UAE: DIFC consults on Data Protection Law amendments

The Dubai International Financial Centre (DIFC) has issued Consultation Paper No.1 concerning DIFC Law Amendment Law No. 1 of 2025 . The Consultation Paper outlines proposed amendments to DIFC legislations, specifically the Data Protection Law (DPL) as summarised below but also includes amendments to the Law of Security, Insolvency Law, and Employment Law. 

The purpose of these amendments is to enhance the legal framework within the DIFC, ensuring alignment with international standards and addressing specific issues raised by stakeholders. The Consultation Paper seeks comments on these proposed amendments and closes for comments on 26 March 2025. 

Amendments to the Data Protection Law 

The proposed amendments to the DPL are aimed at clarifying the scope of application, ensuring adequate redress mechanisms, and enhancing the rights of Data Subjects. These amendments are divided into three main areas: Article 6, Article 28, and Part 9.

Article 6: Clarification and extension of the scope of application

The amendments to Article 6(3) seek to clarify the scope of application of the DPL to ensure that DIFC Data Subjects are fully protected, aligning with international standards such as the GDPR. The key aspects of these amendments include:

• Scope of application: The DPL will apply to any Processor or Controller that engages in the processing of Personal Data in the DIFC, whether directly or indirectly through third parties. This includes entities that process Personal Data as part of stable arrangements or in relation to the offering of goods or services to individuals in the DIFC.
   
• Extra-territoriality: The amendments aim to align the extra-territorial scope of the DPL with comparable legislation in other jurisdictions. This ensures that individuals who enjoy robust privacy rights within the DIFC will not lose these rights when interacting with entities outside the DIFC.
   
• Non-DIFC Controllers and Processors: The amendments clarify that non-DIFC Controllers and Processors fall within the scope of the DPL's application when engaged in the processing of Personal Data in the DIFC through stable arrangements with third parties.

Article 28: Assessment of the availability of redress for unlawful processing by government authorities

The amendments to Article 28(2) introduce requirements for Controllers or Processors to ensure that legal or other suitable redress will be available to Data Subjects in the importing jurisdiction when sharing data with a Requesting Authority. 

This supports the Commissioner's reassessment of the adequacy referential for assessing the suitability of Third Countries for receiving Personal Data.

• Risk-based due diligence: The amendments codify the requirement for risk-based due diligence in the DPL, aligning with the Commissioner's approach to ethical data management.
   
• Redress mechanisms: The amendments ensure that Data Subjects have access to redress mechanisms in the importing jurisdiction, even when the respondent is a government authority.

Part 9: Private right of action

The proposed amendments to Part 9 of the DPL introduce a Private Right of Action (PRA) for Data Subjects to seek compensation directly through the DIFC Courts. This enhances the rights and remedies available to Data Subjects in the following ways:

• Direct judicial redress: Data Subjects can directly seek judicial redress at the DIFC Courts for alleged violations of the DPL without the need for a prior investigation or action by the Commissioner.
   
• Compensatory orders: The Courts are empowered to make compensatory orders in respect of a PRA claim, including compensation for non-financial damage such as distress.
   
• Enforcement protection: The PRA provides additional enforcement protection to Data Subjects, ensuring that businesses are sufficiently incentivized to comply with the DPL.

Public comments and next steps

The Consultation Paper seeks public comments on the proposed amendments, with a deadline of 26 March 2025. After considering public comments, the proposed legislation may be refined and enacted. 

The proposed legislation is currently in draft form and should not be acted upon until formally enacted.