On September 1, 2023, the Dubai International Financial Centre (DIFC) Director of Data Protection announced, via LinkedIn, that the DIFC Authority (DIFCA) had released Regulation 10 on Processing Personal Data Through Autonomous and Semi-Autonomous Systems which amends the Data Protection Regulations 2020 (Data Protection Regulations), entering into force on the same date. The Director noted that the amendment followed a period of public consultation.

In particular, the amendment includes:

• obligations on controllers and processors regarding controls and safeguards in connection with the use of digital enablement technology systems, such as artificial intelligence (AI) systems, including transparency and information provision obligations towards data subjects; and
• concepts to incorporate Privacy by Design or by Default into generative AI, machine learning, or similar systems, which include fairness, ensuring ethical practices, transparency, security, and accountability.

You can read the LinkedIn post here and the amended Regulations here.

Update: September 21, 2023

DIFC highlights key amendments to Regulations

On September 7, 2023, the DIFC announced the enactment of the amendments to the Data Protection Regulations, which address the means for better, safer, and more ethical management of personal data processing and operations. In particular, the DIFC outlined that the amendments provide clarity on:

• personal data breach assessment and reporting obligations in Regulation 8, including situations where a temporary custodian finds personal data that has been inadvertently left behind or lost;
• use and collection of personal data for marketing and communications, particularly regarding appropriate notices when employing systems that may impair data individuals' rights to restrict or remove their personal data, default cookies settings, and conditions for consent, set out in Regulation 9;
• investigations and enforcement powers of the Commissioner of Data Protection when a controller or processor may employ unfair or deceptive practices, as defined in Regulation 6.2; and
• personal data processed through digital generative technology systems, under Regulation 10.

Notably, the DIFC highlighted that Regulation 10 is the first enacted regulation in the Middle East, Africa, and Southern Asia (MEASA) region on the processing of personal data via autonomous and semi-autonomous systems such as AI or generative machine learning technology. 

The DIFC also pointed out that guidance would be issued to accompany the amended Regulations in due course.

You can read the press release here.