The Dubai International Financial Centre (“DIFC”) has issued a new Data Protection Law, DIFC Law No. 5 of 2020 (“DIFC DP Law”). This law applies within the jurisdiction of the DIFC only.
In this article, we discuss an entity’s obligations under the DIFC DP Law when it wishes to transfer personal data outside the DIFC.
There are many reasons an entity may wish to transfer personal data to another jurisdiction outside the DIFC. For example, that entity may have a parent, subsidiary or affiliate outside the DIFC (including in onshore UAE). It may need to transfer personal data for administrative purposes, to analyse and monitor that data, to keep records of employee, contractor and client data, or even to provide personal data to third parties for marketing purposes.
Regardless of why the entity is transferring personal data, it is very important that the entity has systems and procedures in place to ensure that personal data is processed only for the purposes, or related purposes, which the data subject expected, unless one of the exemptions set out in the DIFC DP Law applies. Entities should ensure they understand what personal data is being transferred, where it is going and for what reason. Controllers and processors must maintain written records of processing activities (“ROPA”) for the processing for which they are responsible or which they carry out as instructed. The ROPA must contain information that sets this out, including details of the technical and organisational measures applied to the processing.
According to the DIFC DP Law, entities must ensure they protect and safeguard personal data. One primary factor that determines an entity’s obligations under the DIFC DP Law is whether the outside jurisdiction receiving the personal data has a level of protection over personal data which is considered to be adequate or inadequate.
The adequate jurisdictions are set out in Appendix 3 of the DIFC DP Regulations and include the United Kingdom, Europe and the Abu Dhabi Global Market. One jurisdiction which houses affiliates of many entities operating in the DIFC, and which is not considered an adequate jurisdiction, is the United States. The “Privacy Shield” replaced Safe Harbour in 2016 and is a mechanism recognised by the European Commission for transferring personal data between the European Union / European Economic Area and the United States of America. The DIFC does not recognise it, as the DIFC has no equivalent agreement in place for transfers of personal data from the DIFC to the United States of America. Therefore, Privacy Shield cannot be relied upon for transfers from the DIFC to the United States of America.
On this basis, the DIFC DP Law requires that entities implement safeguards for transfers of personal data to jurisdictions such as the United States.
In addition, the Commissioner may determine that a jurisdiction outside the DIFC does have an adequate level of data protection, in its discretion, by taking into account factors including:
If the Commissioner has determined that the third-party jurisdiction does not have an adequate level of protection, a transfer may only take place under certain circumstances, including that:
(A) The controller or processor in question has provided appropriate safeguards, on the condition that enforceable data subject rights and effective legal remedies for data subjects are available. The appropriate safeguards referred to in (A) above may be provided for by factors including:
The Commissioner has provided a set of standard clauses to be applied to contractual or other arrangements that require the transfer of personal data outside the DIFC. They are available on the DIFC website. The standard clauses may not be altered other than to complete basic information or to add commercial requirements. If the entity using the standard clauses contemplates any other alteration to them, the Commissioner should be consulted first and such alterations agreed in writing.
(B) A derogation applies, including:
Where a transfer could not be based on the safeguards or derogations set out above, such transfer may take place only if the transfer:
The DIFC DP Law also covers controller and processor obligations around data sharing (as distinct from data transfers). Data sharing occurs when a government entity requests that the controller or processor share personal data with it. It is common for government organisations or authorities to request data, including personal data, on demand for a variety of purposes. While the Commissioner encourages such sharing, the organisation receiving such a request still needs to consider what controls should be in place to govern the sharing and to ensure that all parties involved will apply them. If the organisation deems a request too broad, it may ask for more specificity or request appropriate, written and binding assurances that the data will be ethically and responsibly managed.
Under the DIFC DP Law, where a controller or processor receives a request from any public authority for the disclosure and transfer of any personal data, it should:
Before personal data is shared in response to a request for information, the relevant entity should consider:
The DIFC DP Law Guide suggests the creation of policies regarding sharing personal data with government entities. Examples are contained on the Commissioner’s website.
An entity may choose, or be required, to transfer personal data outside the DIFC for many reasons, including record keeping and third-party marketing purposes. In all circumstances, the entity must scrutinise what personal data it is sending, to which third parties and for what purposes. Further, the entity should ensure it meets all requirements under the DIFC DP Law, which depend on whether or not the third-party jurisdiction has been determined to have an adequate level of protection in accordance with the DIFC DP Law.