DIFC: DIFC launches public consultation on updated guidance materials for data transfers
The Dubai International Financial Centre ('DIFC') issued, in April 2022, a consultation paper seeking public comments on its proposal to issue updated guidance materials regarding the proposed Ethical Data Management Index research and methodology ('EDMRI'), the Standard Contractual Clauses ('SCCs'), and the updated Data Export & Sharing Handbook ('the Handbook') regarding obligations under Article 28 of the DIFC Data Protection Law No. 5 of 2020 ('the Law'). In particular, the DIFC highlighted that the EDMRI is the Office of the Commissioner's ('the Office') own risk index to guide companies in determining additional, enhanced due diligence and contractual requirements that should be implemented when processing personal data in a specific environment.
Furthermore, the DIFC added that the EDMRI was created to help companies, as well as the Office itself, assess jurisdictions for holistic risk, including being equivalent to the data protection law (if there is one), government and law enforcement access to personal data, and also including all other critical elements that may make up for a lack of a data protection law, and promote a commitment to privacy obligations nonetheless. Notably, the DIFC highlighted that unlike the European Data Protection Board's ('EDPB') recommendations following the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), the DIFC takes the approach that EDMRI risk assessments may be conducted regardless of whether the third country is deemed adequate by the supervisory authority. In this regard, the consultation paper further explains with examples how DIFC entities may make use of the EDMRI and sets out the proposed EDMRI assessment questions.
Moreover, the DIFC specified that in connection with the EDMRI, the Office solicits views on the following:
- proposed questions to be added to the EDMRI for use by DIFC entities when conducting 'importing entity due diligence' or 'prior company adequacy audits'; and
- whether conducting the EDMRI assessment should be mandatory and when, i.e., when exporting to a high to very high risk jurisdiction.
Furthermore, with regards to the DIFC's updates to the Handbook, the DIFC noted that, among other things, the Handbook contains guidance on how to apply Article 28 of the Law, as well as information on practical application of the revised DIFC SCCs.