In brief
Dubai International Financial Centre (DIFC) has rolled out amendments to its Data Protection Law (“Law”) that came into effect in July 2025 following a consultation earlier in the year. The updates bring the law into greater alignment with the GDPR’s approach to enforcement, providing additional protections for data subjects.
Key takeaways
The amendments introduced to the Law are as follows:
- Changes to extraterritorial scope: Article 6 of the Law has been amended to clarify that the Law applies to the processing of personal data (a) by DIFC-incorporated controllers or processors (even if such entities process personal data outside the DIFC), and (b) in the DIFC by any controller/processor/sub-processor (even if they are not established in the DIFC) as part of stable arrangements. The position is not substantively changed, although the amendments have removed Article 6(3)(c), which stated that “in the DIFC” should be interpreted by reference to the use of means or personnel that are physically located in the DIFC.
- Private right of action: Data subjects now have a right to sue for breaches of the Law directly via the DIFC Courts under new Article 64A rather than lodging a complaint with the DIFC Commissioner (though this option is still retained). Data subjects may sue for any damage suffered due to a contravention of the Law, including both financial and non-financial loss (e.g., distress).
- Relaxed public authority disclosure rules: Under Article 28(2), controllers/processors are no longer expressly required to ensure that public authorities will respect data subject rights prior to transferring/disclosing personal data (which may have proved a substantial burden in practice). However, controllers/processors can only disclose or transfer personal data after they verify that the request received from the relevant authority is valid and proportionate.
- New and increased fines: A new maximum financial penalty of USD 25,000 has been added to the Law for failing to complete an annual assessment in accordance with Article 19. This refers to the assessment of a controller’s processing activity, undertaken by a mandatorily appointed data protection officer, that must be submitted to the Commissioner. Certain other fines under the Law have been increased as follows:
  - Failure to carry out a data protection impact assessment (DPIA) prior to conducting high-risk processing activities in accordance with Article 20: maximum fine increased from USD 20,000 to USD 50,000; and
  - Failure to comply with the obligations around data sharing and disclosure to requesting authorities as per Article 28: maximum fine increased from USD 10,000 to USD 50,000.
The revisions were enacted by way of an amending law issued on 8 July 2025 (DIFC Amendment Law No. 1 of 2025) and came into effect on 15 July 2025.
Commentary
These amendments bring some practical relief to controllers with respect to data sharing with government authorities, but also represent a shift in favour of data subjects with the introduction of a private right of action. The new and increased fines reflect the Commissioner’s intention to continue with robust enforcement of the Law as part of efforts to ensure that DIFC legislation and practices remain in line with international standards.
Organisations that operate in the DIFC should review existing DPIA/annual assessment processes and data sharing procedures, and conduct thorough assessments of compliance with the Law in light of the increased litigation risk posed by the new private right of action under the Law.
If you would like to discuss your approach to compliance with the Law, please reach out to our team of Middle East data protection specialists.
