This content was last reviewed around May 2023.
Cloud-friendly
1. Are financial institutions legally permitted to use cloud services?
Yes, there is no prohibition on using cloud services under the applicable regulatory laws in the Dubai International Financial Centre.
2. Are there any rules that apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?
Cloud services are not expressly regulated in the Dubai International Financial Centre. As such, there are no standalone regulations that regulate outsourcing and that would dictate what types of functions can be outsourced or what data can be stored with an outsourced service provider.
Dubai Financial Services Authority ("DFSA") Rulebook:
The general rules contained in the DFSA Rulebook include requirements relating to material outsourcing. These rules are reinforced by the provisions of the DFSA's Regulatory and Policy Sourcebook. Accordingly, whether these rules apply will depend on the systems on which the relevant data or functions will be hosted.
Guidelines for Financial Institutions Adopting Enabling Technologies:
The Central Bank of the UAE, along with the DFSA and other UAE financial authorities, such as the Securities and Commodities Authority and the Financial Services Regulatory Authority of Abu Dhabi Global Market, jointly issued best practice guidelines relating to digitalization in the financial services sector entitled the "Guidelines for Financial Institutions Adopting Enabling Technologies" ("Guidelines").
The Guidelines apply to all financial institutions licensed and supervised by the DFSA that are using, or intend to use, among other technologies, cloud computing solutions. Financial institutions are expected to consider applying the Guidelines to their business activities in a manner that reflects the size and complexity of the relevant financial institution and the nature, scope, risk level, complexity and materiality of their activities.
3. Are there any specific contractual requirements for cloud outsourcing?
The rules and guidelines of the Dubai Financial Services Authority ("DFSA") relevant to outsourcing state that the DFSA's regulated entities (i.e., Authorized Persons, as defined below) must abide by a number of specific contractual requirements for cloud outsourcing, namely the following:
The Guidelines for Financial Institutions Adopting Enabling Technologies provide specific recommendations to be followed in relation to cloud service providers, including recommendations of what the contract should cover.
[1] This refers to the information listed under Section 11.1 of the DFSA Rulebook on information gathering and DFSA access to information. This section requires Authorized Persons — where reasonable — to share specific information related to their activities with the DFSA when required and to allow the DFSA to access it.
4. When does cloud outsourcing fall within the scope of the rules?
Cloud services are not expressly regulated in the Dubai International Financial Centre. As such, there are no standalone regulations that specifically regulate outsourcing and that would dictate what types of functions can be outsourced or what data can be stored with an outsourced service provider.
5. Does the outsourcing need to be notified to the regulator?
The Dubai Financial Services Authority ("DFSA") General Rule 5.3.21 imposes a duty on financial institutions to notify the DFSA of any new subcontracting.
6. What are the potential consequences for breaching financial services rules on cloud outsourcing?
Breaches of the General Rulebook provisions of the Dubai Financial Services Authority ("DFSA") relating to outsourcing do not give rise to any specific administrative fines. However, the DFSA has a wide range of disciplinary measures at its disposal, including audits, specific orders, formal warnings to senior executives, requests for the removal of senior executives and, in the case of serious breaches, suspension or withdrawal of an entity's DFSA license.
Noncompliance with the Guidelines is unlikely to lead to sanctions being imposed by the DFSA or to any other civil, criminal or administrative sanctions, as the Guidelines are not intended to be mandatory or binding on financial institutions licensed by the DFSA.
7. Are there any data privacy and/or data security laws that would apply?
Yes. The Dubai International Financial Centre ("DIFC") Data Protection Law (DIFC Law No. 5 of 2020, as amended by DIFC Law No. 2 of 2022) is closely aligned with the EU General Data Protection Regulation ("GDPR"). The contractual requirements to be included in an agreement with an outsourced service provider will be similar to those required under Article 28 of the GDPR, including the requirement to stipulate the subject matter and duration of the processing, the nature and purpose of the processing, and the type of personal data and categories of data subjects, as well as commitments to comply with documented instructions from the controller. This is to ensure that persons authorized to conduct processing do so under legally binding agreements or duties of confidentiality, and that they delete or return all personal data at the controller's option once the services have been provided.
8. Are there any restrictions under local data protection laws that would impact the overseas hosting of data?
Yes. There are restrictions on cross-border transfers of personal data, which are similar to those contained in the EU General Data Protection Regulation. Transfers should be to a jurisdiction that affords personal data an adequate degree of protection (a list of adequate jurisdictions is available here) or ensures that the transfer satisfies one of the other requirements set out in Article 27 of the Data Protection Law (Dubai International Financial Centre ("DIFC") Law No. 5 of 2020, as amended by DIFC Law No. 2 of 2022) ("DPL").
In relation to cross-border transfers of personal data to a jurisdiction that is not recognized as adequate, the parties are obliged to enter into the appropriate form of model clauses (available here) adopted by the DIFC commissioner (responsible for supervising and enforcing the DPL). Where processing is subject to the UK or EU standard contractual clauses ("SCCs"), the commissioner will allow the parties to rely on these SCCs (on the grounds that they are intended to achieve the same purpose as the DIFC SCCs), provided that details of the transfers to or from the DIFC are described in the exhibit and the parties expressly agree that the DIFC commissioner may have jurisdiction in respect of the processing being carried out.
9. Does a cloud service provider need a financial services authorization or license to provide cloud services?
No.
10. Is express consent from customers or other data subjects required before moving data to the cloud?
No, it is not required expressly under the Dubai International Financial Centre ("DIFC") Data Protection Law (DIFC Law No. 5 of 2020, as amended by DIFC Law No. 2 of 2022) ("DPL"). Consent is an option. The DPL provides alternative grounds to rely on to legitimize transfers (e.g., legitimate interests).
11. Are there any local laws that require a cloud service provider to be able to access the data it hosts?
No. However, in practice, such obligations may be imposed contractually by the local telecoms operators.
12. Are there any local laws that would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?
No, not expressly. Notwithstanding the obligation for Dubai Financial Services Authority ("DFSA") regulated entities to include in their contracts with service providers specific clauses to allow for the DFSA's access to certain information on the regulated entity (see Question 3 above), in practice, the local law enforcement agencies have broad rights to require disclosure of data in connection with investigations into alleged offenses. The local security agencies' rights are even broader where the disclosure request relates to a perceived risk to national security. Disclosure protocols have been adopted by a number of banks to support them when managing informal information-sharing programs implemented by law enforcement authorities in an effort to support the detection and prosecution of fraud.