UAE’s DIFC Issues Adequacy Decision Recognizing CCPA for Cross-Border Data Transfers

Once a closely guarded secret, personal information now roams across continents due to the expanding digital landscape. The free exchange of such valuable data has enabled innovation and collaboration at an unprecedented scale. However, it has also started a debate about enabling secure data exchange across national borders while respecting individuals' rights to privacy. Here, cross-border data transfer regulations come into the picture.

The Dubai International Financial Centre’s (DIFC) landmark adequacy decision regarding the California Consumer Privacy Act 2018 (CCPA), as amended by the California Privacy Rights Act 2020 (CPRA), adds a fascinating chapter to this ongoing saga. The recent move by DIFC will enable the free flow of information from DIFC to entities in California, US. The landmark decision was announced via a press release on August 9, 2023.

DIFC Adequacy Decision for Data Transfers to California

In August 2023, the Commissioner of Data Protection (Commissioner) of the Dubai International Financial Center (DIFC) released its Assessment of California’s Data Protection Regime as Substantially Equivalent and Low Risk. The assessment recognizes the CCPA’s equivalence with the DIFC Data Protection Law 2020 (DIFC DPL).

The DIFC is a leading financial free zone in the Middle East, Africa, and South Asia (MEASA). The assessment evaluated and recognized that the CCPA provides data protection regulations and measures equivalent to the DIFC DPL. The adequacy decision was based on the DP Law's nine fundamental components, including:

1. Data protection concepts and definitions
2. Grounds for lawful and fair processing of personal information
3. Existence of data protection principles
4. Data subjects’ rights
5. International data transfers
6. Data breach reporting
7. Accountability, redress, and enforcement
8. Data sharing for additional lawful purposes
9. The existence of international commitments and conventions binding on California

The assessment primarily centers around the CCPA, but it further recognizes other California laws and federal regulations containing the same data protection elements, such as California Civil Code sections 1798.83- 1798.84, California Electronic Communications Privacy Act (CalECPA), and Children’s Online Privacy Protection Act (COPPA), to name a few.

The DIFC also recognizes the California Privacy Protection Agency (CPPA) as the regulatory body that ensures adequate data protection measures for the secure transfer of personal information. Another similarity between DIFC and CPPA is that both are members of the Global Privacy Enforcement Network and the Global Privacy Assembly.

Under Observation 5 of the assessment, the DIFC acknowledges that the CCPA doesn’t restrict the cross-border transfer of personal data. However, it does report that the regulation contains the term “transferring” under the definitions of “selling” and “sharing”. Similarly, the CCPA Regulations further require third parties to be contractually bound to comply with the requirements of the CCPA and ensure the same level of data protection as provided in the CCPA for the data received from a foreign jurisdiction.

The adequacy decision requires businesses in the DIFC to consider contractual measures for data transfers made to any entity in California, such as in the form of standard clauses or agreements. The adequacy decision further lists the requirements for the onward transfers made after receiving the data in California from any DIFC-operated business, such as:

• The onward data transfer can be made to only acknowledged regions, such as the UK, the EU, or the DIFC.
• Use of Ethical Data Management Risk Index (EDMRI) tools or other verified technical measures to ensure secure data processing and storage practices.
• Assurance of compliance with similar data protection laws in the receiving region.
• Contractual measures, such as standard clauses.

Comprehensive Implications of the DIFC’s Adequacy Decision

The landmark adequacy decision by the DIFC in favor of the CCPA carries a number of broader implications. For starters, the immediate implication of the adequacy decision is facilitating the free flow of data to the US state of California. As a result, both regions will certainly experience a potential boost in business operations and collaboration.

Another significant implication of the adequacy decision is that it potentially opens doors to the free flow of data to more US states in the future. This is an unprecedented opportunity for both the DIFC and US states’ businesses. The adequacy decision will help regulatory bodies in the US states eventually consider the data transfer policies with the DIFC and reduce the existing compliance complexities.

Streamline Cross-Border Data Transfers with Securiti

Securiti’s Data Command Center is a centralized platform offering deeper intelligence and context into data, enabling organizations to automate data privacy, security, governance, and compliance controls. With the integration of Securiti PrivacyOps, organizations can streamline DSR automation, data mapping, breach notification, privacy notices, consents, and cross-border data transfer policies.

Request a demo to learn how Securiti PrivacyOps can help you ensure compliance with international data transfers.