On 1 June 2020, the long-awaited Dubai International Financial Centre Data Protection Law No. 5 of 2020 was enacted (the “DIFC Law”), effectively repealing and replacing Data Protection Law No. 1 of 2007 and all related Regulations made under that law (the “Previous Law”). The DIFC Law will be effective on 1 July 2020, and businesses to which it applies will have a grace period of three months, until 1 October 2020, to comply with it before it becomes enforceable.
The influence of the GDPR on the DIFC Law is clear even from a quick flick through the legislation, though the DIFC Law is not a carbon copy of the GDPR. Keep reading for a high-level comparison of the two laws on key topics.
1. Key definitions
The DIFC Law uses very similar terms to the GDPR (e.g. ‘personal data’, ‘data subject’, ‘processing’, ‘controller’ and ‘processor’) and gives them similar definitions.
The definition of ‘special categories of personal data’ is clearly influenced by the GDPR definition of the same term. However, there are a couple of data categories included in the definition that do not appear in the GDPR definition – namely “communal origin” and “criminal records”.
2. Scope of the law
The DIFC Law applies to controllers and processors incorporated in the DIFC (regardless of whether the processing takes place in the DIFC or not) and to controllers and processors, regardless of their place of incorporation, that process personal data in the DIFC as part of stable arrangements, other than on an occasional basis.
The GDPR applies to controllers and processors which have EU “establishments” where personal data are processed “in the context of the activities” of such an establishment. If this test is met, the GDPR applies irrespective of whether the actual data processing takes place in the EU or not. “Establishment” was considered by the Court of Justice of the European Union in the 2015 case of Weltimmo v NAIH (C-230/14), which confirmed that an organisation may be “established” where it exercises “any real and effective activity – even a minimal one” – through “stable arrangements” in the EU. The DIFC Law appears to be influenced by the findings in this case.
The GDPR also applies to controllers and processors where they process personal data about EU data subjects in connection with the “offering of goods or services” or the “monitoring” of their behaviour within the EU. This extends the GDPR to controllers and processors that do not have any “establishment” in the EU. The DIFC Law does not have provisions equivalent to this.
3. General requirements for processing of personal data
The DIFC Law contains general requirements regarding lawfulness, fairness and transparency, purpose limitation, data minimisation, data quality, retention and security that are similar to the principles set out in Article 5(1) GDPR.
Though the application of the retention principle under the DIFC Law appears less stringent than under the GDPR, the DIFC Law contains a specific provision regarding the ‘cessation of processing’ that requires controllers to ensure that personal data is securely and permanently deleted, anonymised, pseudonymised or securely encrypted where the basis for processing changes or ceases to exist, or where a controller is required to cease processing due to the exercise of a data subject’s rights. Under the GDPR, pseudonymisation or encryption of personal data after the processing is no longer necessary would not be sufficient to satisfy the retention principle.
4. Lawfulness of processing
Similar to Article 6 GDPR, the DIFC Law requires a lawful basis for the processing of personal data. The lawful bases strongly resemble those under Article 6 GDPR, but they are not identical. For example, the GDPR’s consent requirements (including that consent is actively given, clearly distinguishable from other matters, in clear and plain language, as easily revoked as given and able to be demonstrated by the controller) are also requirements for consent under the DIFC Law, but the DIFC Law goes further than what the GDPR expressly requires. For example, under the DIFC Law:
(i) except in limited circumstances, the controller must implement appropriate and proportionate measures to assess the ongoing validity of consent; and
(ii) where such assessment concludes that a data subject would no longer reasonably expect the processing to be continuing, the data subject must be contacted without delay and asked to re-affirm consent.
The lawful bases for processing special categories of personal data under the DIFC Law are clearly based on Article 9 of the GDPR. There is somewhat more flexibility here than under GDPR: for example, special category data can be processed where this is necessary to protect people from bias and to protect against malpractice of those engaged in financial or professional services. In addition, special category data can be processed where required by applicable law and where processing meets a "Substantial Public Interest" threshold.
5. Accountability and data governance
Both laws contain provisions regarding accountability. Under the DIFC Law, controllers and processors are required to establish a programme to demonstrate compliance with the DIFC Law, maintain a data protection policy and implement appropriate technical and organisational measures to demonstrate that processing is performed in accordance with the law. Under the GDPR, controllers and processors are subject to a general obligation to be able to “demonstrate compliance” with the GDPR.
