On August 7, 2023, the Commissioner of Data Protection of the Dubai International Financial Centre (the DIFC), a financial free-zone in the United Arab Emirates, issued the first adequacy decision regarding the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, the CCPA), recognizing the essential equivalence of the CCPA with the DIFC Data Protection Law (DIFC Law No. 5 of 2020, as amended the DIFC DPL). Importantly, the issuance of the decision helps to facilitate the transfer of data between the DIFC and entities based in California in accordance with the DIFC DPL without requiring such entities to apply additional contractual measures. Furthermore, the Commissioner’s press release expressly notes that the issuance of the adequacy decision may serve as a precedent for the DIFC establishing a similar relationship with other U.S. states. California is now one of 49 countries, jurisdictions or organizations subject to an adequacy decision by the DIFC (the full list can be found here).
The issuance of the adequacy decision involved an assessment by the Commissioner of California’s data protection regime through a review of California’s laws and regulations that included the CCPA as well as other laws and regulations with privacy features at the state and federal level. The assessment included, but was not limited to, consideration of the grounds for lawful and fair processing, the existence of data protection principles and data subjects’ rights, international and onward data transfer restrictions, measures regarding security of processing and breach reporting and accountability. In its 32-page adequacy decision, the Commissioner outlined nine key observations regarding the California data protection landscape, setting out a detailed assessment underpinning the basis of its adequacy decision. For example, the Commissioner pointed to the fact (i) the CCPA sets out various data subject rights, key obligations on businesses and lawful grounds for processing personal data, (ii) the California Offices of the Attorney General have taken “extensive measures” to investigate compliance with the CCPA and (iii) the California Privacy Protection Agency is a member of the Global Privacy Assembly and Global Privacy Enforcement Network, both of which are organizations where the DIFC Commissioner’s Office is also a member.
The adequacy decision expressly notes, however, that the CCPA does not have a provision dedicated to the transfer of personal information outside of California or the United States. As such, the adequacy decision requires that DIFC exporters that send personal data to a California-based importer under the adequacy decision would need to ensure that the onward transfer of such personal data is safeguarded. In addition, the Commissioner recommends that the decision be reviewed and reconfirmed annually where appropriate and further confirms that the Commissioner may amend or suspend the decision at any time.
We continue to monitor developments in this area. Please do reach out to any member of the team to discuss the implications of the adequacy decision for your business further.