From July 1st 2020, life will not be same for Companies who opened offices in Dubai International Financial Center (DIFC) for various reasons. The New Data Protection Law of 2020 will become effective and will totally replace the earlier milder law of 2007.
The law will basically apply to processing of personal data by automated means and where the personal data is part of a filing system and will apply to all companies incorporated in DIFC irrespective of the place where personal data is processed. At the same time it applies to companies irrespective of incorporation if personal data is processed in DIFC as part of a stable arrangement for the processing of personal data in the context of activity in DIFC. It excludes processing of personal data by individuals exclusively for domestic purpose.
While we can discuss the changes in the Grounds of Processing or Data Subject’s rights and Compliance requirements separately, it may be immediately noticed that the new law enhances the remedies available to the Data Subjects and also imposes administrative fines in the form of fines from $50,000 to $ 100,000 for various contraventions, besides directions for cessation of business or reprimands. Additionally the Commissioner can also award compensation to the data subjects or the data subjects may make a claim for compensation through a grievance redressal process or with the intervention of the Court.
Where more than one Controller or Processor is involved, the liabilities will be applicable jointly and severally.
It is therefore time for Companies in India who have their Dubai offices to take a fresh look at their Data Protection Obligations. Many Indian companies might have entered into a business agreement with local companies but they will continue to be liable as either a Joint Controller or a Data Processor and hence have to make an assessment of their liabilities under the new law.
(More discussions will follow)