DIFC Issues First-of-its-Kind Adequacy Decision on The California Consumer Privacy Act
Mita Srinivasan
Legal
Published:

DIFC Issues First-of-its-Kind Adequacy Decision on The California Consumer Privacy Act

The decision facilitates personal data transfers between DIFC and California-based entities in accordance with the DP Law 2020, without having to apply additional contractual measures. It also sees DIFC setting a first-time precedent for building similar relationships with various US states.

The Commissioner of Data Protection of the Dubai International Financial Centre (DIFC), has issued a first-of-its-kind adequacy decision regarding the California Consumer Privacy Act of 2018, a standalone data protection law (CCPA). The CCPA was amended by the California Privacy Rights Act of 2020 (CPRA) which took effect on 1 January 2023 (together ‘Amended CCPA’). The decision establishes a determination of the Amended CCPA’s equivalence with the Data Protection Law, DIFC Law No. 5 of 2020 (DP Law 2020).

The decision, which is in line with DIFC’s commitment to drive privacy and data protection by continuously strengthening its knowledge of cross-border enforcement best practices, facilitates personal data transfers between DIFC and California-based entities in accordance with the DP Law 2020, without having to apply additional contractual measures. It also sees DIFC setting a first-time precedent for building similar relationships with various US states.

The DIFC Commissioner’s Office recognises the Amended CCPA and the California Privacy Protection Agency (CPPA) as an international organisation ensuring adequate data protection for purposes of personal data processed and transferred by the entities that it supervises.

Jacques Visser, DIFC Commissioner of Data Protection, commented, “The importance of additional safeguards for imported personal data is evidenced by the factors set out in published adequacy protocols as well as the DIFC Ethical Data Management Risk Index (EDMRI) and due diligence tool. In evaluating California’s privacy law and regulations, together with implementation, enforcement and other holistic factors, it became clear that in large part, California importers will treat personal data from DIFC ethically and fairly.”

The Amended CCPA gives consumers control and protection over personal data collected by businesses with built-in methods for confining data collection and processing to what is fair and lawful, and necessary, in adherence with global data protection standards as well as the Commissioner’s objectives in administering the DP Law 2020.

Hala Harb, associate at BSA Ahmad Bin Hezeem & Associates added that “the adequacy decision will significantly facilitate the transfer of personal data to the US, which will enhance cooperation and collaboration between different entities of the same group, allow businesses to easily store data on cloud servers located in the US and therefore considerably reduce cost. We believe this adequacy decision will undoubtedly attract the incorporation in the DIFC of further US businesses, notably tech companies offering digital services and products.”

The adequacy decision issued by the DIFC Commissioner comes following the amendments introduced to the California Consumer Privacy Act (CCPA). These CCPA amendments included additional privacy protections to consumers, bringing the CCPA closer to global privacy standards.