[co-author: Andrew Morrison]
The DIFC Data Protection Law No. 5 of 2020 (DIFC Data Protection Law) was amended on 8 July 2025 to introduce several substantive changes.
The changes broadly reflect those proposed in a consultation paper released in February 2025 (available here) (Consultation Paper). However, there are several interesting changes proposed in the Consultation Paper that did not end up being enacted.
New Private Right of Action for Data Subjects
The most significant amendment is the introduction of a statutory cause of action for data subjects against a controller or processor who contravenes the DIFC Data Protection Law. This change is modelled on the equivalent rights granted to data subjects under the EU's GDPR.
Previously, a data subject was only permitted to apply to a court for compensation after first filing a complaint with the DIFC Data Protection Commissioner (Commissioner) and where the Commissioner either declined to take enforcement action or took enforcement action the data subject disagreed with. Data subjects may now apply directly to court where any contravention of the DIFC Data Protection Law results in them suffering damage, including financial or non-financial loss (such as distress).
Scope of Application of DIFC Data Protection Law
Amendments to Article 6(3) of the DIFC Data Protection Law clarify its extra-territorial scope and application. As amended, the DIFC Data Protection Law now applies to:
- controllers or processors incorporated in the DIFC, regardless of where they process personal data; and
- the processing of personal data in the DIFC (including any transfers outside the DIFC) by any controller, processor (or any of their sub-processors), even if not incorporated in the DIFC, as part of stable arrangements.
These changes codify the Commissioner’s historical interpretation and prior guidance on the scope of the DIFC Data Protection Law, as well as explicitly identifying that a controller or processor's sub-processors may also be subject to the DIFC Data Protection Law.
In an interesting development likely to be welcomed by controllers and processors who provide services to data subjects in the DIFC only on an infrequent or occasional basis, the amendments proposed in the Consultation Paper to expand the scope of the DIFC Data Protection Law, in line with the EU's GDPR, to controllers and processors offering goods or services to data subjects in the DIFC, or monitoring the behaviour of data subjects in the DIFC, were not adopted.
Despite the full scope of the proposed amendments outlined in the Consultation Paper not being adopted, it is interesting to note that Article 6(3)(c), which previously defined processing to occur 'in the DIFC' if the means or personnel for the processing were physically located in the DIFC, has been deleted. It remains to be seen whether this deletion signals an intention for the Commissioner to adopt a broader interpretation of what constitutes processing 'in the DIFC.'
Obligations when Sharing Data with Public Authorities
The obligations under the DIFC Data Protection Law in relation to the disclosure or transfer of personal data to a public authority under Article 28 have also been amended, with a controller or processor now only permitted to disclose the personal data after it has satisfied itself that the request is valid and proportionate.
Interestingly, in a move likely to be welcomed by controllers and processors who transfer personal data outside of the DIFC, the previous requirement for the controller or processor to ensure the public authority will 'respect the rights of data subjects' whose personal data is transferred has been removed. This removal is notable given the Consultation Paper not only outlined an intention to retain the obligation, but to also impose additional compliance obligations before personal data could be disclosed to a public authority.
New and Increased Financial Penalties
Certain financial penalties under the DIFC Data Protection Law have also been amended, with:
- a failure to complete, and submit to the Commissioner, the annual assessment of whether a controller is required to appoint a Data Protection Officer now identified as a breach which can attract a financial penalty up to a maximum fine of USD25,000;
- the maximum fine for failing to undertake a data protection impact assessment prior to undertaking high risk processing activities having been raised from USD20,000 to USD50,000; and
- the maximum fine for failing to comply with the obligations in relation to the disclosure or transfer of personal data to a public authority under Article 28 having been raised from USD10,000 to USD50,000.