The Riffle
The Dubai International Financial Centre (DIFC) has launched a public consultation on proposed amendments to its Data Protection Regulations, reflecting its broader ambition to become the world’s first AI-native financial centre. The proposals introduce a more detailed framework for the use of Artificial Intelligence (AI), autonomous systems and machine-based decision-making while strengthening privacy, transparency and accountability obligations.
Key Highlights
DIFC Moves Towards an AI-Native Regulatory Framework
The proposed amendments form part of the DIFC’s broader strategy to establish itself as an AI-native financial centre. The framework seeks to embed AI governance, accountability and safety directly into the DIFC’s data protection regime.
New Deployer and Operator Framework
The proposals introduce AI-specific governance roles, distinguishing between “Deployers” and “Operators” of autonomous and semi-autonomous systems. The framework aligns responsibilities more closely with the realities of AI deployment while broadly reflecting the traditional Controller and Processor model.
Autonomous Systems Officer Requirement
For systems involved in high-risk processing activities, organisations may be required to appoint an Autonomous Systems Officer (ASO). The ASO would be responsible for overseeing technical governance, maintaining certifications and ensuring ongoing compliance with applicable requirements.
Safety Becomes a Core Data Protection Principle
In addition to existing concepts such as fairness, transparency, accountability and security, the proposals introduce “Safety” as a standalone principle. Organisations would be expected to identify personal data risks, assess potential harms and implement safeguards against discriminatory outcomes.
AI Transparency Obligations Expanded
Deployers and Operators will be required to provide clear disclosures regarding the operation of autonomous systems, including the principles governing their use, applicable policy frameworks and safeguards designed to identify and address biased or unfair outcomes.
Commissioner Gains Certification Powers
A new Regulation 11 would empower the Commissioner of Data Protection to recognise accreditation and certification frameworks, as well as third-party certification bodies. This could create recognised compliance pathways for organisations implementing AI governance and privacy standards.
Why It Matters
The proposals represent one of the most significant developments in the DIFC’s data protection framework since its introduction. Rather than treating AI as a standalone technology issue, the DIFC is seeking to integrate AI governance directly into its privacy and data protection regime.
The consultation also includes a number of broader operational updates, including enhanced consent requirements for digital communications and behavioural advertising, updated record-keeping expectations, and new obligations for entities that inadvertently obtain personal data.
For DIFC firms deploying AI tools, automated decision-making systems or machine-learning technologies, the proposed framework signals increased expectations around governance, transparency, risk management and accountability.
The Riffle Takeaway
The DIFC is moving beyond traditional data protection and towards a regulatory framework that places AI governance at its core. If adopted, the proposals will require organisations to think not only about privacy compliance, but also about the safety, transparency and accountability of the systems they deploy. Firms using AI should begin assessing whether their governance frameworks, internal controls and oversight arrangements are capable of meeting these emerging expectations.
