Outsourcing: Dubai Strengthens Data Protection Law

On Monday (1/8) the Dubai International Financial Centre (DIFC) implemented a stronger Data Protection Law and appointed a Data Protection Commission to oversee the DIFC.

“The Data Protection Law, which has been amended following a period of public consultation, ensures the protection of all personal information, including any sensitive personal data, and is compliant with the provisions of the laws and directives of the European Union and the guidelines of the Organisation for Economic Co-operation and Development (OECD), including the transfer of data.”

You can find the text of the new law by clicking here.
Looking through this law, it does follow the OECD privacy guidelines. However, as with the OECD privacy guidelines, it is high-level and sections are potentially open to misinterpretation.
The following are the sanctions for this law:

“33. Directions
(1) If the Commissioner is satisfied, after duly conducting all reasonable and necessary inspections and investigations, that a Data Controller has contravened or is contravening the Law or Regulations made for the purpose of the Law, he may issue a direction requiring him to do either or both of the following:
(a) to do or refrain from doing any act or thing within such time as may be specified in the direction; or
(b) to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction.
(2) The Commissioner of Data Protection shall carry out, as a minimum, due process by means of undertaking all the reasonable and necessary inspections and
investigations to be adequately satisfied to establish the Data Controller’s contravention with the Law or Regulations made for the purposes of this Law.
(3) A direction issued under Article 33 (1) shall contain:
(a) a statement of the contravention of the Law or Regulations which the Commissioner of Data Protection is satisfied is being or has been committed; and
(b) a statement to the effect that the Data Controller may seek a review by the Court of the decision of the Commissioner of Data Protection to issue the direction.
(4) A Data Controller who fails to comply with a direction of the Commissioner of Data Protection under this part of the Law contravenes this law and may be
subject to fines and liable for payment of compensation.
(5) A Data Controller may ask the Commissioner of Data Protection to review the direction within fourteen (14) days of receiving a direction under this part of the Law. The Commissioner of Data Protection may receive further submissions and amend or discontinue the direction.”

A couple of key definitions:

“Identifiable Natural Person is a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity.
Personal Data any information relating to an Identifiable Natural Person.”

There are a large number of organizations under Dubai rule to which personally identifiable information (PII) processing is outsourced.
If your organization outsources to one of these organizations, you should know that now they are legally required to safeguard the PII even if you do not have such protection requirements within your business partner contract with them.

Tags: , , , , , , , ,

Leave a Reply