top of page

DIFC- New Data Protection Law No. 5 of 2020

Updated: Dec 18, 2020

  • Law keeps Dubai and DIFC at the forefront of data protection in the region

  • Enhancements relate to global data, security and privacy best practice

  • Requirements relating to accountability, individuals’ control of personal data and fines for breaches included in the new law

  • The new law will come into effect from 1 July 2020.

His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, has enacted the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 on 1st of June 2020

The promulgation of the Law enables the pre-eminent international financial hub in the Middle East, Africa and South Asia (MEASA) region to strengthen its leadership in enhancing data protection practices.

The current law, Data Protection Law DIFC Law No. 1 of 2007, will remain in effect until this date. The Data Protection Law further develops the current DIFC Data Protection regime which was already one of the most advanced in the region.

The Board of Directors of the DIFC Authority has also issued new Data Protection Regulations that set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data.

DIFC’s updated Data Protection Law and Regulations set out expectations for Controllers and Processors in the Centre regarding several key privacy and security principles. The Data Protection Law combines the best practices from a variety of current, world-class data protection laws, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act and other forward-thinking, technology-agnostic concepts.

The requirements reflect the DIFC’s commitment to developing an enabling business ecosystem with robust regulatory and compliance guidelines for all organisations operating from the Centre.

They will enable DIFC to continue to build upon the Centre’s reputation as a leading global financial centre focused on innovation and collaboration, whilst also promoting ethical data sharing. Importantly, the Data Protection Law and Regulations provide a framework that will support DIFC’s bid for adequacy recognition by the European Commission, the United Kingdom and other jurisdictions, easing data transfer compliance requirements for DIFC businesses.

Data protection officers

In more detail, the changes legislate for accountability of Controllers and Processors through compliance programmes requirements, appointing data protection officers where necessary, conducting data protection impact assessments and imposing contractual obligations that protect individuals and their data.

Rights of individuals

Enhanced rights of individuals are clarified in terms of data usage by entities that collect and manage personal data, including contractual clarity of such rights when engaging with vendors of emerging technologies, such as Blockchain and Artificial Intelligence (AI). Permit options for cross-border data transfers and special category personal data processing have been removed. The Data Protection Law and Regulations include appropriate data sharing structures between government authorities, which represent a key step forward in data sharing standards within the UAE and the region.

Administrative fines in case of breach

General fines for serious breaches of the Data Protection Law, in addition to or instead of administrative fines, as well as increased maximum fine limits, have been introduced.


DPL 2020 replaces the existing data protection law, DIFC Law No. 1 of 2007 (DPL 2007). Like its predecessor legislation, DPL 2020 will regulate the collection, handling, disclosure and use of personal data in DIFC. However, DPL 2020 includes enhanced governance and transparency obligations that mirror many of the principles of the EU General Data Protection Regulation (GDPR), a European Union data protection law that has sparked privacy and data law reform worldwide.

DPL 2020 will come into force on 1 July 2020, however, the Commissioner of Data Protection is not expected to actively enforce the law until 1 October, giving businesses an implementation window of four months in which to review their data protection processing activities and to prepare.

DPL 2020 aims to further DIFC's desire to be recognised internationally as a top-tier jurisdiction for data protection. The law could be a step on the road towards the DIFC achieving "adequacy" status as a destination for free transfers of personal data from Europe.

In light of the current global pandemic, while the Data Protection Law will be effective from 1 July 2020, businesses to which it applies will have a grace period of three months, until 1 October 2020, to prepare to comply with it, after which it becomes enforceable.


Search and composed By Sheher Bano

bottom of page