In Brief:

  1. In a consultation released in February 2025, the DIFC proposed various amendments to the DIFC’s data protection law, which we reported on ahead of the closing of the consultation period here: https://hadefpartners.com/news-insights/insights/proposed-amendments-to-the-difc-data-protection-law/.

  2. On 8 July 2025, a number of the proposed amendments were enacted into law, and came into effect on 15 July 2025.

  3. In this article, we analyse the material changes ultimately adopted as amendments to DIFC Law No. 5 of 2020 (“DIFC DPL”).

Scope of Application

The changes proposed to Article 6(3) (a) and (b) of the DIFC DPL with respect to the scope of the DIFC DPL were adopted. The changes to Article 6(3) (a) were not material, and controllers, processors and sub-processors which are incorporated in the DIFC remain firmly within the scope of, and thereby must comply with, the DIFC DPL.

The changes to the extra-territorial scope of the DIFC DPL, as contained in Article 6(b), and, in particular, the removal of the words ‘other than on an occasional basis’, are of note, notwithstanding the DIFC consultation describing the changes to the law as simply restating its original intent. Under Article 6(b), controllers, processors and sub-processors will be in the ambit of the DIFC DPL, regardless of where they are incorporated, if their processing takes place in the DIFC as part of a ‘stable arrangement’. Transfers of personal data made out of the DIFC as part of such processing will also be included. This means that where personal data is collected in the DIFC and subsequently transferred out of the DIFC for further processing, the relevant controller, processor or sub-processor carrying out such collection and subsequent transfer may fall into the remit of the DIFC DPL in regard to that personal data, even where its incorporation location is outside of the DIFC.

A stable arrangement, as expanded upon in DIFC-issued guidance, includes any ‘legally binding or recognised agreement or relationship of an existing, valid sort’. The removal of the words ‘other than on an occasional basis’ makes it clear that the longevity or frequency of an arrangement is irrelevant to what is deemed a stable arrangement, provided the arrangement is ‘stable’. One-time contracts that involve the processing of personal data within the DIFC, including transfers of such personal data outside the DIFC as part of that contractual arrangement, may therefore still be sufficient to qualify as a stable arrangement for the purposes of the DIFC DPL.

By way of example, a contract formed between a vendor who is based outside of the DIFC and a purchaser based inside the DIFC that results in personal data being processed, for example, by way of collection in the DIFC, and including any transfer of such personal data made outside of the DIFC as part of such processing, may be a stable arrangement falling into the scope of the DIFC DPL. This means that the vendor must comply with the DIFC DPL in respect of the Personal Data it processes pursuant to that arrangement, even where the vendor is established outside of the DIFC.

As was noted in the guidance issued for the consultation on the proposed changes to the DIFC DPL in February, this is not considered a change to the law, but rather a restatement of its original intent. This follows decisions of the DIFC courts regarding the extraterritorial scope element of the DIFC DPL. The 2024 DIFC court decision regarding Careem and its use of drop-off and pick-up points located in the DIFC provides particularly helpful guidance. You can see the full judgment here.

As a notable limitation to the extra-territorial scope of the DIFC DPL, the suggested addition of an Article 6(c) to the law, which proposed that the processing of the personal data of a data subject in the DIFC would be governed by the DIFC DPL, regardless of the place of incorporation of the controller or processor, if such processing involved:

  1. offering goods or services to data subjects in the DIFC; or

  2. monitoring the behaviour of a data subject in the DIFC,

has not been adopted into the law.

This means that the DIFC has not gone as far as the EU General Data Protection Regulation (GDPR) with respect to the ‘targeting’ of data subjects. However, as our example above and the Careem case both illustrate, Article 6(b) is, nevertheless, sufficiently broad to bring a wide range of entities established outside the DIFC within the scope of the DIFC DPL, where their dealings or operations in the DIFC amount to a stable relationship.

Private Right of Action

As we noted in our prior article relating to the consultation, under the original law data subjects whose personal data is processed in violation of the DIFC DPL, or whose rights have been breached, were limited to seeking recourse through the DIFC Commissioner; only after the DIFC Commissioner had declined to take enforcement action could a data subject appeal directly to the DIFC Court.

The amendments proposed, which grant data subjects the right to initiate personal actions in the DIFC court against a breaching controller, processor, or joint controller, without first having to await enforcement action by the Commissioner, have been adopted in full.

Data Sharing

The DIFC DPL includes provisions in Article 28 regarding the steps a controller or processor must take before disclosing personal data to a public authority. Prior to the amendments to the law taking effect, these steps included, under Article 28(2), the transferring entity taking reasonable steps to satisfy itself that:

  1. the request was valid and proportionate; and

  2. the requesting authority would respect the rights of data subjects under the DIFC DPL.

The amendments proposed to the law added a further requirement for controllers and processors transferring personal data to public authorities to ensure that affected data subjects had the right to seek other legal forms of suitable redress in the requesting authority’s jurisdiction.

These proposed amendments, however, have not been adopted, and Article 28(2)(b) (as mentioned above) has also now been removed from the DIFC DPL. One might suppose that this suggests something of a softening of the obligations on controllers and processors receiving data sharing requests from public authorities. However, in our view, the removal of Article 28(2)(b) does not materially change the existing obligations found in Article 28 because, under Article 28(1)(c), the transferor, if practical, must obtain written assurances from the requesting authority that it will honour the rights of data subjects and comply with the data protection principles set out in Part 2 of the DIFC DPL (which includes data subject rights). Therefore, the transferor must, insofar as is feasible, take steps to seek to ensure that the requesting authority will respect the data subject’s rights under the DIFC DPL in any event.

While the obligations under Article 28 have not been amended, the fine for breach of Article 28 has increased from USD 10,000 to USD 50,000. Article 28 therefore remains critically important in the context of public authority data sharing requests.

Fines

All proposed fine changes and new fines have been adopted as were proposed in the consultation, and these, as they stand today, are as follows:

| Article | Contravention | Fine |
|---------|---------------|------|
| 19 | Failure to submit the DIFC’s DPO annual assessment | *New* USD 25,000 |
| 20 | Failure to carry out a data protection impact assessment prior to undertaking high risk processing activities | *Increase* from USD 20,000 to USD 50,000 |
| 28 | Failure to comply with Article 28’s public authority data sharing requirements | *Increase* from USD 10,000 to USD 50,000 |

For further information related to this article, please contact Diana Froyland, Senior Counsel, Commercial.

 
