Dubai International Financial Centre (DIFC), a financial free zone in the United Arab Emirates, has enacted a new data protection law, DIFC Law No. 5 of 2020 (the 2020 Law), replacing the earlier data protection law, DIFC Law No. 1 of 2007 (the 2007 Law). The 2020 Law was enacted on June 1, 2020 and comes into force on July 1, 2020. However, data processors and data controllers have been given until October 1, 2020 to ensure the necessary compliance.
The 2020 Law is similar to the General Data Protection Regulation (GDPR) of the European Union, enacted in 2016. Like the GDPR, the 2020 Law grants data subjects rights such as the right to erasure and the right to data portability. The right to non-discrimination ensures that data subjects are not discriminated against for exercising their rights under the 2020 Law, whether by being denied a product or service or by being subjected to price differentiation. However, the 2020 Law addresses one additional situation: where, for technical reasons, it is not possible to erase the data. In such a case, the data controller will be deemed to have complied with the 2020 Law if: (a) the data was collected from the data subject; and (b) the data subject was explicitly informed of the processing of the data and that erasure of the data may not be feasible.
This relaxation granted to the data controller is welcome, as companies that provide services built on blockchain technology may have no feasible means of altering the data. Therefore, as per Article 33(4) of the 2020 Law, an irrevocable consent can be obtained from users who choose not to exercise their statutory rights.
Article 12 of the 2020 Law requires that the consent of the data subject be freely given, and that the process for revoking consent be just as simple and be explicitly stated. Such consent cannot be conditional, since a conditional consent cannot be said to be freely given. Further, where the data is not processed for a single discrete purpose, the ongoing validity of such consent must be re-affirmed with the data subject.
Similar to the GDPR, the 2020 Law requires the appointment of a data protection officer (DPO) by DIFC bodies and by controllers and processors performing high-risk processing activities. Further, the 2007 Law did not contain any accountability clause; the 2020 Law, under Article 14(1), specifically states that processors and controllers must be able to demonstrate compliance with the law.
The data controller is required to notify the Commissioner where the confidentiality, security or privacy of a data subject is compromised. A notification shall also be sent to the data subject as soon as practicable if the data breach is likely to result in a high risk. Unlike the 2020 Law, the GDPR incorporates a specific timeline of 72 (seventy-two) hours within which the data protection authority is required to be informed.
Further, data controllers and processors must necessarily enter into a written agreement. Processors cannot appoint a sub-processor unless written authorization from the controller is obtained. Penalties are specified in Schedule 2 of the 2020 Law, with a maximum fine of $100,000 and a minimum of $10,000; under the 2007 Law, the maximum fine was $25,000. The GDPR provides for a maximum penalty of 20 million euros or 4% (four percent) of the entity's global turnover.