Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

UAE’s DIFC Issues Adequacy Decision Recognizing CCPA for Cross-Border Data Transfers

Published September 29, 2023
Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Listen to the content

Once a closely guarded secret, personal information now roams across continents due to the expanding digital landscape. The free exchange of such valuable data has enabled innovation and collaboration at an unprecedented scale. However, it has also started a debate about enabling secure data exchange across national borders while respecting individuals' rights to privacy. Here, cross-border data transfer regulations come into the picture.

The Dubai International Financial Centre’s (DIFC) landmark adequacy decision regarding the California Consumer Privacy Act 2018 (CCPA), as amended by the California Privacy Rights Act 2020 (CPRA), adds a fascinating chapter to this ongoing saga. The recent move by DIFC will enable the free flow of information from DIFC to entities in California, US. The landmark decision was announced via a press release on August 9, 2023.

DIFC Adequacy Decision for Data Transfers to California

In August 2023, the Commissioner of Data Protection (Commissioner) of the Dubai International Financial Center (DIFC) released its Assessment of California’s Data Protection Regime as Substantially Equivalent and Low Risk. The assessment recognizes the CCPA’s equivalence with the DIFC Data Protection Law 2020 (DIFC DPL).

The DIFC is a leading financial free zone in the Middle East, Africa, and South Asia (MEASA). The assessment evaluated and recognized that the CCPA provides data protection regulations and measures equivalent to the DIFC DPL. The adequacy decision was based on the DP Law's nine fundamental components, including:

  1. Data protection concepts and definitions
  2. Grounds for lawful and fair processing of personal information
  3. Existence of data protection principles
  4. Data subjects’ rights
  5. International data transfers
  6. Data breach reporting
  7. Accountability, redress, and enforcement
  8. Data sharing for additional lawful purposes
  9. The existence of international commitments and conventions binding on California

The assessment primarily centers around the CCPA, but it further recognizes other California laws and federal regulations containing the same data protection elements, such as California Civil Code sections 1798.83- 1798.84, California Electronic Communications Privacy Act (CalECPA), and Children’s Online Privacy Protection Act (COPPA), to name a few.

The DIFC also recognizes the California Privacy Protection Agency (CPPA) as the regulatory body that ensures adequate data protection measures for the secure transfer of personal information. Another similarity between DIFC and CPPA is that both are members of the Global Privacy Enforcement Network and the Global Privacy Assembly.

Under Observation 5 of the assessment, the DIFC acknowledges that the CCPA doesn’t restrict the cross-border transfer of personal data. However, it does report that the regulation contains the term “transferring” under the definitions of “selling” and “sharing”. Similarly, the CCPA Regulations further require third parties to be contractually bound to comply with the requirements of the CCPA and ensure the same level of data protection as provided in the CCPA for the data received from a foreign jurisdiction.

The adequacy decision requires businesses in the DIFC to consider contractual measures for data transfers made to any entity in California, such as in the form of standard clauses or agreements. The adequacy decision further lists the requirements for the onward transfers made after receiving the data in California from any DIFC-operated business, such as:

  • The onward data transfer can be made to only acknowledged regions, such as the UK, the EU, or the DIFC.
  • Use of Ethical Data Management Risk Index (EDMRI) tools or other verified technical measures to ensure secure data processing and storage practices.
  • Assurance of compliance with similar data protection laws in the receiving region.
  • Contractual measures, such as standard clauses.

Comprehensive Implications of the DIFC’s Adequacy Decision

The landmark adequacy decision by the DIFC in favor of the CCPA carries a number of broader implications. For starters, the immediate implication of the adequacy decision is facilitating the free flow of data to the US state of California. As a result, both regions will certainly experience a potential boost in business operations and collaboration.

Another significant implication of the adequacy decision is that it potentially opens doors to the free flow of data to more US states in the future. This is an unprecedented opportunity for both the DIFC and US states’ businesses. The adequacy decision will help regulatory bodies in the US states eventually consider the data transfer policies with the DIFC and reduce the existing compliance complexities.

Streamline Cross-Border Data Transfers with Securiti

Securiti’s Data Command Center is a centralized platform offering deeper intelligence and context into data, enabling organizations to automate data privacy, security, governance, and compliance controls. With the integration of Securiti PrivacyOps, organizations can streamline DSR automation, data mapping, breach notification, privacy notices, consents, and cross-border data transfer policies.

Request a demo to learn how Securiti PrivacyOps can help you ensure compliance with international data transfers.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix View More
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix
The Challenge of Navigating Global Data Privacy Laws In today’s privacy-first world, navigating data protection laws and direct marketing compliance requirements is no easy...
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA) View More
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA)
Delve into Uganda's Data Protection and Privacy Act (DPPA), including data subject rights, organizational obligations, and penalties for non-compliance.
Data Risk Management View More
What Is Data Risk Management?
Learn the ins and outs of data risk management, key reasons for data risk and best practices for managing data risks.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders View More
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Singapore’s PDPA and consent requirements. Stay compliant and protect your business.
View More
Australia’s Privacy Act & Consent: Essential Guide for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Australia’s Privacy Act and consent requirements. Stay compliant and protect your business.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New