Dubai International Financial Centre (DIFC), a global financial powerhouse in the Middle East, Africa, and South Asia (MEASA) region, has taken a significant leap forward in data protection with the introduction of amendments to its Data Protection Regulations. These changes solidify DIFC’s position as a leader in safeguarding personal data and, notably, open the door for responsible use of artificial intelligence (AI) and autonomous systems.
Enhancing data protection framework
The amendments to the Data Protection Regulations reflect DIFC’s commitment to fostering more secure and ethical personal data management. Among the key areas addressed are:
1. Personal Data Breach Handling (Regulation 8): The updated regulations provide clear guidelines for assessing and reporting personal data breaches, even in cases where temporary custodians discover unintentionally abandoned or lost personal data.
2. Marketing and Communication (Regulation 9): These regulations introduce comprehensive guidance for the collection and utilisation of personal data in marketing and communication efforts. Emphasis is placed on transparent notices, especially when employing systems that might affect individuals’ rights to control or delete their personal data. This includes provisions for default cookie settings and consent conditions.
3. Enforcement Powers (Regulation 6.2): The amendments lay out the investigative and enforcement powers of the Commissioner to tackle unfair or deceptive practices by Controllers or Processors.
4. Personal Data Processed via Technology Systems (Regulation 10): Perhaps the most groundbreaking aspect of these amendments is Regulation 10. It represents the first set of regulations in the MEASA region tailored to the processing of personal data through autonomous and semi-autonomous systems, such as AI and generative machine learning technology.
Pioneering Regulation 10
Regulation 10 marks a pivotal moment in data protection as it creates a unique platform within DIFC to encourage interoperability among the diverse guidelines and principles issued by sovereign governments and non-governmental organisations. This initiative aims to promote responsible and ethical personal data processing within AI and autonomous systems.
Jacques Visser, DIFC Commissioner of Data Protection, said, “DIFC’s outcomes-based approach vis-a-vis application of the DP Law 2020 obligations to the development and use cases for systems provides a more collaborative, transparent way of creating and maintaining an innovative yet safe autonomous system.”
What’s next?
These regulatory amendments are expected to undergo further scrutiny through consultations, inspections, or supervision. Moreover, the Commissioner’s Office is actively exploring the possibility of testing these use cases within a regulatory sandbox. This sandbox would bring together technology developers, users, regulators, and non-governmental or quasi-governmental organisations, all committed to ensuring the safety and practicality of digital-age systems.
Guidance will be issued to accompany the updated Regulations in due course. Further details about the amended Data Protection Regulations can be found in DIFC Legal Database, which can be accessed here.
