In Brief:
- The DIFC is proposing amendments to its data protection law and has released a consultation that closes on 25 March 2025.
- The amendments include broadening the law’s extraterritorial scope to align with international practices, impacting both UAE businesses incorporated outside the DIFC as well as international businesses to the extent that their products and services are supplied to or utilized in the DIFC.
- Data subjects will now be able to initiate personal legal action and claim damages directly in the DIFC courts (including damages for distress), without first referring to the DIFC’s Commissioner of Data Protection.
- Proposed changes include additional obligations for sharing personal data with public authorities and new penalties for non-compliance.
- The fine for failing to submit a data protection impact assessment will increase more than twofold, and a new fine of USD 25,000 has been introduced for failure to submit the DIFC's annual notification of data processing.
The Dubai International Financial Centre (“DIFC”) is proposing significant amendments to its Data Protection Law, DIFC Law No. 5 of 2020 (“DPL”), and has proposed these amendments in DIFC Law Amendment Law No. 1 of 2025. A consultation paper (“Consultation Paper”) has been released regarding the proposed amendments, allowing concerned entities to provide feedback until 25 March 2025.
While the DIFC describes the amendments as “largely clarificatory” in nature and as aiming to ensure that the DPL remains “in line with international best practice,” certain proposed changes, particularly the widening of the DPL's extra-territorial reach, could have far-reaching impacts on businesses in the UAE and internationally.
Scope of Application
The DPL currently applies to:
- (a) The processing of personal data by a Controller or Processor incorporated in the DIFC, regardless of whether the processing occurs within the DIFC;
- (b) Controllers or Processors, regardless of their place of incorporation, that process personal data "in the DIFC" as part of a "stable arrangement," excluding arrangements conducted on an occasional basis. “In the DIFC” refers to situations where the means of processing or the personnel carrying out such processing are situated in the DIFC. A “stable arrangement” may be established via a contract.
The proposed amendments remove the reference to “other than on an occasional basis”, potentially broadening the scope of limb (b) to include one-time and ad-hoc arrangements. As a result, Controllers and Processors incorporated outside of the DIFC will fall into the scope of the DPL if they enter into contractual arrangements involving the processing of personal data within the DIFC. The Consultation Paper suggests that this change is a clarification rather than an expansion of scope, indicating that this is how limb (b) should have always been interpreted.
Perhaps more striking, however, is the proposed amendment widening the extraterritorial scope of the DPL. This amendment introduces a new provision which states that the processing of the personal data of a data subject “in the DIFC” will be governed by the DIFC DPL, regardless of the Controller's or Processor's incorporation location, if such processing involves:
- (a) offering goods or services to Data Subjects in the DIFC; or
- (b) monitoring the behaviour of a data subject in the DIFC.
Although “In the DIFC” is not defined, the Consultation Paper explicitly refers to both data subjects who are “habitually resident” and those whose “place of work” is in the DIFC.
The extraterritoriality of this amendment mirrors the extraterritorial scope of the EU’s General Data Protection Regulation (“GDPR”) and incorporates the GDPR-centric concept of ‘targeting’. There is a significant amount of GDPR-related guidance issued by the EU Data Protection Commissioner and the European Data Protection Board on what constitutes ‘targeting’ by way of offering goods or services or monitoring under the GDPR. On the basis that the DIFC Commissioner has noted explicitly, both in the Consultation Paper and in guidance, that the DPL must be read in conjunction with the GDPR and related guidance, such guidance will be relevant when interpreting the impact of the proposed new scope of the DPL.
On a practical level, drawing on the aforementioned GDPR-related guidance, this amendment will mean that, under limb (a), a company whose products and services can be ordered by an individual located in the DIFC, whether at their home or in their workplace, would need to comply with the DIFC DPL regarding personal data collected as part of that transaction. Under limb (b), a company that provides a monitoring device, such as a smartwatch, which collects the personal data of an individual who works in the DIFC would need to comply with the DIFC DPL regarding the collected personal data, whether such personal data was collected whilst the individual was in the DIFC or outside of the DIFC.
