UAE: Proposed Amendments to the DIFC Data Protection Law

Written By

Nick O'Connell

Partner
United Arab Emirates

I am a Partner working in Tech & Comms and Privacy & Data Protection. I have been based in the Middle East for most of the last 18 years, assisting local and international clients by providing specialist legal support on diverse matters in the broader technology, media and telecommunications space.

Charles Christie

Associate
United Arab Emirates

I am an associate at our Dubai office, where I assist clients with commercial, technology, and data-related issues across the Middle East, with a primary focus on the UAE and Saudi Arabia.

The Dubai International Financial Centre (DIFC) has issued Consultation Paper No. 1 of 2025, inviting public comments on proposed legislative amendments, including significant changes to the DIFC Data Protection Law (DPL), DIFC Law No. 5 of 2020. These amendments aim to clarify and enhance data protection standards within the DIFC, aligning them with global best practices. The DIFC Authority has invited public feedback on these proposals by 26 March 2025, with final enactment expected later in the year. Further information about the public consultation process is available here.

In this article, we outline some of the key proposed changes.

1. Clarification of the Extra-Territorial Scope (Article 6(3))

The proposed amendments aim to clarify the scope of the DPL’s application. The changes specify that the law applies to:

  • DIFC-registered entities processing personal data, regardless of where the processing occurs.
  • Any entity processing personal data within the DIFC as part of stable arrangements, even if not incorporated in the DIFC.
  • Entities processing the personal data of individuals in the DIFC, including those offering goods or services or monitoring behaviours within the DIFC.

These revisions are intended to align the DPL’s extra-territorial application more closely with international standards such as the GDPR. Most notable of the amendments is the introduction of the final point, which will inevitably broaden the scope of the DPL significantly. 

2. Strengthening Cross-Border Data Transfers and Government Requests (Article 28(2))

The amendments propose additional obligations for controllers and processors transferring data to third countries or responding to government authority requests. Key changes include:

  • A requirement to assess whether data subjects will have legal or other forms of redress in the importing jurisdiction.
  • Strengthening the DIFC Commissioner’s role in reassessing the adequacy of third-country data protection regimes.

This approach seeks to reinforce risk-based due diligence in cross-border data transfers, ensuring that DIFC data subjects retain robust protections when their personal data is processed internationally.

3. Introduction of a Private Right of Action (Article 64A)

A major reform under the proposed amendments is the introduction of a Private Right of Action (PRA), allowing individuals to directly seek compensation through the DIFC Courts if their data protection rights are violated. Currently, data subjects must first file complaints with the DIFC Commissioner, who then determines whether enforcement action is necessary.

Under the new provision, data subjects could:

  • Bypass the Commissioner and file claims directly in the DIFC Courts.
  • Seek compensation for financial and non-financial harm, such as emotional distress caused by data breaches.

This change is modelled on similar provisions under the UK Data Protection Act 2018 and the GDPR, providing greater legal recourse for individuals while potentially increasing compliance pressure on businesses operating in the DIFC.

4. Updates to Penalties and Enforcement

Additional proposed updates include:

  • Higher fines for certain breaches:
    • Failure to conduct annual assessments: $25,000.
    • Failure to carry out Data Protection Impact Assessments (DPIAs) for high-risk processing activities: Increased from $20,000 to $50,000.
    • Non-compliance with data-sharing obligations: Increased from $10,000 to $50,000.

Implications for Businesses

These amendments represent a step in aligning the DIFC’s data protection regime with international best practices while ensuring that businesses operating in the DIFC adopt higher compliance standards. The potentially increased scope of the DPL is likely to have significant implications for organisations located in the UAE (onshore) and further afield that have ‘non-stable’ arrangements in the DIFC. 

The DIFC Authority has invited public feedback on these proposals by 26 March 2025, with final enactment expected later in the year. Organisations operating within the DIFC should monitor developments closely and consider submitting comments to ensure the proposed changes align with practical business operations.

For any further information on this topic, please contact Nick O’Connell or Charlie Christie.
