The Dubai International Financial Centre (“DIFC”), a financial services free zone in the Emirate of Dubai in the UAE, recently released Data Protection Law DIFC No.5 of 2020. The law came into effect on 1 July 2020. Companies have a 3 month grace period to prepare for the new requirements. There is some good news though – the new law draws inspiration from several existing laws, such as the GDPR and CCPA, combining best practices with clear intent to be both innovative and pragmatic.
The question many privacy professionals across the EU may be asking is whether existing GDPR readiness will be enough to comply with the updated DIFC requirements?
This is a high-level overview of some of the main differences between these two privacy regulations
Scope of the law
When it comes to the applicability of the law, the DIFC approached matters from a different perspective to EU lawmakers. The DIFC looks at the place of incorporation of the company, meaning that incorporation within the DIFC makes a controller or processor subject to the law. Also, the law applies to those companies that process personal data within the DIFC, as part of stable arrangements, even if they are not incorporated in DIFC.
GDPR on the other hand, looks at the concept of a company’s establishment within the EU instead of its incorporation. Moreover, it applies to the processing of personal data of those data subjects in the EU, rather than the companies within its borders.
Lawfulness and the legal bases available for processing of data are very similar to those in GDPR. However, the requirements for obtaining and assessing the validity of consent of data subjects are more demanding. According to the DIFC rules, in most cases it is not enough to obtain consent once – the validity of consent obtained must be assessed on an ongoing basis and each controller needs to implement measures that would support it. If the controller has doubts whether the consent should be considered valid then it must actively re-confirm the consent of the data subject.
Record of processing activities
Both the DFIC law and GDPR require that controllers and processors keep a record of the processing activities that they undertake. This relates to both controllers and the activities that processors perform on behalf of the controllers. The DIFC law, though, imposes more requirements on processors as they need to track more information in their records. In short, processors have responsibilities – similar to those of controllers in terms of keeping a record of what they process.
The obligation to designate a Data Protection Officer is present for both GDPR and the DIFC data protection law, and a new addition to the latter. The DIFC law provides that a company performing high risk processing activities on a systematic or regular basis shall appoint a DPO.
The DIFC law defines high-risk processing activities as processing that includes new technologies that create materially increased risk to the security or rights of individuals, or it would make it more difficult for them to exercise their rights. This includes activities that process a considerable amount of personal data that could lead to a higher risk to data subjects or special categories of data, or processing that involves systematic evaluation of data subjects such as profiling.
What is also worth mentioning is that the DIFC offers a pragmatic solution for international companies. In general, the DPO should be resident in the UAE, but if a corporate group already has a DPO elsewhere, this would be sufficient to satisfy the DPO requirement.
Despite this, and to ensure smooth cooperation between the Commissioner and the companies, there is an obligation to delegate responsibilities for data protection to one individual in the DIFC. That person must be known to the Commissioner so that, if required, it will be easier to establish contact.
Data Subject Rights
There is one noticeable difference regarding data retention and the right to erasure. GDPR requires that when data are no longer required, or when a data subject has requested data erasure, this personal data must be erased unless an exemption applies. DIFC rules are less stringent in this regard. According to the DIFC law, both anonymisation and pseudonymisation would be enough to fulfill an erasure request. Archiving could also be taken into consideration provided archived data is put beyond further use.
Right to erasure
In addition to the above, personal data will not have to be erased, anonymised or pseudonymised if these data form a part of a dataset used to train an AI system. Of course, any such usage of personal data cannot present risks to data subjects and a DPIA is required before AI training starts. Further, the right to erasure does not have to be complied with if deletion of data is not technically possible. This could be applied to a blockchain technology scenario. As we know, blockchain creates an irreversible record or ledger. This makes it problematic to comply with storage limitation requirements, for example. The DIFC law allows for an exception to facilitate the adoption of blockchain technology provided the controller makes this clear to the data subject at the outset that the ability to erase certain data may be impacted if they proceed with the processing. This regulatory innovation by the DIFC aligns strongly with a drive by both the UAE Federal and Dubai governments to promote the adoption of blockchain technology.
