Out-Law Analysis
29 Jun 2020, 6:24 am
The new Data Protection Law, DIFC No. 5 of 2020 (the DP Law), comes into force on 1 July 2020 and replaces DIFC Law No.1 of 2007. Businesses subject to the legislation have until 1 October 2020 to bring their organisations into compliance with the new requirements, which include expanded rules on the processing of personal data, new rights for data subjects, and notification of data breaches.
The new DP Law has been aligned with data protection regimes elsewhere in the world, including the GDPR in the EU and the California Consumer Privacy Act. It is to be hoped that the adoption of international data privacy concepts will lead authorities in other territories to recognise the DIFC as providing sufficient regulatory protection for personal data to allow transfers of that data in and out of the DIFC with relative ease.
The DIFC commissioner of data protection (the commissioner) has published a number of guides to assist firms with their implementation of the new requirements. These are not binding and do not have the force of law, but instead are indicative of the approach the commissioner will take to enforcement. Supporting regulations have still to be published.
This update picks up on some of the new developments in the data protection regime in the DIFC and highlights the need for businesses to become aware of their new compliance requirements as soon as possible in order to give ample time to prepare for the 1 October 2020 deadline.
The DP Law applies to:
In this context, "in the DIFC" means when the personnel used to conduct the processing or the means of doing so are physically located in the DIFC.
This means that payroll providers, cloud software providers and other suppliers will need to be aware of their obligations under the DP Law. Non-compliance could lead to the enforcement of fines, and damages imposed by the DIFC courts may be sought through the UAE court system.
The commissioner has the power to issue fines for contraventions of the DP Law which may be enforced through the courts if businesses fail to pay. In addition, a data subject may apply to the court for compensation if they suffer damage as a result of a breach of the DP Law.
The maximum fines that can be imposed have increased under the new DP Law.
For example, failure to:
In addition, the new DP Law expands the range of offences for which fines can be issued. Fines of up to $100,000 can be imposed for failure to comply with the following:
The commissioner also has the power to inspect and audit businesses subject to the DP Law to verify compliance.
Personal data is any information referring to an identified or identifiable natural person.
"Identified or identifiable" means identified or identifiable, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to an individual's biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.
The references to "location data" and "online identifier" in the definition are new and similar to wording in the EU GDPR. Online identifiers can include IP addresses or cookie identifiers. Not all location data will be considered personal data for the purposes of the DP Law; it will depend on the context. However, the broader definition of personal data is likely to capture data not previously considered to be subject to the DIFC's data privacy regime.
The DP Law largely mirrors the rights granted to data subjects in the EU GDPR. Data subjects have various rights including the right to request copies of their personal data at any time, the right to rectify data and the right to withdraw consent and request erasure of their personal data.
One of the criticisms of the EU GDPR is that it fails to adequately allow for new emerging blockchain technologies where personal data is stored indefinitely and cannot be managed in the way modern data protection laws require. The DP Law seeks to remedy this by introducing an exemption from the right to rectify and erase personal data if the data controller discloses certain information to the data subject, including that such personal data will be processed in a way that prevents the data subject from exercising such rights.
The DP Law also introduces a new right for data subjects not to suffer discrimination as a result of the exercise of their rights. This concept is derived from the recently enacted California Consumer Privacy Act and it will be interesting to see how this concept develops in practice. If a customer refuses to allow a business to retain their personal data, under the DP Law that business is required to provide the customer with the same quality of goods or services as other customers.
A business conducting "high risk processing activities" has additional compliance requirements under the new DP Law, including an obligation to appoint a data protection officer (DPO). DPOs are responsible for monitoring compliance with the DP Law and other applicable privacy laws, acting as a contact point for the commissioner, and overseeing all data protection impact assessments the business undertakes. The contact details of the DPO must be given to data subjects when collecting their personal data.
