Monday, 1 August 2011

DIFC Data Protection Law

The 45-hectare free zone in Dubai known as the Dubai International Financial Centre has its own data protection law (DIFC Law No 1 of 2007). According to James Michael, editor of Privacy Laws & Business, this is the first data protection law in an Arab country (see his interview with the DIFC data protection commissioner, Nasser H. Saidi, of Feb 2007 (Issue 86)).

Why the DIFC has a Data Protection Law
On the day that Syrian troops attack Hama and with civil war raging in Libya one would have been forgiven for thinking that the Arab world would have had more pressing concerns. So why does the DIFC bother? In "Why Data Protection Matters" the DIFC Data Protection Commissioner offers this answer:
"The result of the processing and mishandling (voluntary or involuntary) of personal data can have significant consequences, including credit card and identity theft. It is crucial that individuals’ right to privacy is protected by establishing effective data protection laws and enforcing legal safeguards to secure and protect personal data and its processing. Today governments and regulators world-wide, with the EU countries in the fore-front, are increasingly calling for measures to protect privacy and the adoption of data protection regimes to enforce such safeguards."
In other words, financial institutions in Dubai need to be able to exchange personal data with financial institutions in London and other financial centres in the EU and they can do that only if they offer protection for such data that is comparable to the protection available in the UK and other EU member states.

Application
Art 5 of Law No. 1 of 2007 ("the Law") makes clear that it applies to the DIFC only. There is no comparable legislation for the rest of the emirate or the other emirates of the UAE.

Commencement
According to art 4, the Law replaces a Data Protection Module that had been in force since 2004. The new legislation appears to have been implemented by an order known as "Enforcement and Compliance Notice Circular No 1" issued by the Data Protection Commissioner ("the Commissioner") on 27 May 2007.

Secondary Legislation
The law is supplemented by the Data Protection Regulations 2007 ("the Regulations") which are made by the DIFC Authority pursuant to art 27 (1) of the Law. It is also necessary to refer to the Enforcement and Compliance Notices known as "Circulars" made by the Commissioner from time to time. According to the DIFC website there have been two such circulars so far:
  • Circular No. 1 of 27 May 2007 which has already been mentioned as it appears to serve the same purpose as a commencement order in England; and
  • Circular No. 2 of 27 Aug 2009.
The legislative institutions of the DIFC are introduced in my short article on the DIFC Courts.

The Commissioner
Art 21 (1) of the Law provides for the appointment of the Commissioner by the President of the DIFC. The Commissioner is required by art 7 (1) to administer the Law and Regulations. The Commissioner has powers under art 25 that are broadly comparable to those conferred by Part VI of the Data Protection Act 1998 on the Information Commissioner in England.

Duty to Notify
Art 19 (2) requires data controllers (that is to say, persons in the DIFC who alone or jointly with others determine the purposes and means of processing personal data (para 3 of the Schedule)) to notify the Commissioner of their processing. Regulation 6 of the Regulations sets out in detail the content of such notification. Art 2 of Circular No. 1 set a deadline of 30 June 2007 for such registration in the case of existing businesses.

General Requirements
The equivalent of the data protection principles in the British legislation are set out in art 8 (1) of the Law:

"Data Controllers must ensure that Personal Data which they Process is:

(a) Processed fairly, lawfully and securely;
(b) Processed for specified, explicit and legitimate purposes in accordance with the Data Subject’s rights and not further Processed in a way incompatible with those purposes or rights;
(c) adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further Processed;
(d) accurate and, where necessary, kept up to date; and
(e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further Processed."

As in the UK there are special provisions for the processing of sensitive personal data which is defined as personal data "revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life."

Sensitive Personal Data
Processing of sensitive personal data requires a permit from the Commissioner under art 10 (2) of the Law unless the requirements of art 10 (1) are met. The procedure for obtaining such a permit is set out in Regs 2 to 4.

Data Subjects' Rights
Data subjects have the following rights under art 17 (1) of the Law:

"(a) confirmation as to whether or not Personal Data relating to him is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the Recipients or categories of Recipients to whom the Personal Data are disclosed;
(b) communication to him in an intelligible form of the Personal Data undergoing Processing and of any available information as to its source; and
(c) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of the Law."

In addition, they are entitled

"(a) to object at any time on reasonable grounds relating to his particular situation to the Processing of Personal Data relating to him; and
(b) to be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses."

Transfer of Data Abroad
Art 11 (1) prohibits the transfer of personal data outside the DIFC without a permit from the Commissioner under art 12, except to a country or territory listed by the Commissioner as offering comparable protection for personal data. The latest list includes the countries of the European Economic Area (including the United Kingdom), the Channel Islands and the Isle of Man and, interestingly, the USA in the case of transfers to companies that comply with the Commerce Department's "Safe Harbor" Policy. Reg 5 of the Regulations sets out the procedure for obtaining a permit for the transfer of personal data outside the DIFC.

Enforcement
The Commissioner has very extensive powers of investigation and enforcement under art 25 (3). These include the power to fine under art 25 (3) (f) and to initiate a claim for compensation under art 35 for contravention of the law to the detriment of a data subject under art 26 (3) (g). Data subjects may complain in the first instance to the Commissioner under art 33 (1) who may mediate between the data subject and data controller under art 33 (2). Data controllers may appeal from the Commissioner to the DIFC Court under art 34 (1). The DIFC Court is, of course, a common law English language court before which I and other members of the English Bar can appear.

Contact
Further information about data protection in the DIFC can be obtained from the Data Protection Administrator at the
Dubai International Financial Centre Authority
Level 14, The Gate
PO Box 74777,
Dubai, United Arab Emirates
Email: administrator@dp.difc.ae
Tel : +971 4 362 2623
Fax: +971 4 362 2656

Further Information
Should you require further information or advice in a specific case, or representation in a mediation, appeal or application to the DIFC Court, do not hesitate to call me on 0800 862 0055 if you are in the UK or use my contact form. As you can see, data protection has been one of my interests since 1984.
