United Arab Emirates: DIFC updates Data Protection Law

In brief

Dubai International Financial Centre (DIFC) has rolled out amendments to its Data Protection Law ("Law") that came into effect in July 2025 following a consultation earlier in the year. The updates bring the law into greater alignment with the GDPR's approach to enforcement, providing additional protections for data subjects.


Contents

Key takeaways

The amendments introduced to the Law are as follows:

  • Changes to extraterritorial scope: Article 6 of the Law has been amended to clarify that the Law applies to the processing of personal data (a) by DIFC-incorporated controllers or processors (even if such entities process personal data outside the DIFC), and (b) in the DIFC by any controller/processor/sub-processor (even if they are not established in the DIFC) as part of stable arrangements. The position is not substantively changed, although the amendments have removed Article 6(3)(c), which stated that "in the DIFC" should be interpreted by reference to the use of means or personnel that are physically located in the DIFC.
  • Private right of action: Data subjects now have a right to sue for breaches of the Law directly via the DIFC Courts under new Article 64A rather than lodging a complaint with the DIFC Commissioner (though this option is still retained). Data subjects may sue for any damage suffered due to a contravention of the Law, including both financial and non-financial loss (e.g., distress).
  • Relaxed public authority disclosure rules: Under Article 28(2), controllers/processors are no longer expressly required to ensure that public authorities will respect data subject rights prior to transferring/disclosing personal data (which may have proved a substantial burden in practice). However, controllers/processors can only disclose or transfer personal data after they verify that the request received from the relevant authority is valid and proportionate.
  • New and increased fines: A new maximum financial penalty of USD 25,000 has been added to the Law for failing to complete an annual assessment in accordance with Article 19. This refers to the assessment of a controller's processing activity to be undertaken by a mandatorily appointed data protection officer that must be submitted to the Commissioner. Certain other fines under the Law have been increased as follows:
    • Failure to carry out a data protection impact assessment (DPIA) prior to conducting high risk processing activities in accordance with Article 20: maximum fine increased from USD 20,000 to USD 50,000; and
    • Failure to comply with the obligations around data sharing and disclosure to requesting authorities as per Article 28: maximum fine increased from USD 10,000 to USD 50,000.

The revisions were enacted by way of an amending law issued on 8 July 2025 (DIFC Amendment Law No. 1 of 2025) and came into effect on 15 July 2025.

Commentary

These amendments bring some practical relief to controllers with respect to data sharing with government authorities, but also represent a shift in favour of data subjects with the introduction of a private right of action. The new and increased fines reflect the Commissioner's intention to continue with robust enforcement of the Law as part of efforts to ensure that DIFC legislation and practices remain in line with international standards.

Organisations that operate in the DIFC should review existing DPIA/annual assessment processes and data sharing procedures, and conduct thorough assessments of compliance with the Law in light of the increased litigation risk posed by the new private right of action under the Law.

If you would like to discuss your approach to compliance with the Law, please reach out to our team of Middle East data protection specialists.


Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.