DIFC Data Protection Legislation: Amendments Enacted
Dubai International Financial Centre (DIFC), the leading global financial centre in the Middle East, Africa and South Asia (MEASA) region, has enacted amendments to select legislation, primarily the Data Protection Law: DIFC Law No. 5 of 2020. Several substantial revisions have been implemented, and can be found in the DIFC Amendment Law: DIFC Law No. 1 of 2025.
Private Right of Action
One of the most notable amendments to the DIFC Data Protection Legislation is the introduction of a private right of action.
What does this mean?
This is a new statutory cause of action that allows data subjects to bring claims against a controller or processor who contravenes the DIFC Data Protection Law. The change is modelled on the equivalent rights granted to data subjects under the EU's General Data Protection Regulation (GDPR), reinforcing the DIFC’s reputation as a forward-thinking jurisdiction prioritising clarity, proportionality and alignment with international standards.
Previously, a data subject was only permitted to apply to a court for compensation after first filing a complaint with the DIFC Data Protection Commissioner. Data subjects may now apply directly to court where any contravention of the DIFC Data Protection Law results in them suffering damage, including financial or non-financial loss.
Scope of Application
Revisions to Article 6(3) of the DIFC Data Protection Law provide greater clarity on its extra-territorial scope and application, specifying that the Law now applies to:
- controllers or processors incorporated in the DIFC, regardless of where they process personal data.
- the processing of personal data in the DIFC (including any transfers outside the DIFC) by any controller, processor (or any of their sub-processors), even if not incorporated in the DIFC, as part of stable arrangements.
These changes codify the Commissioner’s interpretation and prior guidance on the scope of the DIFC Data Protection Law, as well as explicitly identifying that a controller or processor's sub-processors may also be subject to the DIFC Data Protection Law.
Additionally, Article 6(3)(c), which previously defined processing as occurring ‘in the DIFC’ if the means or personnel for such processing were physically located in the financial centre, has been removed. This targeted amendment demonstrates the DIFC’s responsiveness to evolving business models, potentially paving the way for a more nuanced interpretation of what constitutes processing ‘in the DIFC’.
Obligations when Sharing Data with Public Authorities
Article 28 addresses a Controller’s or Processor’s obligations regarding accountability, transparency and compliance with the general data protection principles governing transfers out of the DIFC. Where a Controller or Processor receives a request from any public authority for the disclosure and transfer of any Personal Data, it should:
- exercise reasonable caution and diligence to determine the validity and proportionality of the request
- ensure that any disclosure of Personal Data is made solely for the purpose of meeting the objectives identified in the request from the Requesting Authority
- assess the impact of the proposed transfer in light of the potential risks to the rights of any affected Data Subject and, where appropriate, implement measures to minimise such risks
Measures to minimise such risks may include:
- redacting or minimising the Personal Data transferred to the extent possible
- utilising appropriate technical or other measures to safeguard the transfer
Overall, Personal Data may be transferred to the Requesting Authority where reasonable steps have been taken to establish that the request is valid and proportionate, and that the Requesting Authority will respect the rights of affected Data Subjects under the Law in its Processing of any Personal Data transferred to it by the Controller.
Furthermore, any affected Data Subject has the right to seek legal or other suitable forms of redress in the Requesting Authority’s jurisdiction for the purposes of Article 28.
Newly Increased Financial Penalties
- A failure to complete, and submit to the Commissioner, the annual assessment of whether a controller is required to appoint a Data Protection Officer is now identified as a breach and can attract a fine of up to USD 25,000.
- The maximum fine for failing to undertake a data protection impact assessment prior to undertaking high-risk processing activities has been raised from USD 20,000 to USD 50,000.
- The maximum fine for failing to comply with the obligations in relation to the disclosure or transfer of personal data to a public authority under Article 28 has been raised from USD 10,000 to USD 50,000.
Looking Forward
Entities operating in the UAE are urged to conduct a thorough review of their data collection and processing practices to determine whether their operations are compliant with the DIFC Data Protection Law. It is imperative to ensure that all data handling practices are fully aligned with its requirements, particularly in light of the heightened financial penalties for non-compliance and the additional avenue of potential liability introduced by the data subject’s direct right of action against controllers and processors.
This blog is for informational purposes only and does not constitute legal or regulatory advice. The information provided has been compiled from publicly available sources, and while we have made every effort to ensure its accuracy and relevance at the time of publication, we do not guarantee its completeness or applicability to specific situations. Readers are encouraged to seek independent professional advice before making any decisions based on the content herein.