Right to non-discrimination
Another unique data subject right is the right to not be discriminated against. It seems to have been inspired by the Californian Consumer Privacy Act. Generally, data subjects cannot be discriminated against while exercising their rights. In practice this could mean that an individual cannot be denied service or be offered a less favorable service or price for withdrawing – for example – their consent for receiving marketing materials. The data subject could, however, be offered an incentive (financial or not) for not withdrawing it.
When to comes to data breaches the most important and business friendly aspect is the lack of a deadline for notifying the Commissioner and/or data subjects about an incident. The DIFC law uses the phrase “as soon as practicable in the circumstances”. European experience suggests that larger companies find it very challenging to gather the data required to offer sufficient clarity on the position, and then to notify within 72 hours, as prescribed in GDPR. The DIFC appears to impose a slightly more pragmatic requirement, affording companies an opportunity to gather additional data which should enable controllers to explain what happened, propose mitigating measures and, if applicable, changes to their processes to avoid similar events in the future. I would like to point out though, that where there is an immediate risk of damage to data subjects, notification to the Commissioner must occur without undue delay.
Data transfers outside DIFC
DIFC has confirmed a list of 43 current jurisdictions that offer adequate levels of protection meaning transfers of data to these locations would not require appropriate safeguards like the standard contractual clauses adopted by the Commissioner or binding corporate rules. For clarity, transfers from the DIFC free zone to the rest of the UAE, except the Abu Dhabi Global Market (ADGM) free zone which has adequacy, are considered Third Country transfers. This is because the UAE does not yet have a Federal data protection law, although we can confirm that the government is currently finalizing a draft for release at some point in the future.
The DIFC will also very likely seek to achieve adequacy status with the EU and the UK after Brexit. The DIFC’s incorporation of various global best practices also indicates an intention to look beyond the EU and US, to other jurisdictions in the Asia Pacific region, and South America.
Tips for starters – what to do?
Here are some suggested tips for any companies who may be starting their data protection journey. They offer guidance on where to start and what to look at when assessing your level of readiness, and what you could consider doing to address any gaps.
1. Check if the law applies to you – keeping in mind, as noted above, that it is applied differently to GDPR. Does your company process personal data? Is the processing performed within the DIFC? Are we incorporated within the DIFC? If the answer to at least one is yes, then the law most likely applies to you.
2. Check what personal data you process and the likely volumes of this personal data. Does your company perform high risk activities – e.g. using AI technology to make automated decisions that impact data subjects? Based on the answer you might have to consider appointing a DPO.
3. Check if your company needs to have an appointed DPO. If yes, choose someone with practical experience with privacy. If you decide not to appoint a DPO, then select one person based in the DIFC to be the designated contact point for the Commissioner and consider seeking external support with the operationalisation of your data protection program.
4. Map the personal data you collect and all data transfers and create an appropriate record of processing activities process. This is likely to become a key new challenge for many companies, and one that may well require external support and a need for automation using a privacy platform. If you are a processor, also include the activities performed on behalf of the DIFC controller.
5. Review your policies and procedures. Check if they have all the information required but also make sure they are practical in nature, e.g. they tell your staff what to do when there is a data breach.
6. Review your privacy notices and consent notices. Implement measures to track consent and processes that will help you to assess the ongoing validity of the consent that has been collected.
7. Carefully review your contracts with vendors. Do they have the required data protection clauses? Is data sent abroad? If yes, does the country have an adequacy status, or alternatively, have safeguards like standard contractual clauses been adopted?
8. Consider updating training and creating ongoing awareness about the importance of data protection in the company
9. Establish a new or updated data breach procedure that includes a focus on your obligation as a processor, or obligations for your processors if you are a controller.