DIFC Addresses Autonomous and Semi-Autonomous Data Processing Through New Amendments to Data Protection Law

On September 7, 2023, the Dubai International Financial Centre (DIFC) enacted new amendments to its Data Protection Law No. 5 (2020) (DPL). The new amendments mark a significant step forward in the DIFC's role as a regional hub for technology and innovation by introducing, among other changes, regulation of the use of artificial intelligence and machine learning to process personal data.

Broadly, the new amendments to the DPL address the following:

  1. Personal Data Breach Assessment and Reporting Obligations (Regulation 8): The amendments clarify data controllers’ obligations to report personal data breaches, including the logistics of how to report such breaches to the DIFC Commissioner, the circumstances under which notice may be required to affected data subjects or to the public, and the fines for non-compliance with reporting obligations. The amendments also create a new designation of “temporary custodian” for anyone, neither controller nor processor, who inadvertently obtains personal data, and set out instructions for the return of such personal data.

  2. Electronic Marketing and Digital Communications (Regulation 9): The amendments address the collection and use of personal data in electronic marketing and digital communications. They emphasize the need for appropriate notices, especially where a data subject's rights to restrict or remove their personal data may be impacted. The law also clarifies standards for default cookie settings and consent conditions.

  3. Investigations and Enforcement Powers (Regulation 6.2): The amendments enhance the DIFC Commissioner’s power to investigate and enforce the DPL when a data controller or processor engages in unfair or deceptive practices (e.g., misleading notices, false claims of adherence to law).

  4. Autonomous and Semi-Autonomous Systems (Regulation 10): Arguably the most innovative amendment is the introduction of new obligations for entities that “deploy” or “operate” “autonomous and semi-autonomous systems” (Systems) to process personal data. Such Systems include AI and generative machine learning tools. Note that most compliance obligations fall on the “deployers” (analogous to data controllers) rather than the “operators” (analogous to data processors). In particular, deployers must:

    1. Provide clear and explicit notice to users regarding the underlying technology and the way in which use of the System may impact privacy rights. Notice should also describe the purpose for processing, principles by which the System has been designed, and any codes or certifications by which it has been designed (e.g., OECD AI Principles, NIST AI Framework).

    2. Design Systems in accordance with specific best practice principles, including that the System be: ethical (i.e., algorithmic decisions and flow of data are unbiased), fair (i.e., all individuals are treated equally regardless of race, gender, and other factors), transparent (i.e., processing can be explained in non-technical terms and with supporting evidence), secure (i.e., appropriate measures are in place to prevent data breaches), and accountable (i.e., regular auditing is in place).

Regulation 10 is one of the first laws in the Middle East, Africa, and Southeast Asia (MEASA) to govern the processing of personal data through AI or machine learning. Notably, even compared to other AI laws outside MEASA, Regulation 10 is unique in that it does not seek to regulate the content of AI or machine learning algorithms directly. Rather, it merely establishes behavioral boundaries for organizations that deploy or operate such algorithms in the processing of personal data.

Regulatory Sandbox: To further refine the application of the DPL in different use cases, the DIFC Commissioner suggested it could test such new use cases in a regulatory sandbox. This approach would allow participants (e.g., developers, users, businesses) to explore and experiment with new products or services while collaborating with regulators and reducing the risk of penalties later.

Overall, the DIFC's new amendments represent a significant milestone in data protection regulation and the responsible leveraging of AI and machine learning tools. Businesses operating within the DIFC or handling personal data through such tools should carefully review their data processing practices to ensure they align with the new standards set forth in Regulation 10.

If you would like to discuss your company’s compliance obligations in the DIFC or Middle East more broadly, please contact Baker Botts’ Privacy & Cybersecurity team.
