Dubai adopts new data protection law

The updated law, the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020, adopted yesterday, applies to the financial hub only.

The new law will come into effect from 1 July 2020. In light of the current global pandemic, businesses to which it applies will have a grace period of three months, until 1 October 2020.

It was thought that the existing law from 2007 needed updating in light of the EU GDPR and other international data protection legislative developments. Dubai is seeking EU adequacy for data flows, and the adoption of California’s Consumer Privacy Act also played a part, the Dubai International Financial Centre says.

New additions to the law include a requirement to appoint data protection officers, where necessary, and conducting Data Protection Impact Assessments. The new law also removes the permit system for cross-border data transfers and processing of sensitive data, while maintaining other bases for transfers.

See an analysis on the draft law in PL&B International Report, April 2020.