The Dubai International Financial Centre (DIFC) has enacted significant amendments to its Data Protection Law, DIFC Law No. 5 of 2020, aiming to enhance data subject rights and align with international standards like the GDPR. These changes, which came into effect in July 2025, introduce a private right of action for individuals, increase financial penalties for non-compliance, and clarify the law’s extraterritorial scope.
The most impactful change is the introduction of a private right of action, allowing data subjects to directly sue organizations in the DIFC Courts for breaches of the law. Previously, individuals could only lodge a complaint with the DIFC Commissioner of Data Protection. This new provision empowers individuals to seek compensation for both financial and non-financial damages, such as emotional distress, due to contraventions of the law. This shift marks a significant move towards greater accountability for businesses and increased protection for individuals.
In a further sign of a stricter enforcement stance, the amendments raise existing financial penalties and add new ones. The maximum fine for failing to carry out a data protection impact assessment (DPIA) for high-risk processing activities has been raised from $20,000 to $50,000. The penalty for failing to comply with data sharing and disclosure obligations has been raised from $10,000 to $50,000. A new penalty of up to $25,000 has been introduced for failing to complete an annual assessment.
The updates also provide clarity on the law’s applicability. The amendments specify that the law applies to both controllers and processors incorporated in the DIFC, regardless of where the data processing takes place. It also applies to any entity, irrespective of its place of incorporation, that processes personal data within the DIFC.
The new regulations have also made adjustments to how organizations handle data disclosures to public authorities. While controllers and processors are no longer required to ensure that public authorities will respect data subject rights before a data transfer, they must now verify that any such request is both valid and proportionate. This change aims to provide some practical relief to businesses while still maintaining a layer of oversight on data sharing.
The DIFC’s latest amendments demonstrate a commitment to maintaining a robust and modern data protection framework. Businesses operating within the DIFC should immediately review their data protection policies, DPIA processes, and data-sharing procedures to ensure full compliance and mitigate the increased risk of litigation.