• DIFC Amends Data Protection Law Applicable To Companies in Dubai International Financial Centre - Four Key Changes You Need To Know
  • February 1, 2013
  • Law Firm: Norton Rose Canada LLP - Montreal Office
  • Amendments create new fines for administrative failures and duty to notify changes

    The Dubai International Financial Centre (DIFC) has introduced several amendments to the DIFC Data Protection Law No.1 of 2007 (Law) and the Data Protection Regulations (Regulations) that came into force on 23 December 2012.

    The updates are intended to provide greater legal certainty and bring the regulations into line with international best practices, according to the press release outlining the changes issued by the DIFC’s Commissioner of Data Protection.

    Some of the key amendments include:

    • Duty to notify changes: A new article has been introduced obliging all data controllers (i.e. any DIFC person who, alone or jointly with others, determines the purposes and means of the processing of personal data) to notify the Commissioner of changes to the registrable particulars previously notified under the Law. Failure to notify the Commissioner of changes within 14 days from the date upon which the entry becomes inaccurate or incomplete will amount to an offence for which a maximum fine of US$5,000 may be imposed.

    • Delegation of Commissioner’s powers: The Commissioner of Data Protection has new powers to delegate functions and powers where he considers it appropriate to do so. These functions may be delegated to officers and employees of the Dubai Financial Centre Authority (DIFCA) and, with DIFCA board approval, to any other person. This could be an indication that the DIFC intends to become more active in enforcing compliance with the Law.

    • Contravention and fines: The amendments introduce a schedule of maximum fines applicable to specific contraventions of the Law. The DIFC consultation document on the changes stated that the schedule has been included to assist the Commissioner in properly administering the Law and exercising his powers and functions in an effective manner. The legislation now specifies maximum fines of US$25,000 for failure to register with the Office of the Commissioner of Data Protection, US$20,000 for offences relating to transfers of personal data outside the DIFC without a permit and various other fines of between US$5,000 and US$15,000.

    • Definition of personal data: The scope of data caught by the Law originally covered any information referring to an “Identifiable Natural Person” (as defined). This has been narrowed in line with equivalent international legislation to refer only to information that:

    a. is being processed by means of equipment operating automatically in response to instructions given for that purpose;

    b. is recorded with the intention that it should be processed by means of such equipment; or

    c. is recorded as part of a Relevant Filing System (as defined) or with the intention that it should form part of a Relevant Filing System. The amendment brings greater clarity for data controllers as to the scope of the Law.

    Various other consequential and minor drafting amendments were also made to the Law and the Regulations to give effect to the above changes and clarify certain aspects of the original legislation.

    The DIFC is a financial free zone operating as an independent jurisdiction to Dubai and the rest of the United Arab Emirates. It has its own independent, English-language laws and its own court system. The UAE, in common with most other Middle East jurisdictions, does not have any specific federal laws on data protection although a number of general laws and sector-specific regulations have an impact on data processing activities.