Regulation 10 is the first enacted regulations in the MEASA region on the processing of personal data via autonomous and semi-autonomous systems such as AI or generative, machine learning technology. Image Credit: Supplied

Dubai:The latest Data Protection Rules announced by the Dubai International Financial Centre (DIFC) will provide further clarity on personal data breach obligations.

First proposed in April, followed by a 30-day public consultation period, the DIFC said on Thursday that the new amendments have come into effect.

The amendments allow for more ethical management of personal data processing and operations, and offer greater insight into situation such as when a temporary custodian finds personal data that has been inadvertently left behind or lost.

The amendments will also clarify the use and collection of personal data for marketing and communications, particularly regarding appropriate notices when employing systems that may impair individuals’ rights to restrict or remove their personal data.


They also provide guidelines on investigations and enforcement powers of the commissioner when a controller or processor may employ unfair or deceptive practices.

Jacques Visser, DIFC Commissioner of Data Protection, said: “DIFC’s outcomes-based approach vis-a-vis application of the DP Law 2020 obligations to the development and use cases for systems provides a more collaborative, transparent way of creating and maintaining an innovative yet safe autonomous system.”

Regulation 10

The financial hub also said it has enacted ‘Regulation 10’, a set of rules addressing how personal data is handled in autonomous systems like AI and machine learning.

One aspect of Regulation 10 is that it allows the DIFC to serve as a platform for making different guidelines for governments and organisations to work together. This ensures that the correct principles are applied for ethical and responsible personal data processing in AI technology development.

Visser said that user cases are expected to be tested through further consultation, inspection or supervision. The DIFC Commissioner’s Office is also considering testing use cases through participation in a regulatory sandbox comprised of technology developers, users, regulators and non-governmental organisations.