DIFC: Proposed updates to data transfer guidance materials - part one
In light of global developments around data protection, specifically the cross-border transfer of data, the Dubai International Financial Centre ('DIFC') seeks to provide enhanced tools to equip businesses and ensure compliance with both DIFC and international standards. Being a global business hub, the DIFC is home to international players that undertake both inward and outward data flows, placing these businesses at the crossroads of multiple jurisdictions when it comes to data compliance.
The DIFC has recently proposed updates to its data transfer guidance materials, namely the Standard Contractual Clauses ('SCCs'), the Ethical Data Management Risk Index ('EDMRI'), and the Data Export and Sharing Handbook ('DES Guide'). Dr. Laura Voda and Maquelin Pereira, from Fichte & Co Legal Consultants, provide an overview of the proposed updates and evaluate their impact in meeting the goals of the Data Protection Law, DIFC Law No. 5 of 2020 ('the Law').
The transfer of personal data outside of the DIFC may be made in accordance with Article 26 of the Law, where the transfer is to a third country or international organisation with an adequate level of protection, and in accordance with Article 27, where an adequate level of protection is absent. If the conditions prescribed under these Articles are not met, the transfer is then 'restricted' or in violation of the Law.
Adequacy recognition is a determination by the Commissioner of Data Protection ('the Commissioner') that the legal framework in the third country or international organisation provides a similar or equivalent level of protection for personal data. A list of jurisdictions considered adequate is available on the DIFC website. Prima facie, this enables exporting entities within the DIFC to make a restricted transfer to an entity within a jurisdiction considered adequate, provided the other requirements of the Law are met.
In the event that data is to be transferred to jurisdictions that are not considered as 'adequate', the DIFC directs businesses to use other appropriate safeguards laid down in the Law, which essentially create similar conditions to those in the DIFC. One such safeguard is a contract between the data exporter in the DIFC and the data recipient incorporating the DIFC SCCs to ensure protection of the data transferred.
The SCCs have been updated in line with the 2021 revision of the EU Model Clauses, which was necessitated by the decision of the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In this case, the CJEU invalidated data sharing from the EU to the US under an arrangement called the Privacy Shield; consequently, all transfers from the EU to the US were deemed illegal, thus impacting any onward transfers to the DIFC as well. Because cross-border data sharing can impact multiple jurisdictions, it is essential that all the safeguards under the Law are undertaken by the DIFC entity. The SCCs, being a contractual measure, are the more commonly used means of applying appropriate data protection principles to what would otherwise be considered a restricted transfer.
The current SCCs have done away with the previously applicable distinct requirements for processors and controllers and have now adopted a unified document applicable to all data exporting entities. This is in accordance with the Commissioner's view that the Law, barring minor differences, largely creates similar obligations on the controller and the processor. Where a particular clause can be shown to be inapplicable, the parties will not be held liable.
The DIFC, having relied upon the EU Model Clauses and the UK's International Data Transfer Agreement, created the DIFC SCCs, which deviate slightly from the EU clauses in the format of the contract. The DIFC has based the contract on the concept of 'one module, no choosing', as distinct from the four-option module structure provided by the EU. Unlike its EU counterpart, the DIFC SCCs give data subjects the right to enforce these clauses, even if they are not a party to the contract for data transfer. The SCCs cannot be amended by the parties to the contract and have to be adopted as a whole, bringing uniformity to the application of these contracts. The DIFC SCCs not only ensure compliance with the Law, but also aim to comply with laws such as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
The EDMRI is the proposed risk index to assess the risks of other data protection regimes in a holistic manner, including risks such as those negatively affecting data subjects' rights, of data breach or loss, and of contravention of the local data protection law. The proposed tool aims to guide companies as to the requirements of processing data in that particular jurisdiction. A distinctive feature of the EDMRI is that it also evaluates risks in jurisdictions which are already considered as possessing 'adequate' data protection laws. The risk is measured on a scale ranging from 'Low Risk' to 'Very High Risk' jurisdictions.
The risk assessment requirements in the EU also mandate companies to conduct Transfer Impact Assessments ('TIAs') when using the EU SCCs, directing companies to evaluate on a case-by-case basis the adequacy of protection of personal data in another jurisdiction, which is consistent with the approach of the DIFC as well. However, if the European Commission has already declared the jurisdiction adequate, the business entity need not take any further steps. On this aspect, the DIFC is more stringent, allowing businesses to insist on additional safeguards even if the jurisdiction is deemed adequate by any supervisory authority. The rationale is that an adequacy decision does not ensure that the business entity is compliant with the laws within the jurisdiction.
A modified version of the EDMRI, called the EDMRI+, further enables DIFC exporters to conduct due diligence on data importers in other jurisdictions. It is a tool to assess the importing entity rather than the host jurisdiction which would be assessed under the EDMRI. The tool enables DIFC exporting entities to conduct due diligence on importers of data in third countries, and even challenge the Commissioner's rating based on their own survey results. The proposal lays down simple yes/no questions which will lead to a determination of adequacy of protection within that importing entity. The Commissioner's Office solicits views on the usage of this tool, specifically if such assessment should be mandatory particularly in high-risk jurisdictions.
The DES Guide was issued by the Commissioner as guidance on data transfer for business entities and provides a practical explanation of the relevant principles, specifically commenting on Articles 26, 27, and 28 of the Law. The DES Guide is not to be considered legal advice and is targeted at ensuring that businesses understand their obligations with respect to data sharing.
The DES Guide also discusses the obligations of controllers and processors under Article 28 of the Law in providing personal data to any governmental authority. The gist of the requirements under Article 28 is that the entity is given three options to ensure that the data provided to governmental authorities is controlled. The approaches are either unilateral, bilateral, or with the intervention of a third party, in order to ultimately ensure that there is safe and assured data sharing after assessing the risks involved.
The underlying theme across all the developments in relation to data transfer from the DIFC is a holistic evaluation and understanding of the recipient jurisdiction as well as the entity importing the personal data. Businesses are thus required to use the various tools provided by the DIFC in making a determination if the data exported to a third country jurisdiction can be afforded the same level of protection as is afforded to it within the DIFC.
It is contemplated that the tools and guidance are used together in order to achieve the goal of protecting personal data. This would mean that a DIFC entity considers the EDMRI, the EDMRI+, the SCCs, the adequacy decisions of the Commission, the data protection laws in the host jurisdiction, and a host of other factors before finally effecting the transfer of data.
A key takeaway for business entities in DIFC is a higher sense of responsibility placed on the exporter of data from the DIFC to ensure that the importer of data in a third country jurisdiction can afford the level of protection prescribed by the DIFC. All the tools and updates introduced by the Commissioner seek to bring about more compliance with the Law and enable businesses to make an informed decision with respect to data sharing with third parties. As of now, there is no timeline given for the new tools to be brought into effect. The effectiveness of the tools in practice can only be determined with time.