Proposed Amendments to the DIFC Data Protection Law: Expanded Reach, Stronger Enforcement

April 9, 2025, by Sudha Sampath

Introduction

The Dubai International Financial Centre (“DIFC”) continues to strengthen its reputation as a forward-looking financial hub, not just through financial innovation but also by fostering a robust legal framework. A key component of this evolution is the DIFC Data Protection Law No. 5 of 2020 (“DPL”), which governs the protection of personal data[1] processed by DIFC-based businesses and, in some cases, entities outside the DIFC processing[2] data “in the DIFC” under stable arrangements. As outlined in the DIFC Authority’s Consultation Paper No. 1 of 2025, the DIFC is taking proactive steps to amend and modernize its data protection framework. These changes are not just a formality; they are a strategic evolution designed to keep the DIFC competitive and interoperable with global data protection regimes.

What is the objective of the DIFC Data Protection Law?

The DIFC Data Protection Law[6] aims to regulate how personal data[1] is processed[2] by controllers[3], processors[4], and relevant third parties[5] within the jurisdiction. At its core, the legislation promotes responsible and transparent data handling, anchored in principles of fairness, legality, and security. By establishing a comprehensive legal and procedural framework, it ensures that individuals’ personal data is handled with care, whether being stored, accessed, or shared. The law seeks to balance two critical interests: the individual’s right to privacy and control over their personal data, and the legitimate need for organizations to process such data for lawful business or regulatory purposes.


Core Framework: Recap of the DIFC Law No. 5 of 2020

Originally replacing DIFC Law No. 1 of 2007, the DPL entered into force on 1 July 2020 and became enforceable as of 1 October 2020. It was further updated in March 2022, with the most recent updates issued in September 2023, including additions relating to autonomous systems and direct marketing.

The law sets out clear general requirements under Article 9, including:

• Processing must be lawful, fair, and transparent.
• Data must be collected for explicit and legitimate purposes.
• Personal data must be accurate and securely stored.
• A lawful basis (Article 10) such as consent, contract, legal obligation, or legitimate interest must exist.

The definition of “personal data” under the DPL includes identifiers ranging from names to biometric and genetic data. The scope extends to controllers and processors, including those outside the DIFC who process data as part of ongoing arrangements within the Centre.

Understanding the scope: When does the DPL Apply?

Under the current framework of the DIFC DPL, the law applies in two primary situations[6]:

It covers the processing of personal data by Controllers or Processors that are incorporated in the DIFC, regardless of whether the processing activity physically takes place within the DIFC’s geographical boundaries. In other words, DIFC-registered entities remain accountable under the DPL for how they handle personal data, even if the processing occurs outside the Centre.

The DPL also extends to Controllers or Processors established outside the DIFC if they process personal data “in the DIFC” as part of what is described as a “stable arrangement.” The term “in the DIFC” is interpreted to mean that the infrastructure or personnel conducting the processing are located within the DIFC. A “stable arrangement” typically refers to an ongoing or structured engagement, often contractually defined, between the non-DIFC entity and a DIFC-based party. However, the existing law contains an exclusion for processing that is conducted “on an occasional basis.” The proposed amendments seek to remove this exclusionary language, specifically the phrase “other than on an occasional basis” from limb (b) of Article 6. By doing so, the amendment appears to broaden the scope of application to include one-off or ad-hoc arrangements involving the processing of personal data in the DIFC, even if such activities are not part of a continuing engagement.

Proposed Amendments: Consultation paper highlights

As part of its continued efforts to strengthen privacy safeguards and promote legal certainty, the DIFC Authority has proposed a series of targeted amendments to the DPL. These changes aim to bring the law into closer alignment with international standards while enhancing its practical effectiveness within the Centre’s jurisdiction. These proposed changes aim to clarify the law’s scope of application, improve access to legal remedies, and bolster data subject[7] rights. The proposed revisions focus on three primary areas of reform: Article 6, Article 28, and Part 9 of the DPL.

Article 6 – Expanded and clarified scope of application

A key objective of the proposed amendments is to provide greater clarity regarding the scope of the DPL, particularly its extra-territorial application. The revisions proposed under Article 6 (3) are intended to ensure that the DPL comprehensively applies to all processing activities that affect DIFC-based individuals. This includes clarifying the obligations of entities operating outside the DIFC but processing personal data connected to it. Key highlights include:

a) Broader application criteria: The amendments make clear that any Controller or Processor, whether based within or outside the DIFC, will fall under the DPL if they are involved in the processing of personal data that takes place in the DIFC. This encompasses direct processing as well as processing carried out via intermediaries or through stable business relationships that involve DIFC residents or services.

