Overview of the changes
The amendment makes a number of significant changes to the DIFC Data Protection Law as follows:
- The introduction of a private right of action through the DIFC courts for data subjects whose rights under the law have been contravened.
- A widening and clarification of the application and extraterritorial scope of the law, confirming that it applies to:
  - a Controller or Processor that processes personal data and is incorporated in the DIFC, regardless of whether or not the processing takes place in the DIFC; and
  - a Controller, Processor or Sub-Processor processing personal data in the DIFC as part of stable arrangements, regardless of its place of incorporation, including transfers of personal data out of the DIFC.
- Clarification of the steps a Controller, Processor or Sub-Processor must take before sharing personal data with public authorities and, importantly, removal of the obligation on a Controller, Processor or Sub-Processor to satisfy itself that the public authority will respect the rights of data subjects when processing the personal data transferred to it.
- The introduction of a new fine of up to USD 25,000 for failing to complete the mandatory annual assessment of whether a Data Protection Officer must be appointed, and an increase, to a maximum of USD 50,000, in the fines for failing to conduct a Data Protection Impact Assessment before commencing high-risk processing activities and for failing to comply with the requirements on data sharing with public authorities.
The amendment was enacted on 8 July 2025 and came into force on 15 July 2025.
Introduction of a private right of action
The introduction of a private right of action is a significant shift in approach.
The right of data subjects to claim compensation for damage suffered by reason of a contravention of their rights under data protection law is well established in GDPR jurisdictions, on which the DIFC Data Protection Law is modelled. Claims of this nature have become increasingly common in those jurisdictions over the past five or so years.
Important points to note are:
- A data subject that has suffered damage as a result of contravention of a requirement of the DIFC Data Protection Law or the DIFC Data Protection Regulations is entitled to compensation for that damage from the Controller or the Processor and has the right to apply to the DIFC courts for such compensation. This goes much further than the previous position under the DIFC Data Protection Law.
- Data subjects can claim for financial and non-financial loss, including mere distress: they do not need to prove that they have suffered a recognised psychiatric injury as a result of the infringement. This lowers the barrier to bringing a claim, as expert medical evidence is not required in order to issue one.
- A data subject can claim compensation from the Controller, the Processor, or both. Processors should bear this in mind: although the bulk of the obligations generally sits with the Controller (for example, notifying the Commissioner and affected data subjects of a personal data breach), the amendment makes clear that a Processor will be held liable where its unlawful processing or inadequate security measures result in harm to data subjects.
- A Controller or Processor is not liable if it can prove that it is in no way responsible for the event giving rise to the damage. The burden of proof lies with the Controller or Processor seeking to rely on this exemption. For example, if an organisation uses a third-party payment provider and a compromise of that provider's systems exposes the organisation's customer data, the organisation may have a defence under Article 64A(4) if it performed appropriate due diligence before selecting the payment provider (the Processor) and had a valid data processing agreement in place. In those circumstances the Controller may be able to show that responsibility for the event giving rise to the damage sits squarely with the Processor and thereby escape liability. The Processor may in turn have its own defence under the same Article, for example if the incident was caused by the exploitation of a zero-day vulnerability for which no patch was yet available, although it would still bear the burden of proving that it was in no way responsible, which in practice means evidencing that its other security measures were appropriate.
Next steps
In line with jurisdictions where the GDPR applies, we expect a gradual increase in data subject claims in the DIFC as individuals become better informed about their rights and how to exercise them. We also anticipate an increase in subject access requests, used to gather information before a claim is brought.
In anticipation of the likely increase in claims and subject access requests, and the potential for increased fines, we recommend that organisations revisit their existing data processing activities and compliance procedures to ensure compliance with the DIFC Data Protection Law.
For more information on how we can help you manage your compliance obligations, please contact our Cyber and Data Risk Team at Kennedys.