law. The controller must have a policy and process for securely and permanently deleting personal data subject to the above once the grounds for retention no longer apply, and must delete the data securely and permanently when those grounds cease.
  4. Data subject rights – The rights remain the same but have been elaborated upon and aligned to absorb the impact of emerging technology. The provision that specifically addresses emerging technology covers cases where rectification or erasure of personal data is not feasible for technical reasons. In such an event, the controller is not in violation of the law for failing to comply with a request for rectification or erasure if: (i) the controller collected the personal data from the data subject; (ii) the information provided to the data subject was explicit, clear and prominent with respect to the manner of processing the personal data; and (iii) that information expressly stated that rectification and/or erasure (as the case may be) of the personal data at the request of the data subject would not be feasible.
  5. Personal data breaches and their reporting – The provision has been enhanced: the processor must now play a larger role in overall accountability, and the data subject must be informed in certain cases. If a personal data breach compromises a data subject’s confidentiality, security or privacy, the controller must, as soon as feasible in the circumstances, notify the breach to the Commissioner of Data Protection. The processor must notify the controller without undue delay after becoming aware of a personal data breach. Both controllers and processors shall fully co-operate with any investigation the Commissioner of Data Protection wishes to conduct in relation to a personal data breach. When the breach is likely to result in a high risk to the confidentiality, security or privacy of data subjects, the controller shall communicate the breach to the data subjects as soon as feasible in the circumstances.
  6. International transfers – The process has been realigned and enhanced to match current international adequacy standards, and additional mechanisms such as Binding Corporate Rules (BCRs) are recognised. Any processing that involves transferring personal data to a recipient in a third country outside the DIFC, or to an international organisation, may take place only if: (i) an adequate level of protection for the personal data is ensured by the laws and regulations applicable to the recipient, including with respect to onward transfers; or (ii) the controller or processor has provided appropriate safeguards, on condition that enforceable data subject rights and effective legal remedies are available to data subjects. The appropriate safeguards may be (a) a legally binding and enforceable instrument between public authorities or bodies; (b) Binding Corporate Rules; (c) standard contractual clauses adopted by the Commissioner of Data Protection; (d) an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or (e) an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards. Besides these, the law also provides certain “derogations” or “limited circumstances” that a controller may rely on.

Road ahead

The aim of the legal outreach session was to inform stakeholders of the critical changes in the new DP Law. Baker informed the audience that the new draft was pending with His Highness the Ruler for enactment and would be published as soon as it was enacted. Companies are intended to be given three months to align their processes and systems with the new Law, which is planned to come into effect on 1 July 2020. However, in light of recent Covid-19 related developments, it is uncertain what the DIFC’s further course of action on its new DP Law will be.

Author: Tripti Dhar

[1] The DIFC Data Protection Law 2007 applies only in the jurisdiction of the Dubai International Financial Centre.
