Regulation 10 of the DIFC Data Protection Law: Ensuring Compliance in the Era of Autonomous Systems

March 6, 2026 | 10 min read

The Dubai International Financial Centre (“DIFC”) has long maintained a robust data protection framework under the DIFC Data Protection Law (“DPL”) No. 5 of 2020. In recognition of the growing use of automated and AI-driven technologies, the DIFC introduced Regulation 10, a forward-looking provision that specifically addresses the processing of personal data through autonomous and semi-autonomous systems.

This regulation represents a key step in aligning the DIFC with international standards for data protection and responsible innovation, particularly in high-risk data processing contexts.

Background and Objectives

Regulation 10 was introduced as part of the DIFC Data Protection Regulations effective 1 September 2023. It is designed to govern processing activities where personal data is handled by technologies capable of operating with minimal human intervention, including machine learning models, AI systems, and other automated decision-making tools.

The regulation aims to:

  • Ensure transparency and accountability when personal data is processed by autonomous systems.
  • Establish a risk-based framework for assessing and mitigating potential harms to individuals.
  • Support the DIFC’s position as a hub for responsible innovation and compliance with global data protection norms.

Scope of Regulation 10

Regulation 10 applies to all controllers, processors, and operators deploying autonomous or semi-autonomous systems in the DIFC. This includes:

  • High-risk processing activities, such as profiling, large-scale data handling, or processing that is likely to significantly affect individuals’ rights and freedoms.
  • Any system that evaluates, predicts, or infers personal information with minimal human input.

By setting out clear obligations, Regulation 10 ensures that the use of innovative technologies does not compromise the fundamental rights of individuals whose data is processed.

Key Compliance Requirements

1. Transparency and Notice

Entities must provide clear, explicit notice to individuals when their data will be processed via autonomous systems. Notices should:

  • Inform individuals of the use of autonomous systems.
  • Explain the logic and purpose of the processing.
  • Highlight potential impacts on individual rights, including options to object.

Transparency is essential to maintain trust and enable individuals to exercise their rights effectively.

2. Data Protection Impact Assessments (“DPIAs”)

High-risk autonomous processing requires a Data Protection Impact Assessment prior to implementation. DPIAs must:

  • Describe the processing activities and technologies involved.
  • Identify categories of personal data and affected data subjects.
  • Assess the necessity, proportionality, and risks of the processing.
  • Document technical and organizational safeguards to mitigate identified risks.

DPIAs are living documents that must be updated whenever the processing changes materially.

3. Accountability and Governance

Regulation 10 places responsibility on entities to demonstrate robust governance, including:

  • Maintaining internal accountability structures for autonomous systems.
  • Documenting design, deployment, and compliance decisions.
  • Keeping records and cooperating with the DIFC Commissioner of Data Protection when required.

4. Certification and Accreditation

The regulation requires high-risk autonomous systems to be audited and certified under frameworks established by the DIFC Commissioner. Compliance ensures:

  • Systems meet established safeguards.
  • Risks to individuals are mitigated.
  • Ongoing monitoring and periodic recertification are conducted.

Implications for DIFC Businesses

Regulation 10 underscores the DIFC’s commitment to responsible and ethical use of emerging technologies. For businesses, it:

  • Emphasizes embedding privacy and accountability by design into autonomous systems.
  • Ensures alignment with international best practices for data protection and AI governance.
  • Protects the organization against reputational and regulatory risks by requiring documented safeguards and DPIAs.

Conclusion

Regulation 10 represents a significant evolution in the DIFC’s regulatory landscape, bridging the gap between traditional data protection principles and the realities of AI-driven innovation. For organizations operating in the DIFC, compliance is not merely a legal obligation—it is a strategic necessity that safeguards individuals’ rights and reinforces trust in the use of autonomous technologies.

By prioritizing transparency, accountability, and risk management, Regulation 10 sets a clear path for responsible data-driven innovation in the DIFC.