If this proposed amendment is adopted, non-DIFC entities who target or monitor individuals who live or work in the DIFC will need to develop systems and protocols to identify DIFC data subjects and ensure compliance with the DIFC DPL in respect of the personal data of such data subjects. It may also mean that non-DIFC entities need to comply with different UAE data protection regimes in regard to different data sets. For example, an onshore fast food delivery company must comply with the UAE Federal Data Protection Law and, now, potentially, the DIFC DPL, but in regard to the latter, only in respect of customers located in the DIFC (residents or workers) who they target with their goods or services, or whose actions they monitor.
It will be interesting to see how this will be applied in practice if the amendments are adopted. Unlike under the GDPR, where both the nation where data is stored and the EU have the sovereign right to regulate data, the DIFC is not a sovereign territory but part of the wider UAE. Companies doing business in the UAE do not typically delineate their product offerings between ‘onshore’ UAE and the geographical territory of the DIFC, unless licensing restrictions dictate. Much of the guidance issued with respect to the GDPR envisages a true ‘cross border’ relationship, and this may be challenging to apply in a situation where there is no hard border, and no differences in language, currency or website extension.
Private Right of Action
Currently, and as noted in the Consultation Paper, data subjects whose personal data is processed in violation of the DPL, or whose rights have been breached, are limited to seeking recourse through the DIFC Commissioner. Only after the DIFC Commissioner has declined to take enforcement action can a data subject appeal directly to the DIFC Court.
The proposed amendments to the DPL would grant data subjects the right to initiate personal actions in the DIFC courts against a breaching Controller, Processor, or Joint Controller without first having to await enforcement action by the Commissioner. Furthermore, the proposed amendments clarify that both financial damages and damages for distress may be claimed, significantly increasing the potential for recovery, as proving monetary damages arising from a data breach is often challenging.
If adopted, this change will empower data subjects to take control of their rights and allow them to directly enforce and claim damages from companies that have breached their data privacy rights or failed to comply with the DPL regarding processing their personal data. This will ‘put teeth’ into the law should companies fail to comply with data subject requests, and companies may face enforcement on two fronts: from individuals and from the DIFC Commissioner.
Data Sharing
The DPL includes provisions in Article 28 regarding the steps a Controller or Processor must take before disclosing personal data to a public authority. These steps include ensuring that:
- The request is valid and proportionate; and
- The requesting authority will respect the data subject’s rights under the DPL.
If the proposed amendments are adopted, Controllers and Processors (and sub-processors) wishing to disclose personal data to a public authority must, in addition to the above, ensure that affected data subjects have the right to seek legal or other forms of suitable redress in the requesting authority’s jurisdiction pursuant to Article 28. This means a data subject should be able to enforce their rights under the DPL and claim compensation from the requesting authority within its jurisdiction if that authority fails to uphold those rights.
This proposed new right to redress for data subjects indicates that disclosures of personal data may not be possible unless the requesting authority commits to honouring the data subject's rights under the DPL, and to providing the data subject with the right to seek direct redress against it. This may complicate the observance of UAE federal disclosure requests, where an individual right of redress may not be practical.
Fines
A specific fine of USD 25,000 is proposed to be introduced for the failure to submit the DIFC’s annual notification of data processing. In our experience, fines for failure to submit such notification have been minimal and not immediately applied. If this new fine is adopted, it is possible that a fixed USD 25,000 may now be applied immediately on the portal reporting an overdue notification, and companies are advised to be vigilant regarding their filing deadlines. Additionally, the fine for failure to carry out a data protection impact assessment is proposed to increase from USD 20,000 to USD 50,000, and the fine for non-compliance with Article 28 (Data Sharing) would rise from USD 10,000 to USD 50,000. The latter is likely to encourage companies to carefully apply Article 28 when dealing with a public authority disclosure request.
The amendments described above are presently at the proposal stage, and may not ultimately be brought into force. Clients concerned with any of these amendments may provide feedback to the DIFC by 25 March 2025. Feedback can be sent by writing to Jacques Visser, Chief Legal Officer, DIFC Authority, Level 14, The Gate, P.O. Box 74777, Dubai, United Arab Emirates, or by emailing consultation@difc.ae.
For further information related to this article, please contact Victoria Woods, Partner and Head of Commercial, and Diana Froyland, Senior Counsel, Commercial.