The new DIFC data protection law (the ‘New Law’) came into force on 1 July, 2020 but will be applicable to businesses with effect from 1 October, 2020. In essence, the New Law provides a three-month transition period to businesses to offer compliance. DIFC has also published its supporting Data Protection Regulations under the New Law (‘Regulations’) which came into force alongside the New Law. Separately, non-binding guidance on the New Law (‘Guide’) has also been released in an attempt to facilitate compliance amongst stakeholders. The New Law is closely aligned with the approach taken by the EU General Data Protection Regulation (‘GDPR’).
Applicability and Scope
The scope of the DIFC’s data protection regime has expanded under the New Law. The prior DIFC data protection law, which had been in place since 2007 (the ‘Old Law’), was applicable to Controllers registered within the jurisdiction of the DIFC. In contrast, the New Law applies not only to Controllers incorporated within the jurisdiction of DIFC (whether or not processing takes place in DIFC) but also as applying to Controllers and Processors (regardless of their place of incorporation, whether elsewhere in the UAE or abroad) that process personal data in the DIFC as a part of stable arrangements other than on an occasional basis.
The question then arises as to whether the New Law and the Regulations are applicable to remote processing service providers. In this respect, the Guide elaborates that non-DIFC entities are not necessarily required to register with or notify operations to the Commissioner other than by way of the relationship with the DIFC-based relevant entity, nor are they required to complete other administrative tasks. However, they may be subject to fines, warnings or public reprimand by way of such relationships or arrangements, either directly or indirectly. According to the New Law, Processing ‘in the DIFC’ occurs when the means or personnel used to conduct the processing activity are physically located in the DIFC.
Basics and processing of consent
The New Law expands the scope of Processing activities in comparison to the Old Law and generally incorporates the principles for Processing of Personal Data as set out in the GDPR (i.e. lawfulness, fairness and transparency, data minimisation, accuracy, storage limitation and integrity/security). The conditions for lawful basis for Processing Personal Data as stipulated in the New Law are also largely based on the GDPR.
In comparison to the Old Law, there is greater emphasis on the conditions of a Data Subject’s consent. When needed, such consent must be freely given by a clear affirmative action which shows an unambiguous indication of consent. Where Processing is based on consent, the Controller should implement appropriate and proportionate measures to assess the ongoing validity of the consent. In the context of an employee-employer relationship, it may be hard for the employer to establish that consent was freely given. In the Commissioner’s opinion, consent is therefore unlikely to be a good basis for employers to rely on and may be subject to challenge. Employers should consider other lawful bases for processing employee Personal Data.
Special Categories of Personal Data
Special Categories of Personal Data (previously referred to in the Old Law as Sensitive Personal Data) includes ‘Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person’. Such data must not be processed unless one of the conditions set out in the New Law exists (in addition to the general requirements for Processing and lawfulness).
In this respect, most notably (and in comparison to the Old Law), the New Law grants specific rights to the Controller to process Special Categories of Personal Data for Data Subjects’ employment purposes including recruitment, visa or work permit processing, the performance of an employment contract and termination of employment. Such processing rights are also available to Controllers in a healthcare context.
Legitimate interests
In comparison to the Old Law, the New Law provides clarity on what constitutes ‘legitimate interests’ for purposes of Processing. For example, transfer of Personal Data by Controllers within their organisational group for internal administrative purposes is considered a legitimate interest. Controllers also have a legitimate interest in Processing Personal Data if it is necessary and proportionate to prevent fraud or ensure network and information security.
Data Controllers and Processors
The New Law places compliance obligations directly on the Processors as well as the Controllers. For example, Processors are required to notify the Controller in cases where processing activity infringes the New Law. Failure to do makes the Processor liable to penalties. In addition to such obligations, Controllers and Processors must enter into a legally binding written agreement governing any processing activities.
Data Controllers and Processors are required to maintain a written electronic record of their processing activities. The types of information required to be included in such records largely mirror the records requirements contained in the GDPR and include (among others) the name and contact details of the Controller or Processor, the purposes of processing, descriptions of data, data subjects and recipient categories.
