DIFC passes Data Protection Law
Chris Hamblin, Editor, London, 9 June 2020
Effective on 1 July, the Dubai International Financial Centre's new Data Protection Law incorporates many of the features of the European Union's General Data Protection Regulation.
One feature of the new law is the mandatory appointment by each private bank and asset-management firm of a data protection officer to independently oversee relevant data protection operations in the manner set out in articles 16, 17, 18 and 19. He must have direct access to the board and "sufficient resources" to perform his duties well. He must monitor the bank's compliance with the new law and any other data-protection law to which his organisation is subject in the DIFC. He must inform and advise the bank pursuant not only to the new DIFC law but also to overseas laws with extra-territorial effect if his bank is subject to them as part of its operations in other jurisdictions.
As in the UK, there is a Data Protection Commissioner (although the law simply calls him "the commissioner") who cannot be held personally liable for his actions, unless he does a part of his job in bad faith. Every data protection officer will be obliged to be "transparent and co-operative" with the commissioner. Tellingly, article 18(1)(c) states that the DPO can do other jobs at the bank, although the bank is obliged to ensure that these other jobs do not distract him from his proper duties to protect data. This opens the door to banks using compliance officers as DPOs, a common enough practice in the UK and Ireland.
As in the EU, one route to the bank being able to process personal data is through the data subject's consent, which he can withdraw at any time (article 32).
As per article 13, a bank that is part of a group may have a legitimate interest in transferring personal data within that group for internal administrative purposes. The law will consider this a "legitimate interest" of the bank's if it is necessary and proportionate to prevent fraud or keep information safe or keep its network secure.
The DIFCA board of directors, unlike anyone in the UK, will be able to make regulations that exempt this-or-that bank from having to obey this law or any parts of it.
Rights
Each data subject, as in the EU, has the right to carry his data about or, as the DIFC law and the GDPR both put it, the "right to data portability." He will be entitled to receive personal data that he has given his bank in a structured, commonly used and machine-readable format, and to instruct the bank to send it on to another bank. He will have the right to object to any decision based solely on automated processing, including profiling. The bank cannot discriminate against him if he exercises these rights by denying him services, or changing its prices, or providing him with services of lower quality.
Rights to access are included. After 1 July, he will be able to obtain from the bank, without charge and within one month, confirmation in writing as to whether or not personal data relating to him is being processed, information about the purposes of the processing, the categories of data involved and the recipients, and a copy of the data.
Article 40 dictates that the bank has to make available a minimum of two methods by which a data subject can contact it to ask to exercise his rights. These methods must not be onerous; one of them may be through a website.
If the basis for processing changes or ceases to exist, or if a bank is required to cease processing due to the exercise of a data subject's rights, the bank has to delete all that person's data, or at least put it beyond further use. It is article 33 that gives him the "right to erasure," also known in the EU as the "right to be forgotten."
A question of adequacy
Processing of personal data that involves the transfer of personal data from the DIFC abroad (the new law actually uses the EU term "a third country") may take place only if an "adequate level of protection" for that data is ensured by the law of the foreign country. This doctrine of "adequacy" is a major feature of the GDPR as well and stands in contrast to "equivalence," a higher standard called for in other European laws such as the Money Laundering Directive.
Penalties
A fine of US$50,000 awaits any bank that fails to comply with: article 9 (general requirements); article 10 (lawful processing); article 11 (obtaining consent properly); article 12 (lawful processing); article 14(2) (taking steps to protect the data); and articles 16(2 and 3) (appointing a DPO).
A fine of US$25,000 awaits any bank that fails to comply with article 14(1 and 3-5) (accountability); article 14(7) (registering with the commissioner); and article 15 (keeping records).