Dubai’s New Data Protection Law Takes Effect


As of July 1, 2020, the New Data Protection Law No. 5 of 2020 or New DP Law has taken full effect, said the National Law Review. Companies have until October this year to make necessary arrangements and comply with the bill.

To be implemented by the Dubai International Financial Center (DIFC), the New DP Law takes the place of the DFIC Law No. 1 of 2007. The recent bill partially seeks to bring Dubai up to the protection standards of the European Commission and the United Kingdom.


The bill will affect firms within DIFC, no matter where the info is processed. Those incorporated by others but will process info in the DFIC will also be affected by the bill.

Dubai’s New Data Protection Law

The bill makes exceptions for the “Processing of Personal Data by natural persons in the course of a purely personal or household activity that has no connection to a commercial purpose.”


Dubai is taking this step as the financial center for Africa, the Middle East, and South Asia in the hopes of getting an “adequacy” rating from the EC and UK. This will allow the DIFC to receive personal info from the European Union and the UK without using a transfer mechanism.

Transfer mechanisms such as standard contractual clauses are required for those that do not have an adequate level of protection in pursuance of the provisions in the General Data Protection Regulation (GDPR).

This is why it features prominent aspects of the GDPR including accountability requirements, principles, lawful bases for processing, rights, transfers, breach notifications, special categories, and controller-processor agreements, as well as officers and assessments.

One of the most significant features of the bill is the appointment of a Data Protection Officer (DPO) who will conduct Data Protection Impact Assessments (DPIAs), especially for “high-risk processing activities.”

Moreover, the bill requires controllers to “notify the Commissioner of Data Protection of any personal breach that compromises a data subject’s confidentiality, security, or privacy.” Subjects will also be notified is the issue can cause risks to their security or rights.

Aside from features based on the GDPR, the New DP Law also took notes from the California Consumer Privacy Act of 2018 (CCPA). Dubai’s law uses CCPA’s prohibition on companies discriminating against consumers for pursing CCPA rules.

The DFIC also offers a financial incentive, or price or service difference, aside from prohibitions. Incentive offers are subject to exemptions.