The Dubai International Financial Centre (DIFC), recognized as a global financial hub in the Middle East, Africa, and South Asia (MEASA) region, has recently introduced a series of amendments to its Data Protection Regulations. These revisions are designed to strengthen the existing data protection framework, reinforcing the DIFC’s position as a pioneer in data protection within the region.
The updated Data Protection Regulations encompass several key improvements that focus on ensuring more effective, secure, and ethical handling of personal data processing and operations. These amendments offer clarity on various aspects, including:
1. Personal Data Breach Assessment and Reporting: Regulation 8 now provides guidelines on how to assess and report personal data breaches. It outlines procedures, including for scenarios where temporary custodians discover personal data that has been inadvertently left behind or lost.
2. Use and Collection of Personal Data for Marketing and Communications: Regulation 9 addresses the use and collection of personal data for marketing and communication purposes. It emphasizes the importance of appropriate notices when employing systems that may affect individuals’ rights to restrict or remove their personal data, default cookie settings, and conditions for obtaining consent.
3. Investigations and Enforcement Powers: Regulation 6.2 outlines the investigative and enforcement powers of the Commissioner when a Controller or Processor engages in unfair or deceptive practices.
4. Personal Data Processed via Digital, Generative Technology: Regulation 10 is particularly groundbreaking as it represents the first regulation of its kind in the MEASA region. It focuses on the processing of personal data through autonomous and semi-autonomous systems, such as artificial intelligence (AI) or generative machine learning technology. Regulation 10 also aims to create a platform for interoperability with various guidelines and principles issued by governments and non-governmental organizations, facilitating responsible and ethical processing of personal data in such systems.
Jacques Visser, DIFC Commissioner of Data Protection, emphasized the significance of Regulation 10, stating that DIFC’s outcomes-based approach in applying DP Law 2020 obligations to system development and use cases fosters collaboration and transparency, promoting the innovation and safety of autonomous systems.
The application of these revised regulations will involve testing use cases through consultation, inspection, or supervision. Additionally, the Commissioner’s Office is exploring the possibility of evaluating use cases within a regulatory sandbox environment, comprising technology developers, users, regulators, and relevant organizations, all sharing a common interest in ensuring the safety and practicality of digital systems for the modern age.
The DIFC plans to release guidance alongside the updated regulations, offering further insight into their implementation. For comprehensive details about the amended Data Protection Regulations, refer to the DIFC Legal Database.