The DIFC guidelines provide practical guidance for DIFC-registered entities engaging in electronic direct marketing, including useful “dos” and “don’ts”.

By Brian A. Meenagh, Fiona M. Maclean, and Laura Holden

What Do DIFC-Registered Entities Need to Know?

In January 2019, the Commissioner for Data Protection for the Dubai International Financial Centre (DIFC) issued new Direct Marketing and Electronic Communications Guidelines, aimed at DIFC-registered entities that collect and maintain personal data for electronic direct marketing purposes.

The document provides practical guidance on the rules relating to the collection, maintenance, and use of personal data for electronic direct marketing purposes set out in the Data Protection Law, DIFC Law No.1 of 2007 (DP Law), which is based on the (now superseded) UK Data Protection Act 1998 and EU Data Privacy Directive 1996. However, the guidelines also take into account the latest direct marketing requirements under the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Directive 2002, providing practical examples of “dos” and “don’ts” for entities to consider. The guidelines also appear to leverage provisions from the October 2018 draft of the EC’s new e-Privacy Regulation (ePR), which is currently anticipated to come into force in 2021.

The guidance covers key topics for DIFC-registered entities, including:

  • Web-scraping and web mining
  • Consent and opt-in options
  • Third-party consent and indirect consent
  • Soft opt-in rules
  • Preference services
  • Cold-calling and telemarketing
  • Spam and suppression lists
  • Statistics and research

The DIFC highlights in the guidelines that, due to its historical reliance on UK and EU data protection and privacy principles, the guidelines should be read in conjunction with existing UK and EU guidance. The guidelines do not expressly identify the relevant UK and EU data protection and privacy guidance, but we would anticipate that it includes the UK Information Commissioner’s Office (ICO) Direct Marketing Guidance.

The DIFC may decide to issue further updates to its guidance following the ICO’s replacement of the Direct Marketing Guidance with the new direct marketing code of practice (which will address the aspects of the GDPR and the UK’s Data Protection Act 2018), and again when the delayed ePR comes into force.

In the meantime, the DIFC guidelines are a welcome addition from the Commissioner for Data Protection and should be read and adhered to by all DIFC-registered entities that engage in direct marketing and electronic communications with individuals.