The DIFC Law contains similar provisions to Article 30(1) GDPR in relation to the records of processing that must be maintained by the controller. There is a divergence in relation to the records of processing that must be maintained by processors – the DIFC Law appears to require more information to be maintained by processors than the GDPR does. A processor under the DIFC Law is required to maintain a written record of all categories of processing activities carried out on behalf of a controller, containing the same information fields as specified under the controller’s record of processing requirements. There is a slightly more limited list of information fields for processors under the GDPR (which, unlike the DIFC Law, does not include, for example, the categories of recipients and, where possible, the time limits for erasure).
GDPR-like concepts of ‘data protection impact assessments’ for high risk processing, prior consultation and privacy by design and default are broadly reflected in the DIFC Law.
Like the GDPR, the DIFC Law contains requirements for the designation and tasks of a data protection officer (“DPO”). There are, however, some key differences under the DIFC Law, for example:
(i) if a controller or processor is not required to appoint a DPO, it must still clearly allocate responsibility for oversight and compliance with respect to data protection duties and obligations and provide details to the Commissioner (i.e. the person appointed, pursuant to the DIFC Law, to monitor, ensure and enforce compliance with the DIFC Law);
(ii) a controller or processor could be required to appoint a DPO by the Commissioner; and
(iii) DPOs are required to undertake an assessment of the controller’s processing activities, at least annually (including reporting on current and upcoming high risk processing activities), and submit this to the Commissioner; and
(iv) a DPO must reside in the UAE, unless s/he is employed within an organisation’s group (like a subsidiary of a holding company) and performs a similar function within that organisation on an international basis. There are no similar restrictions on the residency of the DPO in the GDPR.
6. Transparency and individual rights
The DIFC Law’s provisions on transparency closely resemble Articles 13 and 14 GDPR.
The data subject rights in the DIFC Law are similar to the rights under the GDPR – they include the right to withdraw consent, right to access, rectification and erasure of personal data, right to object to processing, right to restriction of processing, right to data portability and the right to object to automated individual decision-making including profiling.
Whilst the GDPR requires such rights to be provided free of charge (except in very limited circumstances), under the DIFC Law only the rights to access, rectification and erasure are required to be free of charge, and where the controller maintains a website, at least one method of contact must be available without charge via the website.
Another notable difference is the DIFC Law’s prohibition of discrimination against a data subject who exercises their rights (e.g. by denying goods or services, charging different prices for goods and services or decreasing the quality of goods and services). The GDPR does not have provisions equivalent to this.
7. Arrangements between joint controllers and controllers and processors
The DIFC Law adopts the GDPR concept of ‘joint controllers’, and the requirements imposed on such controllers are similar to Article 26 GDPR – i.e. controllers that jointly determine the purposes and means of processing must agree how responsibility for compliance with the law is allocated between them, and information regarding the arrangement must be provided to data subjects.
The DIFC Law has largely lifted the controller-processor contract requirements from Article 28 GDPR.
8. Breach notification
The definition of a ‘personal data breach’ in the DIFC Law is the same as the definition in the GDPR. There is also a mandatory regulatory notification obligation, but the trigger and timing of the notification are different from the obligation under the GDPR. Under the DIFC Law, a controller is required to notify a personal data breach that compromises a data subject’s confidentiality, security or privacy as soon as practicable in the circumstances (as opposed to the GDPR obligation to notify a qualifying personal data breach without undue delay and, where feasible, no later than 72 hours after having become aware of it). The information that must be provided in the notification and the requirement to maintain a breach log are similar to what is required by Article 33(3)–(5) GDPR.
The obligation to notify affected data subjects in the DIFC Law is similar to the obligation under Article 34 GDPR.
9. Administrative fines
Both laws apply different maximum administrative fines depending on which particular provision of the law has been contravened. However, unlike the GDPR, the DIFC Law does not make any reference to percentages of worldwide turnover. Rather, it sets out a list of maximum fines (which is “not exhaustive and may be updated from time to time”) that range from USD 20,000 to USD 100,000. The Commissioner may also issue a general fine for a contravention of the DIFC Law by a controller or processor. The amount of the fine is left to the discretion of the Commissioner, who shall take into consideration the seriousness of the contravention and the risk of actual harm to any relevant data subject when issuing it.
Like the GDPR, the DIFC Law contains provisions allowing data subjects to make compensation claims in relation to contraventions of the data protection law. Under the DIFC Law, court proceedings can be initiated by the Commissioner as well as by data subjects.
There is a provision similar to Article 82(5) of the GDPR which imposes joint and several liability for the entire damage where more than one controller or processor is involved in the same processing and where they are responsible for any damage caused by the processing. However, the DIFC Law does not include an equivalent to Article 82(6) of the GDPR, which provides that a controller or processor held to be fully liable in such circumstances is entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of the responsibility for the damage. As a result, well-drafted contracts between organisations which are working together to process personal data will be particularly important.