Latham lawyers explain who the DIFC’s new law applies to and how it maps against the GDPR.

By Brian A. Meenagh, Fiona M. Maclean, Alexander Hendry, and Avinash Balendran

The Dubai International Financial Centre (DIFC) recently issued a new data protection law and regulations: the Data Protection Law DIFC Law No. 5 of 2020 and the Data Protection Regulations (together, the DIFC DP Legislation).  The new law, which became effective on 1 July 2020, sets a significant benchmark for data privacy in the Middle East and aligns the DIFC’s data protection framework with international data protection regulations, including the EU’s General Data Protection Regulation (GDPR).

The DIFC guidelines provide practical guidance for DIFC-registered entities engaging in electronic direct marketing, including useful “dos” and “don’ts”.

By Brian A. Meenagh, Fiona M. Maclean, and Laura Holden

What Do DIFC-Registered Entities Need to Know?

In January 2019, the Commissioner for Data Protection for the Dubai International Financial Centre (DIFC) issued new Direct Marketing and Electronic Communications Guidelines, aimed at DIFC-registered entities that collect and maintain personal data for electronic direct marketing purposes.

The document provides practical guidance on the rules relating to the collection, maintenance, and use of personal data for electronic direct marketing purposes set out in the Data Protection Law, DIFC Law No.1 of 2007 (DP Law), which is based on the (now superseded) UK Data Protection Act 1998 and EU Data Privacy Directive 1996. However, the guidelines also take into account the latest direct marketing requirements under the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Directive 2002, providing practical examples of “do’s” and “don’ts” for entities to consider. The guidelines also appear to leverage provisions from the October 2018 draft of the EC’s new e-Privacy Regulation (ePR) which is currently anticipated to come into force in 2021.