A year after companies within the Dubai International Financial Centre (DIFC) were required to comply with the Data Protection Law No 5, a new United Arab Emirates (UAE)-wide regulation is on the horizon.
Companies were given until October 2020 to comply with the DIFC data protection law, which had been enacted four months previously to replace the DIFC Data Protection Law No 1 of 2007. The latest data protection law sought to ease international data transfer for companies operating within the DIFC by aligning local data privacy regulation with the European Union’s General Data Protection Regulation (GDPR).
The DIFC is a financial hub for the Middle East, Africa and South Asia that was set up in Dubai as a free zone – a geographically demarcated area within the UAE with its own laws and regulations. Traditionally, free zones have been set up to promote specific sectors, such as media and finance, and were given the freedom to set their own laws, which tend to be pro-business. Companies operating outside free zones are said to be “onshore”.
More than just a large community of banks and investment firms, the DIFC is also a business hub where companies from a range of industries are headquartered. The new data protection law applies to companies incorporated in the DIFC, regardless of where data processing takes place, and to companies that are incorporated elsewhere but process personal data in the DIFC regularly.
The goal of the new law is to minimise the need for individual organisations to put in place specific data transfer mechanisms, such as standard contractual clauses (SCCs), to exchange data with entities in the EU and the UK. It comes as no surprise that the new law is very similar to the GDPR, including data protection principles and rights for data subjects, as well as transparency and governance obligations.
“Many financial institutions in DIFC operate globally and were already under GDPR,” said Nader Henien, analyst and fellow of information privacy at Gartner. “In fact, much of their data infrastructure is housed in Europe, which has helped them avoid the common mistakes that might yield fines under the 2020 Data Protection Law.”
Like the GDPR, the new law requires both controllers and processors to appoint a data protection officer (DPO), who must monitor for compliance and get involved in all data protection issues. The DPO’s job is protected, so officers cannot be dismissed or penalised for performing their duties.
Data Protection Law No 5 is enforced by a regulator, the commissioner of data protection, who has the power to impose sanctions, including a maximum fine of $100,000. Businesses may also be required to pay compensation directly to data subjects – an amount that is not capped.
So far, there are no published reports of fines being issued. “The DIFC commissioner takes a relatively pro-business position on compliance,” said Jack Rossiter, a consultant working for British law firm Simmons & Simmons out of its office in the DIFC. “They made it clear that, in the first instance, they are likely to use powers other than fines to encourage compliance.
“Like any new law, it’s about education and awareness. Although the DIFC is a sophisticated hub, there are some businesses that aren’t familiar with data protection regimes, because, especially in the Middle East, it’s not the same history of individual rights. It’s about education and that’s something the commission is particularly good at.”
Data transfers to the free zone not as easy as expected
Rossiter added: “One of the things my company does is to help companies navigate the different privacy laws. We carry out cross-border surveys to build a map of the laws and regulations in countries across the globe, and whether they can actually guarantee the level of protection that is needed.”
To make it easier for global organisations, data protection commissioners can examine the laws in other countries, and how they are enforced, to determine whether those countries have adequate levels of data protection. The effect of an adequacy decision by the EU, for example, is that personal data can flow from the EU to the other country without further safeguards, as if the transfer were within the EU. Where no adequacy decision has been made, further safeguards must be used – and experts are often brought in to help work out which ones.
“But adequacy decisions do not always come easily,” said Rossiter. “The DIFC doesn’t even consider the rest of the UAE to have an adequate level of data protection, which makes it challenging for the businesses with a footprint in the DIFC and onshore.”
While the DIFC considers the level of protection in all EU countries to be adequate, so far the EU has not even considered the DIFC for an adequacy decision. Part of the problem is that the DIFC is not a country. “Traditionally, the EU considers entire countries for adequacy,” said Gartner’s Henien. “The European Commission may not accept an application for the DIFC, but would be more likely to do so for the UAE as a whole.”
The situation is different between the DIFC and the post-Brexit UK. The fact that both London and Dubai are global financial hubs has provided an incentive for the UK to move more quickly. In August 2021, the DIFC announced that it had formally engaged with the UK for an adequacy assessment, which makes the DIFC the only jurisdiction in the Middle East even being considered for adequacy by the UK.
As for the DIFC considering the UK as adequate, that positive ruling was made before the August announcement. This means companies handling data in the DIFC are allowed to transfer it to the UK without having to put special mechanisms in place.
In the end, no one has ever accused the UAE of not knowing how to make money. So it’s not surprising that in September 2021, the UAE announced that a new federal data protection law was in the works. Henien added: “I expect the federal law to be a lighter version of the GDPR that could very much put the UAE as a whole on the path to an adequacy decision from the EU.”