New DIFC Model Clauses of Data Export for Exporters in Non-Adequate Jurisdictions
The DIFC Standard Contractual Clauses (“SCC”) recently issued is intended to serve as the guideline and template that will teach parties entering into a contract, to use the correct wording and language protecting their respective rights and obligations under an export of data from DIFC to a data importer in a non-DIFC jurisdiction with no or unrecognized data protection laws.
The general principle of creating standard clauses is given as a form of guidance for all data users, operators, data subjects or any other related parties to teach them and guide them in facilitating and protecting their proper and respective rights and obligations.
The SCC are prescribed under article 27(2)(c) of the DP law 2020 and in regulation 5 of the Data Protection Regulations 2020. The purpose of these SCC is to ensure compliance with the requirements of the DPL for the protection of individuals with regard to the processing, including transfers, of Personal Data. There is now a set for restricted transfers between a controller and processor. They are based on the sets of model clauses adopted by the European Commission facilitating compliance by group companies and related entities established at different points of the world.
As we notice in recent years where the Court of Justice of the European Union clarified in the “Schrems II” decision that due diligence should be done on the data protection regime of the destination country or organisation prior to making the restricted transfer, it is becoming more and more seen in MENA region that data protection schemes and regimes are being strengthened as well.
One of the main purposes of the SCC is to set guidelines for contractual clauses organizing the relationship between the parties. Moreover, one of the main concerns in the application of data protection laws is painted in the effects and the conditions taking place for a data export, specifically data export in the context that the third-country receiver is a non-adequate jurisdiction or a jurisdiction that does not recognize data protection laws.
Henceforth, the drastic importance given to Standard Clauses resonates with basic risk management of the data export to non-adequate jurisdictions.
Key SCC Clauses
Prohibitive nature of the operation
The DIFC Commissioner of Data Protection (the “Commissioner”) may exercise any existing powers to prohibit or suspend data flows to Third Countries in order to protect individuals with regard to the processing of their Personal Data in cases where:
- it is established that the law in the Third Country to which the Data Importer is subject imposes upon it requirements to deviate from the DPL that results in a substantial adverse effect on the guarantees provided by the DPL;
- another relevant supervisory authority has established that the Data Importer has not respected the DPL or comparable data protection laws and regulations or the standard contractual clauses in the Annex; or
- there is a substantial risk that the Data Processing Clauses in the Annex are not being or will not be complied with and the continuing transfer would result in imminent, grave harm to Data Subjects whose Personal Data is being processed.
Hierarchy of applicability
The SCC provides that in the event of a contradiction between the SCC and the provisions of related agreements between the Parties, the SCC shall prevail. However, it sets other exceptions to this principle in the event the SCC are inconsistent with the terms of the related agreements and the latter provides far way protection than SCC.
There is a possibility of giving access to a third party to the same agreement by signing the appendices and it shall have the same rights and obligations.
The SCC provides certain obligations for data importer and data exporter that should be followed. Amongst the criteria used in executing those obligations are transparency, purpose limitation, accuracy and minimization, storage limitation, duration of the processing and erasure of the data, security of processing, special category data.
The normal procedure would be before the courts of the DIFC as provided under the SCC. However, the data importer may offer independent dispute resolution through an arbitration body only if it agrees to be subject to the Arbitration Law, DIFC Law No 1 of 2008 and DIFC Arbitration Rules, or is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.
There are also other provisions and SCC treating liability, termination and SCC separately applied to take into consideration local laws of the data importer and data exporter and the respective safeguards.
Now, you can make a restricted transfer if you and the recipient have entered into a contract incorporating SCC adopted by the Commissioner. They must be entered into by the data exporter (based in the DIFC) and the data importer (outside the DIFC). The clauses contain contractual obligations on the data exporter and the data importer, and rights for the individuals whose Personal Data is transferred. Individuals can directly enforce those rights against the data importer and the data exporter. We are yet to see the implementation of the SCC and their impact on the market.