DIFC Adequacy Decision for the California Consumer Privacy Act
The Commissioner of Data Protection (“Commissioner”) of the Dubai International Financial Centre (“DIFC”) recently issued an adequacy decision establishing equivalence and alignment between the amended version of the California Consumer Privacy Act of 2018 (“CCPA”) which took effect on 1 January 2023. The decision affirms that the amended CCPA is deemed comparable to the Data Protection Law, DIFC Law No. 5 of 2020 (“DP Law”). The alignment plays a pivotal role in streamlining the data transfer process between the DIFC and California-based entities, aligning with the DP Law. Notably, this eliminates the necessity for these entities to implement supplementary contractual measures.
This landmark decision marks a significant stride towards setting a precedent with respect to conventional adequacy determinations issued to date. It lays the foundation for forging analogous relationships with other U.S. states in the future.
There are several practical advantages related to the adequacy decision, with a peak advantage related to strengthening knowledge of cross-border enforcement of best practices and facilitating personal data transfers between both jurisdictions.
The Amended CCPA gives consumers control and protection over personal data collected by businesses with built-in methods for confining data collection and processing to what is fair and lawful, and necessary, in adherence with global data protection standards as well as the Commissioner’s objectives in administering the DP Law.
The issuance of the adequacy decision involved an assessment of the grounds for fair processing, the existence of data protection principles and data subjects’ rights, international and onward data transfer restrictions, measures regarding security of processing, and breach reporting and accountability.
The adequacy decision explicitly highlights that the CCPA does not include a dedicated provision for the cross-border transfer of personal information beyond California or the U.S. As such, the adequacy decision requires that DIFC exporters that send personal data to a California-based importer under the adequacy decision must take measures to ensure that the cross-border transfer of such personal data fulfils all safety and security requirements.
It is further stated that this Decision undergoes an annual reassessment for its relevance. The Commissioner retains the authority to revoke, modify, or temporarily halt this Decision pertaining to California’s privacy regulations, as deemed necessary.