b) Extra-territorial reach: To reinforce individual privacy rights beyond the physical jurisdiction of the DIFC, the proposed changes extend the law’s reach to include entities offering goods or services to individuals located in the DIFC or monitoring their behaviour. The proposed amendment to the DPL reflects a broader international trend by embracing the concept of extraterritoriality, closely mirroring the approach adopted under the European Union’s General Data Protection Regulation (“GDPR”). Central to this alignment is the adoption of the GDPR-derived principle of “targeting”, which extends data protection obligations to entities that offer goods or services to individuals in a specific jurisdiction or monitor their behaviour, even if those entities are not physically established there. The DIFC Commissioner of Data Protection[8] has expressly stated, both within the recent Consultation Paper and previous regulatory guidance, that the DIFC DPL is intended to be read in parallel with the GDPR, and that relevant European interpretations and commentary can serve as persuasive references. Accordingly, GDPR guidance on targeting will play an influential role in interpreting the extended reach of the DPL, especially in evaluating when non-DIFC entities are deemed to fall within its scope by virtue of their interaction with individuals based in the DIFC.

c) Inclusion of non-DIFC entities: Clarification is provided around the status of non-DIFC Controllers and Processors. These entities will be subject to the DPL if they maintain stable arrangements that result in the regular or systematic processing of personal data originating from within the DIFC. This ensures that cross-border data interactions remain within a framework of legal accountability[9]. The intention is to ensure that individuals within the DIFC, referred to as “Data Subjects”, are afforded consistent and robust protection over their personal data, regardless of where that data is processed or stored. By reinforcing this position, the DIFC seeks to close potential gaps in jurisdiction and ensure that cross-border data processing does not dilute the rights of its residents.

Article 28 – Enhancing oversight of Government Data Requests and cross-border transfers

The proposed revisions to Article 28 (2) aim to enhance transparency and protection when personal data is shared with public or governmental bodies outside the DIFC. These amendments serve to uphold the rights of data subjects in international data sharing contexts and support the Commissioner’s framework for assessing jurisdictional adequacy.

a) Redress obligations in third countries: Controllers and Processors will be required to evaluate whether appropriate legal remedies or procedural safeguards are available to data subjects in the jurisdiction receiving the data. This applies especially where data is shared with a foreign requesting authority. The purpose is to prevent situations in which individuals are left without meaningful recourse if their data is misused abroad.

b) Risk-based due diligence: Entities involved in such transfers must conduct structured due diligence assessments to evaluate the risk of harm to data subjects, particularly in cases involving sensitive data or governmental access. Entities will be expected to ensure that such disclosures are accompanied by appropriate safeguards, including mechanisms for redress available to the affected individuals. This codifies an approach already encouraged by the Commissioner, emphasising ethical data governance and informed, risk-aware transfers. Simply put, the amendments to Article 28 propose a more structured approach to evaluating the suitability of foreign jurisdictions, referred to as “third countries” when personal data is transferred beyond the DIFC. Specifically, the revised provisions will support the Commissioner of Data Protection in reassessing the adequacy referential, which forms the basis for determining whether third countries offer a comparable level of data protection.


Part 9 – Introduction of a Private Right of Action (“PRA”)

Perhaps the most significant development is the proposed introduction of a PRA under Part 9 of the law. This provision gives data subjects the ability to directly pursue claims in the DIFC Courts for violations of their rights under the DPL.

a) Direct legal access: Data subjects will be able to bring a claim before the DIFC Courts without needing the Commissioner to first investigate or determine a violation. This marks a shift towards more active judicial participation in upholding privacy rights.

b) Compensation for distress and harm: The proposed amendments empower the Courts to award compensatory relief not only for financial loss but also for emotional harm or distress suffered due to unlawful data processing.

c) Strengthened compliance incentives: The PRA adds an additional enforcement layer by holding organisations more directly accountable for breaches. It increases the potential legal consequences of non-compliance, encouraging Controllers and Processors to adopt stronger internal safeguards.

This development is particularly important as it provides an independent avenue for judicial redress, enabling individuals to seek compensation for harm suffered, whether financial or non-financial, such as emotional distress, without the need for prior intervention by the Commissioner. It also serves as a strong incentive for Controllers and Processors to uphold their compliance obligations, knowing that affected individuals will have standing to enforce their rights in court.

Increased penalties signal stricter enforcement ahead

The proposed amendments to the DIFC Data Protection Law introduce a more robust enforcement regime, with several fines set to increase significantly. Most notably, a new fixed penalty of USD 25,000 is expected to be introduced for failing to submit the annual data processing notification to the DIFC Commissioner. Historically, such non-compliance may have attracted minimal penalties or resulted in delayed enforcement. However, if this proposal is implemented, organisations may find that the fine is automatically and immediately applied through the DIFC portal upon detection of a missed filing deadline. Businesses should therefore ensure that internal compliance teams closely monitor their notification obligations and submission timelines. Additionally, the proposed revisions would raise the fine for failing to complete a mandatory Data Protection Impact Assessment (“DPIA”) from USD 20,000 to USD 50,000, highlighting the increasing importance placed on proactive risk management in data handling. Similarly, the penalty for breaching Article 28, which governs the sharing of personal data with public authorities, would also rise, from USD 10,000 to USD 50,000. This substantial increase underscores the need for Controllers and Processors to apply rigorous standards of due diligence and legal justification when responding to disclosure requests from government entities. These heightened penalties serve as a clear signal that the DIFC intends to tighten compliance enforcement, and organisations should revisit their data protection procedures to avoid costly sanctions.

