Dubai International Financial Centre Issues Adequacy Decision Approving Cross-Border Transfers of Personal Information to California

BakerHostetler

On Aug. 9, the Commissioner of Data Protection of the Dubai International Financial Centre (DIFC) issued an “Assessment of California’s Data Protection Regime as Substantially Equivalent and Low Risk” (the Decision) establishing the equivalence of the California Consumer Privacy Act (CCPA) with the DIFC Data Protection Law. This marks the first time a foreign government has recognized a U.S. state as providing adequate data privacy protections, and allows for the free flow of personal information between the DIFC and the state of California.

The DIFC Data Protection Law applies to personal information processed by businesses incorporated in the DIFC as well as those that process personal information in the DIFC as part of stable arrangements, other than on an occasional basis. Processing “in the DIFC” occurs when “the means or personnel used to conduct the [p]rocessing activity are physically located in the DIFC.” Among other protections, the DIFC Data Protection Law provides that a transfer of personal information to a recipient located in a jurisdiction outside the DIFC may take place only if that jurisdiction is deemed to have an adequate level of protection for the personal information. The DIFC has previously declared adequacy with a number of countries, including the EU countries, the United Kingdom, Canada, Argentina, Israel, Korea, Japan and Singapore. In 2021, the DIFC announced that it would permit transfers of personal information to the United States from DIFC-based firms that are registered or otherwise regulated by the U.S. Securities and Exchange Commission. The DIFC was clear, however, that this did not constitute an adequacy decision. Now, for the first time, a U.S. state has joined the ranks of countries deemed by the DIFC to have adequate consumer data protection laws.

The Decision

The Decision examined the CCPA and other California privacy laws according to nine “fundamental data protection principles and criteria,” including grounds for lawful and fair processing of personal information, controller and processor obligations, rights afforded to data subjects, security and data breach reporting, and the existence of international commitments and conventions binding on California or its membership in multilateral or regional organizations. While the Decision centered on the CCPA, it also considered other California laws that include data protection elements, including California’s “Shine the Light” law and the California Electronic Communications Privacy Act, as well as the California Constitution. The Decision also cites various federal privacy laws, such as the Children’s Online Privacy Protection Act, the Health Insurance Portability and Accountability Act, the Telephone Consumer Protection Act, the Fair Credit Reporting Act, and the Gramm-Leach-Bliley Act.

Ultimately, the DIFC concluded that “California’s laws and regulations, as well as the cultural and environmental approach to privacy and redress, align with the DIFC [Data Protection] Law 2020 such that transfers to California will receive the same or substantially equivalent protection by importers subject to the CCPA.”

As the Decision acknowledges, the CCPA provides privacy rights only to California residents (and not to residents of other states or foreign countries). Moreover, unlike the DIFC Data Protection Law, the CCPA does not impose limits on cross-border transfers of personal information. Though not expressly stated, the Decision seems to imply that businesses seeking to rely upon it should ensure that the protections of the CCPA are applied to all personal information the business exports from the DIFC, whether or not that information would otherwise be covered by the CCPA. This includes protecting the information when it is transferred outside of California or to vendors engaged in processing the information. Among other steps, the Decision recommends meeting this requirement through appropriate contractual measures in the form of standard clauses or a data processing agreement, transferring personal information only to other jurisdictions deemed adequate by the DIFC, and using verified technical and organizational measures to ensure the secure storage and processing of personal data. For many businesses, the simplest method may be to rely on the CCPA’s requirements for service providers and contractors to ensure that when personal information is disclosed, the recipient is obligated to treat the personal information in accordance with the CCPA.

The Decision is subject to annual review and reconfirmation, and can be repealed, amended or suspended at any time.

Broader Implications

This first-of-its-kind decision singles out California as the only U.S. state with a data protection regime adequate for cross-border transfers with a foreign regime. The Decision also cuts against a recent trend toward data localization and restrictions on cross-border transfers – exemplified by the increasing limits on transfers from China brought about by that country’s Personal Information Protection Law as well as hurdles to exporting personal data from the EU following the Schrems II decision. While it is unlikely that China or the European Union will follow the DIFC’s lead and issue an adequacy decision for California, the Decision may influence other countries to do so.

It remains to be seen whether the DIFC will issue adequacy decisions for other U.S. states with comprehensive privacy laws, such as Colorado, Connecticut and Virginia. In the meantime, the Decision places California at the forefront of international data transfers to the United States and will be helpful for businesses subject to both the CCPA and the DIFC Data Protection Law. Unsurprisingly, the California Privacy Protection Agency, whose board has previously discussed the prospect of adequacy for California in its push to avoid preemption of the CCPA by a potential federal privacy law, welcomed the decision as one that recognizes California as “the de-facto leader in privacy in the U.S.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
