Landmark Decision by United Arab Emirates DIFC in CCPA Data Protection Adequacy Decision

Kathryn Rattigan
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

Earlier this month, the Commissioner of Data Protection of the Dubai International Financial Centre (DIFC), a financial free-zone in the United Arab Emirates (UAE), issued the first adequacy decision regarding the California Consumer Privacy Act (CCPA), which recognizes the CCPA as an equivalent to the DIFC Data Protection Law (DIFC Law No. 5 of 2020, as amended the DIFC DPL).

This decision allows businesses to transfer data between the DIFC and companies located in California, in accordance with the DIFC DPL, without any additional contractual measures. In the DIFC Commissioner’s public statement about this decision, he said, “The importance of additional safeguards for imported personal data is evidenced by the factors set out in published adequacy protocols as well as the DIFC Ethical Data Management Risk Index (EDMRI) and due diligence tool. In evaluating California’s privacy law and regulations, together with implementation, enforcement, and other holistic factors, it became clear that in large part, California importers will treat personal data from DIFC ethically and fairly.” This decision will also likely serve as precedent for the DIFC to establish a similar relationship with other U.S. states. As of today, there are only 49 establishments and/or locations (countries, jurisdictions, and organizations) subject to an adequacy decision by the DIFC.

The decision comes as a result of an assessment by the DIFC commissioner of the grounds for lawful and fair processing of data under the CCPA, the existence of data protection principles and data subjects’ rights, international and onward data transfer restrictions, measures regarding security of processing, and breach reporting and accountability. To read the full decision, click here.  

However, since the CCPA does not have a provision related to the transfer of personal information outside of California or the U.S., DIFC exporters that send personal information to a California-based importer under the decision would still need to ensure that the onward transfer of such personal information is safeguarded. Additionally, this decision will be reviewed annually by the DIFC Commissioner to ensure that the CCPA’s protections still meet expectations.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide