DIFC enacts amendments to Data Protection Law

Written By

Charles Christie

Associate
United Arab Emirates

I am an associate at our Dubai office, where I assist clients with commercial, technology, and data-related issues across the Middle East, with a primary focus on the UAE and Saudi Arabia.

In March 2025, we published a summary of the proposed amendments to the DIFC Data Protection Law, highlighting the DIFC’s intention to sharpen regulatory enforcement, expand its jurisdictional scope, and strengthen individual rights. With the amendments now finalised and in force as of 15 July 2025 (via Amendment Law No. 1 of 2025 (the “Amendments”)), businesses operating in or engaging with the DIFC should take stock of the key changes and take practical steps to ensure ongoing compliance.


What’s Changed?

The final version of the Amendments reflects many of the proposals first consulted on earlier this year. The most significant updates include:

  1. Private Right of Action: Introduces a private right of action for data subjects in the DIFC Courts, enhancing the rights and remedies available to data subjects.
  2. Scope Update: The Amendments broaden the application of the Data Protection Law to encompass all data processing within the DIFC, regardless of whether the controllers, processors, or sub-processors are incorporated in the region.
  3. Liability Clarification: Defines liability for controllers and processors, including both financial and non-financial damages. This means controllers and processors must demonstrate that they are not responsible for any incidents leading to such damages.
  4. Adequacy Assessment: Controllers and processors must now carry out a documented assessment of whether data subjects will benefit from adequate legal protections and effective remedies in the recipient jurisdiction when transferring data outside the DIFC. The Commissioner also has the power to review and withdraw adequacy decisions, adding a further layer of regulatory oversight to international data transfers.
  5. Increased Administrative Fines: The updated regulations introduce specific, higher-tier administrative fines for key compliance failures, such as failure to notify the Commissioner of processing activities or to carry out mandatory data protection impact assessments. Fines now range from USD 25,000 to USD 50,000 depending on the nature of the violation, with scope for further enforcement action where necessary.


Key takeaways

These amendments are particularly significant for businesses operating within the DIFC, as compliance with the revised regulations is essential to avoid potential penalties and maintain consumer trust. In particular, it will be important for businesses that had previously concluded they fell outside the scope of the DIFC Data Protection Law due to a lack of physical presence to reassess their position in light of the clarified extraterritorial provisions.

The introduction of a private right of action will also require careful review of internal complaints handling, incident response procedures, and the robustness of privacy notices and consent mechanisms. As individuals gain the right to seek redress directly from the Courts, the potential financial and reputational consequences of non-compliance have increased.

From a data transfer perspective, clients will need to revisit their cross-border transfer arrangements, particularly where transfers are made based on adequacy assumptions or standard contractual clauses. New documentation and risk assessments may be required to ensure that data subjects have appropriate remedies in recipient jurisdictions.

The DIFC's commitment to data protection not only strengthens its position as a leading financial hub but also fosters a secure environment for innovation and growth in the region.


What Should You Do Now?

Organisations engaging with the DIFC should act quickly to:

  • Reassess whether any group entities or affiliates fall within the newly expanded scope of the law.
  • Review and update international data transfer arrangements, including conducting recipient jurisdiction assessments where required.
  • Ensure data protection impact assessments are being carried out for high-risk processing activities and retained as part of a defensible compliance file.
  • Review and amend privacy policies, data subject rights procedures, and complaints handling frameworks in light of the new private right of action.
  • Verify that appropriate notifications to the DIFC Commissioner have been made and are kept up to date, particularly in relation to high-risk processing or cross-border transfers.

For further details, the amended Data Protection Law can be accessed here. The Arabic press release can be accessed here. For any further information on this topic, please contact Nick O’Connell, Nona Keyhani or Charlie Christie.
