DIFC sets out AI requirements in updated data protection regulations

DIFC companies should understand what systems they have in place to be able to adhere to these new requirements according to Alexandra Bertz and Martin Hayward, data protection experts at Pinsent Masons.

The DIFC has now finalised amendments to its existing data protection regulations, which came into force on 1 September, with newly added AI provisions being some of the most significant changes. DIFC companies must now ensure that their AI systems are designed in accordance with principles of ethicality, fairness, transparency, security and accountability; comply with applicable audit and certification requirements; be well-documented; and only process personal data for human-defined or approved purposes.

In the final version of the AI provisions, new sections have been inserted to provide definitions for key words such as ‘system’, ‘deployer’, ‘operator’ and ‘provider’.

The updated regulations require deployers and operators of AI systems used for processing personal data to take certain actions, including providing data subjects with a clear and explicit notice in accordance with the updated regulations that covers the potential impact of the use of the AI system on their rights. The updated regulations also specifically limit the use of AI systems for ‘high risk’ processing activities.

Martin Hayward of Pinsent Masons said: “Data subjects can now submit privacy complaints challenging the outcome of the processing of their personal data by AI systems. Businesses using AI systems need to ensure that these are designed in accordance with the regulations”.

The regulations introduce other noteworthy updates, including a new power for the DIFC Data Protection Commissioner to investigate unfair or deceptive privacy practices which include misleading privacy notices or inaccurate statements of compliance to particular privacy standards or codes. The updated regulations also focus on the penalties for failing to submit annual assessments and to comply with inspection notices, and the likelihood of fines where data breaches are not properly notified.

The updated regulations have introduced the new concept of a “temporary custodian” of “inadvertently obtained information”, with detailed provisions on how such information should be managed and the role and responsibilities of the temporary custodian. In addition, the updated regulations include an important waiver of the ‘records of processing activities’ requirements for companies with less than 50 persons – unless the company engages in high risk processing activities – and updated details on managing digital communication consents. They also include an updated and expanded list of ‘adequate jurisdictions’ – approved by the Data Protection Commissioner for cross-border personal data transfers – in Appendix 3. 

“The ‘less than 50 persons’ waiver will be particularly important to a large number of DIFC companies,” said Alexandra Bertz.