By Sharvari Alape
The DIFC Data Protection Law No. 1 of 2007 is due to be modified soon with the new proposed Data Protection Law [2019] draft being circulated for consultation.
The GDPR’s replica effect globally has led many state institutions to review their data protection laws. Various jurisdictions in the region are re-evaluating their data laws based on Europeans models. The DIFC is the latest such state institution to imbibe certain necessary changes in its Data Protection Law.
“Public awareness about data privacy is quite low as it is still deemed to be a new concept in the region,” said Gordon Wade, Data Privacy and Protection Lawyer at PwC Legal Middle East LLP in an interview with Communicate. The DIFC Data Protection Law only applies to businesses in and from DIFC, some of which are international companies operating in the Dubai zone. Hence, businesses operating from outside DIFC remain unaffected by it.
There are no federal laws in the UAE that address data protection. However, the country could see a new law in place within the next 12 months to tackle this issue, Wade opines. A mature draft that is heavily based on the GDPR is now going through government channels. The new laws are attempting to initiate minimal data collection.
Lori Baker CIPP/E, Vice President, Legal & Director of Data Protection at Dubai International Financial Centre (DIFC) said that within the DIFC law, a few revisions have been made to improve data subjects’ rights to access and control their own personal data.The amended law is likely to clarify the obligations of not only data controllers but also data processors in handling personal data with a higher level of accountability. “The proposed new law is forward thinking in terms of emerging technology,” she added.
Wade adds that while there are no significant changes being made, the new proposed law provides a much-needed update in the emerging world of new technology and substantial use of data. “It is a message of collaboration,” he said.
It [the law] gives heightened rights and controls to individuals on how the information is collected, used and processed, “and ensures stricter controls for companies to be more accountable and transparent as to what they do with it,” Wade told Communicate.
While the law has certain provisions influenced by the GDPR requirements, as well as the California Consumer Privacy Act (CCPA), Wade clarifies, “this law is not a copy and paste of GDPR.” He adds, “It is modernizing the previous law by bringing DIFC into the modern data protection world and rectifying unnecessary collection of data. It is an evolution, not a revolution.”
As it is an updated version of the previous existing law, when brought into effect, the law of 2019 won’t cause any major overhaul for businesses in the DIFC. If companies already follow a basic protocol of their privacy program, it will be a smooth transition, Wade confirms.
Regarding penalties, the law does not state any limits on the fines; it will be decided by the commission according to each violation. Citing this practice, Wade added that rather than focusing on penalties, the intention is to “guide, collaborate, assist, and educate DIFC businesses on their journey to incorporating the privacy program.”