Last review date: 23 December 2024
The Dubai International Financial Centre (DIFC), a free trade zone in the Emirate of Dubai, is subject to its own data protection laws, which are derived from the EU data protection legal framework. The legal framework for the DIFC will be addressed in this chapter.
The main laws are:
Cybersecurity tends to be regulated at a sector level, with requirements contained in a mixture of primary legislation, such as regulations, and secondary legislation passed by sector regulators, such as policies, standards and guidelines. Not all of these requirements are routinely made public. Specific security requirements also apply to certain types of service or technology (e.g. Internet of Things solutions). Certain of these requirements will apply equally to organizations conducting business in the DIFC.
Aside from the data protection law, the main source of requirements that apply to organizations doing business in the DIFC is the UAE's Penal Code and Cybercrimes Law, which prohibit certain activities from being carried out in the digital space or using technological means. These criminal laws apply equally in the UAE's free zones, including financial free zones such as the DIFC.
Financial institutions that are regulated by the Dubai Financial Services Authority ("DFSA") are encouraged, although not mandated, to implement the DFSA Cyber Risk Management Guidelines issued in December 2020 ("Guidelines"). The Guidelines are mainly principle-based and reflect good industry practices to assist financial institutions to: (i) establish a robust cyber risk management framework within which to identify, manage and mitigate cyber risks effectively in an integrated and comprehensive manner; and (ii) strengthen the security, reliability, resiliency and recoverability of their systems.
There is no general regulation of non-personal data in the DIFC.
No, although the DIFC Commissioner of Data Protection continues to develop supporting guidance and other aspects of the implementation framework for the DIFC Data Protection Law and its Regulations.