Dubai Introduces Amendments to Data Protection Law  

Written by Giulia Interesse

Dubai has amended its Data Protection Law to strengthen individuals’ rights—introducing a Private Right of Action and clarifying extraterritorial scope and data-sharing rules—aligning with global standards and increasing compliance obligations for businesses. These changes enhance data privacy protections while reinforcing DIFC’s commitment to a robust, transparent legal environment.


The Dubai International Financial Centre (DIFC) continues to affirm its position as a leading global financial hub in the Middle East, Africa, and South Asia (MEASA) region through ongoing legal reforms that align its regulatory framework with international best practices.

On 8 July 2025, the DIFC enacted a series of important amendments under the DIFC Laws Amendment Law, Law No. 1 of 2005, which came into effect on July 15, 2025. Among the most significant changes are enhancements to the Data Protection Law designed to strengthen the rights of individuals and provide clearer guidance for businesses operating within the jurisdiction.

These legislative updates underscore DIFC’s commitment to fostering a transparent, robust, and globally competitive legal environment—one that safeguards personal data, promotes investor confidence, and supports sustainable growth in the financial and business sectors.

This article explores the key amendments introduced, their implications for data privacy and compliance, and how they fit into DIFC’s broader strategy of continuous legal evolution.

Key Amendments to the Dubai Data Protection Law

The recent amendments to the DIFC Data Protection Law introduce several critical updates aimed at strengthening data privacy protections and enhancing legal clarity for businesses and individuals alike. These changes not only reflect global trends in data protection but also signal DIFC’s commitment to maintaining a robust regulatory environment aligned with international standards.

Introduction of a Private Right of Action

One of the most notable enhancements is the introduction of a Private Right of Action for Data Subjects. This new provision empowers individuals whose personal data has been processed in violation of the Data Protection Law to initiate legal proceedings through the DIFC Courts. Previously, data subjects had limited avenues for direct legal recourse, relying primarily on regulatory enforcement bodies to address breaches. The ability to pursue claims independently marks a significant shift, placing greater responsibility on data controllers and processors to ensure full compliance.

For businesses operating within the DIFC, this development introduces heightened legal exposure. Data controllers and processors must now adopt more stringent data governance frameworks to mitigate the risk of litigation. The prospect of private legal action incentivizes proactive data protection measures and elevates accountability across all entities handling personal data.

From the perspective of individuals, this amendment offers a stronger safeguard for privacy rights. It provides a clearer mechanism to seek remedies, including compensation, for harm caused by unlawful data processing. Ultimately, this enhancement supports DIFC’s broader goal of fostering trust in the digital economy by reinforcing the protection of personal information.

Clarifications on scope of application and extra-territoriality

The amendments also clarify the scope of the Data Protection Law, particularly regarding its jurisdictional reach. The law now explicitly defines its application both within the DIFC and extraterritorially, extending certain obligations to entities located outside the jurisdiction that process personal data related to individuals within the DIFC.

This clarification is especially significant for multinational companies and cross-border operations. Firms with complex international data flows must carefully assess their compliance obligations, even if their physical presence lies beyond the DIFC boundaries. By defining this extra-territorial scope, the DIFC aligns itself with international frameworks like the European Union’s General Data Protection Regulation (GDPR), which also imposes extraterritorial requirements.

This clearer definition reduces legal uncertainty and ensures that data protection responsibilities are appropriately assigned, supporting better risk management for global businesses operating in or with the DIFC.

Update to Article 28 on data sharing

Another important update is the revision of Article 28, which governs data sharing and transfers of personal data to third countries. The amendment clarifies the criteria for assessing the adequacy of third countries receiving personal data from DIFC entities. This “adequacy referential” now aligns more closely with international best practices, including the GDPR’s adequacy decisions framework.

By setting clear standards for what constitutes an adequate level of data protection in recipient countries, the amendment facilitates secure cross-border data transfers while safeguarding individuals’ rights. It ensures that personal data leaving the DIFC is subject to comparable protections, reducing the risk of data breaches or misuse.

For businesses engaged in international data exchanges, this update provides essential guidance to structure their data sharing arrangements lawfully. It encourages due diligence in evaluating third-country partners and adopting appropriate safeguards where necessary.

Implications for businesses and Data Subjects

The recent amendments to the DIFC Data Protection Law bring meaningful changes that affect both businesses and individuals. By introducing stronger protections and clearer legal pathways, the law reshapes the landscape of data privacy in the DIFC.

For Businesses:
The introduction of a Private Right of Action means that individuals can now bring claims directly through the DIFC Courts for unlawful processing of their personal data. This elevates the legal risks faced by companies and underscores the necessity for stricter compliance measures. Organizations must enhance their data governance frameworks, ensuring transparent and accountable handling of personal information. Failure to do so could lead to costly litigation and reputational damage.

The amendments also clarify the law’s extra-territorial scope, extending its reach to certain entities operating outside the DIFC but processing data related to individuals within the jurisdiction. This places an onus on multinational companies to carefully assess their global data practices and ensure they meet DIFC standards regardless of their physical location.

Key points for businesses include:

  • Increased exposure to private legal claims by data subjects.
  • A need for robust data protection policies and ongoing compliance monitoring.
  • Attention to cross-border data flows and adequacy of recipient countries’ protections.

For Data Subjects:
The amendments empower individuals by providing a clear legal route to seek redress if their data privacy rights are violated. This not only enhances protection but also builds trust in the DIFC as a jurisdiction committed to upholding personal data rights. The availability of remedies, including potential compensation, signals a stronger enforcement landscape where data subjects are no longer solely reliant on regulatory authorities.

In summary:

  • Data subjects gain greater control and recourse over their personal information.
  • Businesses and individuals alike benefit from clearer rules on international data transfers, aligning the DIFC with global best practices.

Overall, these changes reinforce DIFC’s reputation as a forward-looking financial centre that balances innovation and privacy, encouraging all stakeholders to adapt proactively to the evolving legal framework.


About Us

Middle East Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Dubai (UAE), China, India, Vietnam, Singapore, Indonesia, Italy, Germany, and USA. We also have partner firms in Malaysia, Bangladesh, the Philippines, Thailand, and Australia.

For support with establishing a business in the Middle East, or for assistance in analyzing and entering markets elsewhere in Asia, please contact us at dubai@dezshira.com or visit us at www.dezshira.com.
