Dubai International Financial Centre (DIFC) has enacted a set of legal amendments that include granting individuals the right to bring private legal claims over data protection breaches through the DIFC Courts. The reforms, formalised under DIFC Laws Amendment Law No. 1 of 2005, took effect on July 15, 2025.
The amendments expand the Data Protection Law by introducing a private right of action for data subjects whose personal information is handled in violation of the law. The update also clarifies the law’s territorial scope, addressing data processing conducted outside but connected to DIFC, and revises Article 28 to define how third countries are assessed for adequacy in receiving personal data.
The reform aligns DIFC’s legal framework more closely with international standards such as the EU’s General Data Protection Regulation (GDPR), providing greater clarity to firms managing cross-border data transfers. Legal experts say the move strengthens individual enforcement rights and brings DIFC’s regime closer to global benchmarks.
The package also includes amendments to the Law of Security, Insolvency Law, and Employment Law. These changes are described as clarificatory in nature, aimed at aligning DIFC’s broader legal system with international practices. All amendments were approved on 8 July and entered into force a week later.
The DIFC’s legal update follows a growing regulatory focus across Gulf financial hubs on data governance and insolvency protection, with Abu Dhabi Global Market (ADGM) and Saudi regulators also tightening their compliance frameworks over the past year.
The amended laws are now accessible via the DIFC legal database. Entities operating in or through DIFC are expected to assess the impact of these changes, particularly regarding their data handling, employment terms, and insolvency protection structures.