Data Protection Officers
Another key new feature of the New Law which previously remained unaddressed is the introduction of the GDPR concepts of the Data Protection Officer (‘DPO’) and Data Protection Impact Assessments (‘DPIA’). Controllers and Processors systematically or regularly engaged in High Risk Processing Activities must appoint a DPO. The definition of High Risk Processing Activities includes:
The Guidance issued by the Commissioner provides useful insights on the parameters of High Risk Processing Activities, most notably where processing involves a considerable amount of Personal Data and the risk to Data Subjects is high. The Commissioner refrains from setting any specific quantitative thresholds in respect of what constitutes a ‘considerable amount’ of Personal Data but gives specific instances of that may qualify.
Another interesting feature of the New Law is that where a DPO is appointed, the DPO must reside in the United Arab Emirates unless he or she is an individual employed within an organisation’s group and performs a similar function for the entire group on an international basis. The DPO is required to act independently and report directly to senior management.
Data Subjects’ rights
The New Law appears to have greatly expanded the scope of Data Subjects’ rights in order to achieve greater consistency with the GDPR. Accordingly, the New Law grants Data Subjects a full set of rights in respect of:
The anti- discrimination right is an additional right from the California Consumer Privacy Act, which states that the Controller may not discriminate against a Data Subject who exercises any rights under the New Law including: (i) denying any goods or services; (ii) charging different prices or rates, including through the use of discounts or other benefits or imposing penalties; (iii) providing a less favourable level or quality of goods or services; or (iv) suggesting any of the above to the data subject.
Transferring data outside the DIFC
The requirements, in respect of transferring Personal Data outside of the DIFC are generally based on the GDPR’s data export requirements. The Commissioner is empowered to determine which jurisdictions outside the DIFC implement adequate levels of protection, and a list of adequate jurisdictions has been published in the Regulations.
Similar to the GDPR, where personal data is being transferred to jurisdictions which do not provide adequate levels of protection one of the following conditions must be met:
The Commissioner has approved and published standard contractual clauses that may be used for transfers to non-adequate jurisdictions outside the DIFC.
Further, a key new feature of the transfer regime under the New Law is the introduction of ‘binding corporate rules’ to facilitate the transfer of Personal Data between members of a corporate group. A Controller or Processor can only rely upon such rules if the Commissioner has approved them and if they are only used for transfers inside the Controller or Processor’s corporate group.
Breach notifications
Controllers are required to report Personal Data Breaches which compromise the Data Subject’s security, confidentiality or privacy to the Commissioner. Such notification must be made to the Commissioner as soon as practicable in the circumstances. Processors should notify the relevant Controller without undue delay after becoming aware of Personal Data breach. In certain circumstances, notification must also be provided to the affected Data Subjects.
Fines and disputes
Failure to comply with a direction by the Commissioner or a violation of the New Law may result in the imposition of fines ranging from USD 10,000 to USD 100,000 (depending on the nature of the contravention). The heaviest administrative fines relate to contraventions in respect of the rights of Data Subjects. The Commissioner may also issue a general fine for a violation of the New Law in an appropriate and proportionate amount, taking into account the seriousness of the contravention and the risk of actual harm to any relevant Data Subjects. Data Subjects are entitled to compensation for any damages suffered arising out of a violation of the New Law by. The New Law also grants Controllers and Processors the right to appeal any decision or direction of the Commissioner with the DIFC courts.
Conclusion
The New Law also contains certain other provisions such as data sharing with authorities, codes of conduct, cessation of processing and certification schemes.
In order to ensure compliance by 1 October 2020, Controllers and Processors should start reviewing their processing activities including, in particular, transfer mechanisms to jurisdictions outside the DIFC, considering whether or not a DPO is required to be appointed as per the New Law, ensuring compliance with requirements for High Risk Processing Activities, and ensuring their privacy notices provide a complete list of Data Subject rights and fulfil the consent and other requirements set out under the New Law.