Practices
Sectors
Country Groups
Client Solutions
Find a Lawyer

Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.

Find out more

Game Theory

The Competition Law Playbook:
In the fast-moving world of MENA competition law, staying ahead means understanding the game’s rules. This month’s Law Update issue: Game Theory, unpacks key legal developments, from evolving merger control trends to landmark rulings in the UAE, KSA, Egypt, and Iraq.
Read Now

Eyes
On 2025

Legal Updates in
Middle East & North Africa

Read More
Eyes On 2025

2025 is set to be a game-changer for the MENA region, with legal and regulatory shifts from 2024 continuing to reshape its economic landscape. Saudi Arabia, the UAE, Egypt, Iraq, Qatar, and Bahrain are all implementing groundbreaking reforms in sustainable financing, investment laws, labor regulations, and dispute resolution. As the region positions itself for deeper global integration, businesses must adapt to a rapidly evolving legal environment.

Our Eyes on 2025 publication provides essential insights and practical guidance on the key legal updates shaping the year ahead—equipping you with the knowledge to stay ahead in this dynamic market.

The leading law firm in the Middle East & North Africa region.

A complete spectrum of legal services across jurisdictions in the Middle East & North Africa.

Today's news and tomorrow's trends from around the region.

17 offices across the Middle East & North Africa.

Cancel
Find out more

Our Firm Back

Our Services Back

Our Knowledge Back

Our Offices Back

Published: Jun 26, 2019

Proposed new DIFC Data Protection Law – Consultation Paper

The DIFC has issued a consultation paper (a copy of which can be found here), seeking comments from the public in relation to a new Data Protection Law (“Proposed Law”). The Consultation Paper will be of interest to businesses in the DIFC which process personal data, as well as their employees, customers and suppliers.

The Proposed Law is intended to reflect the principles and concepts underlying the EU’s General Data Protection Regulation (“GDPR”) as well as elements of the the California Consumer Privacy Act so as to maintain consistency with best practices adopted by international data protection laws.

 

Key Features

Some of the key features of the Proposed Law include:

  • New responsibilities and liabilities for Data Processors and Joint Controllers (with respect to certain obligations), noting that Data Controllers, Joint Controllers and Processors are able to contractually reallocate risk between themselves;
  • Requirement for legally binding agreements which are compliant with the Proposed Law, to be in place between Data Controllers and Processors. As currently drafted, the Proposed Law will mean that relevant DIFC entities that do not have such agreements will be in violation from the moment the Proposed Law is enacted, however the DIFC Authority (“DIFCA”) acknowledges this issue and it is open to considering a grace period to allow such agreements to be put in place, as well as the possibility of publishing model contract clauses to assist Data Controllers and Processors to this end. It is anticipated that these measures may avoid the sort of problems encountered in Europe where parties spent considerable time and effort trying to negotiate amendments to existing Data Protection Agreements so as to make them compliant under the GDPR, often with little success as parties sought to impose their own Coterms.We expect these new requirements will result in a sharp increase in the use of Data Transfer Agreements / Data Protection Agreements, which have not been widely used in the region to date;
  • Requirement for Data Controllers undertaking ‘High Risk Processing Activities’ to appoint a UAE resident Data Protection Officer (“DPO”) and to undertake data protection impact assessments. This will be an added compliance burden with increased cost for most DIFC entities. However DIFC entities that are part of an international group, may use their existing DPO outside of the UAE to perform the relevant role under the Proposed Law, and they may also rely on impact assessments carried out by another member of their group if the assessment complies with the requirements of the Proposed Law;
  • Provisions relating to the transfer of Personal Data outside of the DIFC have been enhanced to align with current international adequacy standards. This includes more accountability for processors, controls on transfers to jurisdictions lacking an adequate level of protection for Personal Data, and recognition of additional transfer mechanisms such as Binding Corporate Rules; and
  • Enhanced rights for individuals whose Personal Data is processed (including right to receive compensation and to be notified in the event of a Personal Data breach).
    It is important to note that the Proposed Law may be refined as part of the consultation process, and as such, it should not be relied on until it is enacted by way of a notice on the DIFCA’s website.

It is important to note that the Proposed Law may be refined as part of the consultation process, and as such, it should not be relied on until it is enacted by way of a notice on the DIFCA’s website.

Feedback

The consultation process provides all stakeholders with an opportunity to shape the new data protection regime. We encourage all interested parties, particularly businesses established in the DIFC to email their comments and views to consultation@difc.ae by 18 August 2019. Your comments may be published anonymously by the DIFCA on its website or elsewhere, unless you expressly request otherwise at the time the comments are made.

We would be happy to assist should you require further detail or wish to make a submission to the DIFCA.

 

If you have any questions, please feel free to reach out to us:

Martin Hayward
Head of Technology, Media & Telecommunications
m.hayward@tamimi.com

Haroun Khwaja
Senior Associate, Technology, Media & Telecommunications
h.khwaja@tamimi.com