January 19, 2026

AI Regulation in the DIFC: Personal Data Processed through Autonomous and Semi Autonomous Systems

Regulation 10 of the Data Protection Regulations (the “DPR”) was introduced in late 2023 in the Dubai International Financial Centre (“DIFC”) and forms part of the UAE’s evolving regulatory framework governing the use of personal data in artificial intelligence (“AI”) systems. It establishes a framework for the processing of personal data by autonomous and semi‑autonomous systems in the DIFC and supplements the DIFC Data Protection Law (the “DPL”). Regulation 10 aligns with emerging international approaches by adopting interoperable concepts drawn from the OECD guidelines and the data protection regimes of the United Kingdom and European Union. Regulation 10 is significant because it introduces both general and system‑specific certification requirements, including enhanced obligations and restrictions on the deployment of high risk AI systems. The Information Commissioner is anticipated to provide further guidance on the deployment of high risk AI systems in due course.

Systems, Deployers and Operators

Regulation 10 defines a “System” as any machine‑based system that operates autonomously or semi‑autonomously and can process personal data for human‑defined purposes or for purposes the System defines within human‑set parameters and generates outputs on that basis.

Regulation 10 places accountability on the visible entities that authorise or benefit from System operation by introducing the following roles:

  • A Deployer, being a person under whose authority or for whose benefit the System operates or who benefits from its output. The Deployer is deemed the controller for regulatory purposes. Systems that act under a Deployer’s authority draw liability back to that Deployer.
  • An Operator, being the provider that operates or supervises a System on a Deployer’s direction and is deemed the processor.

Autonomous Systems and Personal Data

Because a System is composed of data, Regulation 10 clarifies that if a System resembles the physical appearance or behaviour of an identifiable natural person, its use may constitute processing of that person’s personal data even if no other personal data is processed. Virtual personas and avatars that identify an individual may therefore fall within scope.

Where personal data is processed for use in or to enable the learning processes of a System, both Deployers and Operators must comply with the general requirements for lawful and legitimate processing in the DPL.

Transparency and User Notice

Deployers and Operators must provide notice at initial use or access to any application or website service that uses Systems to process personal data. The notice must:

  • Alert users to technology and processes that undertake processing not initiated or directed by humans;
  • Explain whether processing is confined to human‑defined purposes or whether the System can define further purposes; and
  • Indicate any impact on the exercise of certain rights where technology limits a data subject’s ability to exercise rights such as erasure.

The notice must also include a description of:

  • The human‑defined purposes for which personal data is processed by the System;
  • The human‑defined principles and limits that govern any self‑defined purposes; note that human‑defined purposes must prevail over System‑defined purposes and any dynamic purposes must be constrained by detailed principles hard coded into the System;
  • The System’s outputs and how they are used;
  • The principles underpinning System design and operation, including built‑in safeguards to ensure compliance with the DPL and Regulation 10; and
  • Any codes, certifications, or principles on which the System relies, such as OECD, UNESCO, NIST, Dubai Digital Authority or relevant regulators’ guidelines.

Data subjects may challenge System outcomes by submitting complaints under the DPL. Deployers and Operators must ensure Systems facilitate the effective exercise of rights and must be able to explain processing in non‑technical terms with appropriate supporting evidence.

Evidence, Risk Controls and Registers

Deployers and Operators must be able to produce evidence of:

  • Compliance with applicable audit and certification requirements;
  • Algorithms that trigger human intervention where processing may produce unfair or discriminatory impacts or unjust bias, with associated risk and impact assessments that consider potential High Risk Processing;
  • Algorithms that trigger human intervention when access by competent authorities is required for law enforcement, with risk and impact assessments;
  • Algorithms that trigger human intervention where processing may infringe the digital communication requirements in the DPR, with risk and impact assessments.

Deployers and Operators must also maintain and provide a register of System use cases and processing activities, including necessity and proportionality, access mechanisms for data subject rights, whether the System is used to make automated decisions, the third parties or requesting authorities with whom personal data is shared and under which lawful bases, the locations of those parties, and export safeguards.

Misleading notices or misstatements about certifications and adherence to principles may trigger investigation and enforcement.

Principles and Certification

Systems must be designed to be ethical, fair, transparent, secure, and accountable. The Commissioner anticipates a permissive certification‑based regime rather than licensing. General certification requirements will be set in future guidance (expected in 2026), with specific and stricter requirements for High Risk Processing. Once established, all Systems must comply with applicable audit and certification requirements.

A System may be used only if it processes personal data for human‑defined or human‑approved purposes or for System‑defined purposes that are strictly based on human‑defined principles and within human‑defined constraints. Systems capable of dynamically generating purposes must remain bounded by those hard-coded human principles.

High Risk Processing

No person may use, operate, provide or offer a System to engage in High Risk Processing unless:

  • The Commissioner has established audit and certification requirements for such Systems (further guidance expected in 2026);
  • The System processes personal data solely for human‑defined or human‑approved purposes; or
  • The Deployer or Operator has appointed an Autonomous Systems Officer (“ASO”) with substantially similar status, competencies and tasks to a DPO under the DPL. The ASO’s role mirrors the DPO’s focus on governance, DPIAs, risk review with senior management and recommendations for accountability and compliance.
