The law addresses for the first time the processing of personal data via autonomous and semi-autonomous systems

In brief

On 7 September 2023, the Dubai International Financial Centre (DIFC) enacted amendments to Data Protection Law No. 5 of 2020 (“DIFC Data Protection Law“) which came into force starting on 1 September 2023. These amendments were preceded by a 30-day public consultation launched by the DIFC in April 2023.

The amendments are aimed at enhancing the current data protection framework in the DIFC, addressing the means for better, safer, and more ethical management of personal data processing and operations. The new provisions are also intended to keep the DIFC at the forefront of data protection by having the first framework in the Middle East region to address the processing of personal data via autonomous and semi-autonomous systems, such as artificial intelligence or generative machine learning technology.

Key takeaways

The amendments to the DIFC Data Protection Law provide clarity on the following key topics:

1. Personal data breach reporting obligations (e.g., actions required for controllers to assess and manage such an incident).
2. Use and collection of personal data for electronic marketing and digital communications (e.g., use of appropriate notices when using systems that may impair a data subject’s rights to restrict or remove their personal data, default cookies settings, and conditions for consent).
3. Investigations and enforcement powers of the DIFC Commissioner (the DIFC’s competent regulator) when a controller or processor utilizes unfair or deceptive practices (which may include misleading notices of processing activities or public representation regarding certifications or adherence to principles, codes, and compliance standards).
4. Personal data processed through autonomous and semi-autonomous systems (e.g., technical, organizational, and ethical measures around personal data collection and use via platforms built through technological systems such as artificial intelligence or generative machine learning technology).

Arguably, the most significant update is the introduction of provisions regarding processing activities conducted through autonomous and semi-autonomous systems since this is the first regulation of this type enacted in the Middle East region. With these amendments, the DIFC introduces new obligations for users and operators aimed at developing a responsible and ethical approach with regard to the processing of personal data in such systems.

Use cases are expected to be tested through further consultation activities. In this regard, the DIFC Commissioner is considering testing use cases through participation in a regulatory sandbox (which is a tool allowing participants to explore and experiment with new and innovative products, services, or businesses under a regulator’s supervision) comprised of technology developers, users, regulators, and non-governmental and quasi-governmental organizations, all having an interest in keeping systems safe and their uses practical for the digital age.

For further details, you can access the amended DIFC Data Protection Law here.

To speak to us or for any assistance in relation to any data and technology-related matters or issues generally, please feel free to contact one of the Baker McKenzie team members listed above.

For future updates, you can visit and subscribe to our Middle East Insights blog: me-insights.bakermckenzie.com