The Dubai International Financial Centre (“DIFC”) is proposing significant amendments to its Data Protection Law, DIFC Law No. 5 of 2020 (“DPL”), set out in DIFC Law Amendment Law No. 1 of 2025.
A consultation paper (“Consultation Paper”) has been released regarding the proposed amendments, allowing concerned entities to provide feedback until 25 March 2025.
BACKGROUND
The Dubai International Financial Centre (DIFC) Data Protection Law, DIFC Law No. 5 of 2020, was enacted in May 2020 and is the legal framework that governs how personal data is handled within the DIFC, aiming to protect individuals’ data and ensure responsible data processing by businesses. This law is significantly influenced by international standards like GDPR and CCPA, bringing DIFC privacy legislation closer to global practices. The DIFC is now proposing amendments to its data protection law that include broadening the law’s extraterritorial scope to align with international practices, impacting both UAE businesses incorporated outside the DIFC and international businesses to the extent that their products and services are supplied to or utilized in the DIFC.
Data subjects will now be able to initiate personal legal action and claim damages directly in the DIFC courts (including damages for distress), without first referring to the DIFC’s Commissioner of Data Protection.
Proposed changes include additional obligations for sharing personal data with public authorities and new penalties for non-compliance. The fine for failing to submit a data protection impact assessment will increase more than twofold, and a new fine of USD 25,000 has been introduced for failure to submit the DIFC’s annual notification of data processing.
While the DIFC describes the amendments as “largely clarificatory” in nature and as aiming to ensure that the DPL remains “in line with international best practice,” certain proposed changes, particularly the widening of the DPL’s extra-territorial reach, could have far-reaching impacts on businesses in the UAE and internationally.
Scope of Application
The proposed amendments aim to clarify the scope of application of the DPL to ensure that DIFC data subjects are fully protected, aligning with international standards such as the GDPR. The amendments also remove the reference to “other than on an occasional basis”, potentially broadening the scope of limb (b) to include one-time and ad-hoc arrangements. As a result, Controllers and Processors incorporated outside of the DIFC will fall into the scope of the DPL if they enter into contractual arrangements involving the processing of personal data within the DIFC. The Consultation Paper suggests that this change is a clarification rather than an expansion of scope, indicating that this is how limb (b) should have always been interpreted.
In addition, the proposed amendments widen the extraterritorial scope of the DPL by introducing a new provision which states that the processing of the personal data of a data subject “in the DIFC” will be governed by the DIFC DPL, regardless of the Controller’s or Processor’s incorporation location, if such processing involves:
- offering goods or services to Data Subjects in the DIFC; or
- monitoring the behaviour of a data subject in the DIFC.
Although “in the DIFC” is not defined, the Consultation Paper explicitly refers to both data subjects who are “habitually resident” and those whose “place of work” is in the DIFC.
Review of Article 28 – Data Sharing
The DPL includes provisions in Article 28 regarding the steps a Controller or Processor must take before disclosing personal data to a public authority. These steps include ensuring that:
- The request is valid and proportionate; and
- The requesting authority will respect the data subject’s rights under the DPL.
This proposed new right to redress for data subjects indicates that disclosures of personal data may not be possible unless the requesting authority commits to honouring the data subject’s rights under the DPL, and to providing the data subject with the right to seek direct redress against it. This may complicate the observance of UAE federal disclosure requests, where an individual right of redress may not be practical.
Data Subject Right to Initiate Personal Action
The proposed amendments to the DPL would grant data subjects the right to initiate personal actions in the DIFC courts against a breaching Controller, Processor, or Joint Controller without first having to await enforcement action by the Commissioner.
Furthermore, the proposed amendments clarify that both financial damages and damages for distress may be claimed, significantly increasing the potential for recovery, as proving monetary damages arising from a data breach is often challenging.
Enhanced Fines
A specific fine of USD 25,000 is proposed to be introduced for the failure to submit the DIFC’s annual notification of data processing. Additionally, the fine for failure to carry out a data protection impact assessment is proposed to increase from USD 20,000 to USD 50,000, and the fine for non-compliance with Article 28 (Data Sharing) would rise from USD 10,000 to USD 50,000.
The exact text and copy of the Amendments can be accessed here.
Should you need any clarification or would like to discuss any query related to the said development or generally any aspect related to the Law, please feel free to contact:
Salman Waris,
Founder
Privacy Academy
Email: salman.waris@techlegis.com
Ph: +971-585442415