Dubai Becomes First Arab Nation to Enact Data Protection Law
On May 29, 2007, the Data Protection Commission of Dubai issued an Enforcement and Compliance Notice. It directs all DIFC entities, whether or not regulated by the Dubai Financial Services Authority, to register with the Commissioner of Data Protection by June 30, 2007, and to comply with all aspects of the Dubai Data Protection Law. Companies failing to comply will be subjected to fines and penalties.
In January, 2007, the Data Protection Law 2006 became effective, which applies in the jurisdiction of the Dubai International Financial Center (DIFC). The law regulates and protects individuals’ “personal information,” and will have immediate implications for companies operating in Dubai, especially those companies that transfer data from one office to another in different jurisdictions. “Personal information” is defined broadly as “any information relating to an identifiable natural person.” The law also protects “sensitive data” such as information about a person’s political affiliation or racial identity.
The most significant provisions of the Dubai Data Protection Law concern international transfer of data, governing the transfer of personal information out of the DIFC to other countries. It requires that those recipient countries provide “an adequate level of protection” for the personal information, which is the same as the standard imposed by the EU Data Privacy Directive. Transfers of personal information to countries without such protection (including the United States) are permitted only with the consent of the newly appointed Commissioner of Data Protection. The regulations, which became effective in March, 2007, do not specify which countries qualify as having an “adequate level of protection,” however, although it is anticipated that the DIFC will simply adopt the list of the EU “certified” countries.
The regulations also provide for an application process to obtain a permit to process information out of the DIFC to a country that does not provide an adequate level of protection. There are other stated conditions to the transfer of personal information, such as the written consent of the data subject, or that the transfer is necessary or legally required on grounds important in the interests of the DIFC.