The new DIFC Data Protection Law (the ‘DIFC Law’), which aims to safeguard the personal data of individuals whose data is processed by DIFC-registered controllers, is a landmark in the region. It aligns with global best practice, drawing heavily on the EU General Data Protection Regulation (GDPR) as well as other world-class data protection laws. This is to be celebrated for several reasons, which we set out below, and it should act as an incentive for future national data protection laws globally to follow suit.
Data protection laws primarily exist to protect the privacy and personal data of individuals whose personal data is being processed. They also serve to provide consistency to businesses on how they may process personal data. The purpose of the EU General Data Protection Regulation (GDPR), for example, was two-fold: 1) to increase the protection provided to individuals’ personal data and the powers of regulators; and 2) to harmonise enforcement and increase certainty for businesses processing personal data. As a result of these purposes, and due to the extraterritorial effect of the GDPR, businesses across the globe have invested time, effort and resources into developing data privacy compliance programmes that are aligned with the GDPR.
The DIFC Law, due to its alignment with global best practice, provides businesses in the DIFC with an international standard framework through which they can carry out and align their compliance activities. This means that businesses that have already developed data privacy programmes based on compliance with the GDPR and other global data protection laws will not have to completely change their organisation’s approach in order to comply with the new law. This link to the DIFC Law highlights the changes that have been made and will help organisations navigate them.
Generally, and in the wake of COVID-19, international businesses and investors are becoming more cost-sensitive than ever. They will be watching (and assessing) with interest how the data privacy landscape develops in different regions, in order to understand the resulting impact and cost of compliance to their business, as well as any potential risks of non-compliance to both the organisation and its employees. Any data privacy law that deviates from international best practice becomes an additional burden, increasing the ongoing cost of doing business. For example, many international organisations will already have aligned with global best practice, and will therefore have data privacy frameworks in place that they can roll out quickly and far more cost-effectively than if a new law deviates from such standards and they have to start from scratch.
When drafting any future national data protection laws, governments may wish to consider whether the regulator’s powers of enforcement are aligned with international best practice. We have seen some jurisdictions use criminal sanctions; however, this is fairly rare, and other options are better suited to such laws: issuing warnings, directions or recommendations and, in the case of serious breaches, initiating proceedings before the courts, imposing fines or bringing claims for compensation on behalf of affected individuals.
Businesses will not want to put themselves or their employees at risk of criminal penalties when they could instead expand or develop elsewhere, free of such a risk and exposed only to financial sanctions. Indeed, even when the GDPR came into force, due to the high financial risk associated with non-compliance (when compared with the US at the time), some companies stopped doing business in the EU, for example by blocking their websites and withdrawing services from EU-based consumers.
Like the DIFC Law, future national data protection laws should also ensure that the rights offered to individuals in relation to their personal data are developed in detail to meet emerging global standards. An organisation that decides to expand or develop into a jurisdiction where such rights are lacking will inevitably be scrutinised and risk receiving bad press and the consequential reputational and brand damage, likely to result in customer attrition. When deciding where to invest, businesses will therefore prioritise jurisdictions with data privacy laws that uphold individuals’ rights in line with global standards in order to avoid such risks.
Finally, in countries with economic free zones (such as the UAE), governments may wish to ensure that any national data protection laws are carefully considered in line with existing free zone laws. This will avoid a conflict of laws issue and will ensure that no extra burden is created for organisations. A conflict between data protection laws in this way would undermine that benefit and potentially stifle investment and growth. In addition, going through the exercise of adequacy recognition between the free zone and the national government provides an opportunity for transparency, documenting the assessment and ensuring that the privacy principles accepted between the two are agreed in writing.
We are at the forefront of the data privacy regulatory landscape and have dedicated data privacy lawyers working alongside data privacy and technology specialists to offer holistic legal and assurance support. For more information on the services we provide across the GCC to support compliance with the EU GDPR, the national laws in Bahrain and Qatar, or sector and free zone laws across the region, please get in touch.
Middle East Marketing & Communications Leader, PwC Middle East