DIFC Enacts Major Amendments to Data Protection Law
Why This Alert Is Important
The Dubai International Financial Centre (DIFC) has implemented significant reforms to its Data Protection Law, strengthening the rights of individuals and increasing compliance obligations for companies operating within or connected to the DIFC. These updates mark a clear effort to align the DIFC’s regulatory posture with leading global frameworks like the EU’s GDPR, reflecting Dubai’s strategic positioning as a competitive international financial hub with modernized data governance standards.
Overview of the Enforcement Action
On July 8, 2025, the DIFC enacted Law No. 1 of 2025, amending several key legislative instruments, including Data Protection Law No. 5 of 2020. The amendments officially took effect on July 15, 2025, and represent the most comprehensive changes to the DIFC’s data protection regime since its original implementation. This legislative overhaul follows a detailed public consultation initiated earlier in 2025, where businesses and legal stakeholders were invited to provide input on the evolving privacy landscape.
The updated law enhances protections for data subjects and expands obligations for both controllers and processors. Most notably, the introduction of a private right of action empowers individuals to bring legal claims directly in the DIFC Courts without first exhausting administrative remedies. Other revisions extend the law’s territorial reach, clarify obligations regarding cross-border disclosures to public authorities, and introduce new financial penalties for procedural noncompliance.
These developments come at a time when regulatory scrutiny of personal data processing is intensifying globally. By reinforcing its data protection framework, the DIFC aims to bolster trust among international investors and financial institutions, affirming its status as a jurisdiction that balances commercial competitiveness with data governance best practices.
What it covers
- Private Right of Action (Article 64A): Individuals can now file civil claims for data protection breaches directly in DIFC Courts, eliminating prior procedural hurdles.
- Jurisdictional Expansion (Article 6): Applies to non-DIFC processors/controllers if processing occurs within the DIFC or is linked to stable processing arrangements.
- Cross-Border Data Sharing (Article 28): Requires controllers/processors to assess legality and proportionality of foreign government access requests, and to ensure legal redress options for data subjects.
- New Penalties: Introduces tiered fines (e.g., USD 25,000–50,000) for failing to perform risk assessments or submit annual compliance documentation.
The DIFC’s July 2025 amendments to its Data Protection Law underscore a growing global convergence toward rigorous, rights-based privacy frameworks akin to the GDPR. By enabling individuals to bring direct legal claims and expanding the law’s jurisdictional scope, the DIFC has introduced a more litigious, high-stakes environment for compliance. Organizations processing data linked to DIFC must now proactively assess cross-border disclosures and implement defensible policies for risk assessments and documentation. Exterro’s integrated Data Privacy, Security, and Governance Suite—including tools for RoPA, DSARs, consent management, and risk assessments—offers a strong foundation for navigating these changes with automation, auditability, and regulator-aligned workflows.Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, Director of Product, Privacy, Exterro
Data Privacy Tip
With these amendments in force, organizations subject to DIFC jurisdiction should evaluate their privacy policies, third-party processing agreements, and incident response workflows. A good understanding of how data is collected and used can start with a comprehensive, up to the minute data catalog. Find out how to get started in our recent whitepaper on the Risks Hiding in Your Data.