A DPO is permitted to hold other roles or titles within the business provided those additional tasks and duties do not result in a conflict of interest or otherwise prevent the proper performance of the DPO role. The role of DPO can also be outsourced to an external party provided they have access to all relevant resources.
Generally, the DP Law requires the DPO to be resident in the UAE. However, if the person is an individual employed by a group of members and performs a similar function for the group on an international basis elsewhere, the residency requirement does not apply. In such cases, the DPO must be easily accessible to each member in the group.
The DPO is required to complete an annual assessment and submit that assessment to the commissioner. This is not intended to be an onerous obligation and will be integrated into existing DIFC compliance and reporting cycles.
The definition of 'high risk processing activities' pools together certain types of processing activity and includes:
The commissioner has published comprehensive guidance and a list of activities that are considered to be 'high risk processing activities'. Although this guidance is comprehensive, it will often be a judgment call as to whether certain activities fall within the definition. Businesses should regularly assess whether their processing activities would be considered 'high risk' and stay on top of any updates issued by the commissioner.
Failure to appoint a DPO when required or requested to do so may result in a fine of up to $50,000.
Under the DP Law, businesses are required to notify certain personal data breaches to the commissioner and sometimes to data subjects too.
A "personal data breach" is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In cases where a personal data breach compromises a data subject's right to security or confidentiality, then expeditious notifications are required.
Examples of personal data breaches could include the infiltration of an IT system by a virus or third parties, an employee leaking information to third parties, incorrect use of email, or where laptops or devices are stolen or lost. This is a much wider definition than the previous DIFC data privacy regime which merely required notifications to the commissioner in the event of an "unauthorised intrusion" to a personal data "database".
The new DP Law does not include any 'de minimis' threshold below which a report need not be made, so a strict technical interpretation of the requirements suggests that any breach, however small, would trigger a notification requirement to the commissioner. In this respect the data breach notification obligations are different from those set out in the GDPR.
Any business that processes information on behalf of a "controller" – this being any person who determines the purposes and means of processing personal data – must notify the controller of the personal data breach "without undue delay". A controller must notify the commissioner of the breach "as soon as reasonably practicable". Failure to so notify may result in a fine of up to $50,000 on either or both of the controller and processor.
As well as including details of the number of data subjects affected and the likely consequences of the data breach, the controller's notification to the commissioner must also include details of measures taken or proposed to be taken to mitigate the adverse effects of the personal data breach. While businesses will be expected to make an initial notification of their breach to the commissioner, the DP Law provides leeway for businesses to report further details of the breach in stages thereafter as more information becomes available.
A new requirement to notify data subjects has also been introduced in line with the requirements in the GDPR. Notification is required if the breach is "likely to result in high risk to the security or rights" of the data subject. A controller must make such notification as soon as practicable. However, if there is an "immediate risk of danger", such notification must be made promptly.
The DP Law also contains a derogation which means that where a notification to an affected data subject could involve a disproportionate effort, a public communication or similar measure will be sufficient to satisfy the new provisions.
Failure to notify in accordance with these requirements can result in a fine of up to $50,000. A data subject can also apply to the court for compensation or damages where they have suffered loss as a result of the failure to notify.
Where services involving the processing of personal data are provided by other parties, contracts must contain much more robust contractual provisions. If the service provider appoints another company to carry out such services, then they must obtain the consent of the controller and the sub-contract must also contain similar robust contractual provisions.
Such contractual provisions must include commitments to:
Provision is made in the DP Law for the commissioner to publish standard contractual provisions for businesses to use in their contracts.
Failure to ensure that such contracts are in place with all relevant processors of personal data may result in a fine of up to $25,000.
Responsibility for meeting the new requirements of the DP Law cannot be left solely to legal and compliance teams. Instead, compliance with data privacy obligations requires everyone in an organisation to understand their role and responsibility to keep data safe and secure.
There are a number of actions businesses should consider between now and 1 October 2020 to ensure they are prepared for and compliant with the new DP Law:
Additional contributions from Charlotte Holden of Pinsent Masons.