Other complementary legislative reforms

In addition to the proposed amendments to the Data Protection Law, the DIFC Authority has also outlined clarificatory changes to several other key pieces of legislation, including the Law of Security, Insolvency Law, and Employment Law. While these revisions are more technical in nature, they aim to improve the consistency, interpretation, and practical application of these laws within the broader DIFC legal framework.

Public consultation and legislative process

The DIFC Authority has issued a Consultation Paper to gather public feedback on these proposed amendments. Once public feedback has been reviewed, the draft legislation may be revised before being formally enacted. Until such enactment occurs, the proposals remain in draft form and do not yet carry legal effect. Businesses and legal practitioners are advised to monitor developments closely and begin assessing how the changes could affect their data protection strategies. These proposed amendments reflect the DIFC’s forward-thinking approach to privacy and data protection, ensuring the legal framework continues to support both innovation and accountability in a digitally evolving environment.

Conclusion: Preparing for the future of Data Privacy in the DIFC

The amendments to DIFC Law No. 5 of 2020 mark a bold step toward operational excellence and legal certainty in data protection. The combined legislative and regulatory enhancements, grounded in the Consultation Paper No. 1 of 2025, equip the DIFC to remain competitive on the global stage.

Firms are encouraged to:

• Review existing data protection policies
• Update contracts with vendors and clients
• Design DPIA templates and consent workflows
• Train staff and prepare for AI-related compliance

Footnotes

1. Personal Data refers to any information that relates to a natural person who is either identified or can be identified, directly or indirectly. This includes data such as an individual’s name, age, residential address, income level, marital status, educational background, or employment details, whether considered individually or in combination. It is important to note that the definition applies solely to natural persons; legal persons or organizations do not possess personal data under DIFC law.

2. Processing refers to any activity or series of activities carried out on personal data, whether performed manually or through automated means. This includes operations such as collecting, recording, organizing, structuring, storing, archiving, modifying, retrieving, consulting, using, sharing (through transmission or dissemination), transferring, aligning, restricting, erasing, or destroying personal data. However, the definition excludes certain activities. Specifically, it does not cover processing conducted: (1) by an individual for purely private or household purposes with no commercial intent; or (2) by law enforcement[8] bodies for the purpose of preventing, investigating, or prosecuting criminal offences, enforcing penalties, or protecting public security.

3. A Controller is an individual or entity established in the DIFC that has the authority to decide why and how personal data is processed. In other words, the Controller determines the purpose of the data processing activity and the means by which it is carried out.

4. A Processor is any individual or entity that carries out the processing of personal data on behalf of a Controller. The Processor acts under the Controller’s instructions and does not determine the purposes or means of the processing itself.

5. A Third Party refers to any individual or entity other than the Data Subject, the Controller, or the Processor, including anyone not acting under the direct authority of the Controller or Processor who is authorised to process personal data.

6. DIFC Data Protection Law does not extend to purely personal or household data processing activities carried out by natural persons that have no commercial connection.

7. A Data Subject is the natural person to whom the personal data pertains. For instance, if an organisation collects and maintains personal information about its employees, those employees are considered Data Subjects under the law.

8. The administration, supervision, and enforcement of the DIFC Data Protection Law fall under the authority of the DIFC Commissioner of Data Protection. This office is tasked with ensuring that entities comply with the law and operates as the principal body for interpreting and guiding its application. The current Commissioner is Jacques Visser.

9. Accountability, as outlined in Articles 14 to 22 of the DIFC Data Protection Law 2020, refers to the obligation of organisations to demonstrate responsible stewardship and transparent management of personal data, viewed as a critical business asset. This principle requires entities to implement internal measures that ensure data protection compliance is not only achieved but also verifiable. One such measure includes the appointment of a Data Protection Officer (DPO), an individual who operates independently to oversee compliance and foster a culture of privacy. Accountability further involves conducting Data Protection Impact Assessments (DPIAs) to proactively identify and manage risks related to data security, third-party sharing, and unauthorized access. Ultimately, accountability is about embedding data protection principles into the operational fabric of the organisation.


by Sudha Sampath

Sudha is a Senior Associate at ATB Legal. As a legal consultant she handles and extensively writes about Arbitrations in ICC, DIAC and arbitrateAD; DIFC and ADGM matters; and corporate and commercial litigations.
