DIFC: Proposed updates to data transfer guidance materials - part two
In this Insight Article, Laura Voda and Maquelin Pereira, from Fichte & Co Legal Consultancy, provide an update to part one of this series. As discussed previously, the Dubai International Financial Centre (DIFC) has a collection of tools for data processors and controllers to rely on, in terms of protection of data, specifically when they are transferring data outside of the DIFC.
There have been considerable developments in the past year in relation to data transfer tools in the DIFC. The DIFC has updated the Ethical Data Management Risk Index (EDMRI) guidance in August 2022, October 2022, and most recently in April 2023. Additional developments include the publication of the Abbreviated Article 27 Standard Contractual Clauses (Abbreviated SCCs) as well as the Guidance on Article 24 Clauses and Abbreviated SCCs (SCC Guidance) in June 2023.
In light of these developments, it is fitting to provide an overview of the data protection and data transfer mechanism in DIFC. This Insight Article will delve into the transfer tools that can be used by entities in the DIFC and the procedures to be followed when transferring data outside the DIFC. These enhanced procedures aim to ensure that data transfers are conducted in a manner that safeguards the personal data of the data subject.
Data protection laws across the world have mechanisms for safely sharing personal data across borders. The DIFC closely follows the UK model and as such, similarities can be found in the tools used in both jurisdictions.
The EDMRI guidance
The objective of EDMRI updates is to include more jurisdictions within the Index, providing exporters with information on the risks involved in specific regions. The EDMRI guidance provides risk ratings for various jurisdictions, including a thorough analysis of risk factors and compliance indicators. It is worth noting that some jurisdictions with a data protection law may still be categorized as high-risk if importers within those countries do not comply with the laws. The EDMRI continues to be updated regularly, and other countries' ethical data management environments are being evaluated at the moment. The EDMRI and its modified version (EDMRI+) serve as valuable tools to assist exporters in DIFC in making ethical decisions about exporting data.
The EDMRI+ Due Diligence Risk Assessment is not yet mandatory; however, the DIFC urges exporters of personal data to consider it when transferring data to an importing entity. The EDMRI+ supplements the EDMRI and is used to assess, holistically, the compliance risk of a specific business in a given jurisdiction rather than the jurisdiction alone. The questions within EDMRI+ give the data exporter a broad understanding of the level of risk that sharing personal data with a particular importing entity entails. If the risk factors are high, the exporter must take steps to mitigate those risks before transferring.
The SCC guidance
The goal of the Standard Contractual Clauses (SCC) guidance is to assist controllers and processors in implementing the Article 24 clauses and the Abbreviated SCCs, and to guide entities on the circumstances under which these become applicable. To achieve this goal, the SCC guidance provides a flowchart to understand the requirements for data transfers. The parties can determine their obligations merely by answering simple Yes/No questions, and, in the end, decide if the transfer of personal data is permitted or not and the conditions that must be met for the transfer.
If the parties do not adopt the SCCs when required, the transfer of personal data will not be permitted. Furthermore, if the UK or the EU is involved in the transfer chain, the respective UK or EU SCCs may be used. If neither of these jurisdictions is involved, it is recommended to use the DIFC SCCs.
Article 24 data protection clauses
The SCC guidance also provides clarity on the usage of the Article 24 clauses. These data protection clauses are intended to be inserted into a contract where the existing contract between the parties has no data protection section and the scope of work under the contract involves the processing of personal data. The clauses cover all the requirements of the Data Protection Law, DIFC Law No. 5 of 2020 (the Law), with the aim of giving the parties sufficient contractual power to safeguard the rights of data subjects. If data protection is already provided for in the contract, it is sufficient to check that the requirements of Articles 23 and 24 of the Law are met. It is not mandatory to use these clauses in their given form, and the Data Protection Commissioner's (the Commissioner) Office will consider and accept the use of alternative clauses if the conditions laid down under the Law are met.
Article 24 mandates that when personal data is processed on behalf of a controller by a processor, and where applicable, a subprocessor, a legally binding written agreement must exist between the parties which should lay down minimum contractual protections as specified in Article 24(5).
The guidance provides drafting notes for these clauses, under which parties can modify the clauses based on their specific circumstances; references to data protection laws include UK and EU laws as well. Where personal data is transferred to a jurisdiction that does not provide adequate protection, the parties must supplement the current contract with the Standard Contractual Clauses (SCCs) approved by the DIFC.
Article 27 provides for the implementation of appropriate safeguards for data transfers outside the DIFC when an adequate level of protection is not available in the host jurisdiction. One such safeguard is the SCCs, which need to be appended to the agreement between the exporter of personal data and the importing entity.
Business entities in the DIFC, especially those with a presence in various jurisdictions across the globe, must comply with data protection principles and exercise the utmost caution when conducting cross-border data transfers.
Since the DIFC heavily relies on data protection principles as applied in the EU and the UK, parties can choose from the DIFC SCCs, UK SCCs, EU SCCs, or other SCCs provided by the importer or exporter. Similar to the DIFC Abbreviated SCCs, the UK International Data Transfer Agreement (IDTA) provides for a pre-filled form where parties can enter details as applicable. These forms are designed to reduce compliance burdens and make compliance with data protection legislation easy, even for small businesses.
The Abbreviated SCCs come with pre-filled Annexes and serve to reduce the documentation required to comply with data protection law. These Annexes must be added as a schedule or appendix to the relevant agreement between the parties. The introductory language of the Abbreviated SCCs, or a similar provision, may be included in that agreement to provide that the selected SCCs are deemed to be appended to the general framework agreement between the parties. The only election left to the parties concerns subprocessors, where they must choose between two options: specific prior authorization or general written authorization. The other clauses of the SCCs remain applicable as is, with the parties only needing to fill in the information within the Annexes.
In the event of a conflict between the SCCs and any agreement between the parties, the provisions of the SCC will prevail, unless the agreement between the parties provides greater protection for the data subject's rights.
There are three Annexes to the Abbreviated SCCs, the first requiring details relating to the personal data, including the category of data processed, category of the data subject, parties processing the data, nature and purpose of the processing, retention period, etc. The second Annex lists the technical and organizational measures implemented by the data importer to ensure an appropriate level of security. The third Annex requires a list of processors and/or subprocessors, along with a record of subprocessing activity.
As can be seen from the various data transfer tools provided in DIFC, the focus is on protecting the rights of the data subjects when there is a cross-border data transfer. Especially in cases where the jurisdiction does not provide an adequate level of protection, the DIFC tools ensure that data transfer is still carried out ethically, keeping in mind obligations under the Law.
Business entities in the DIFC should use the EDMRI and EDMRI+ to assess the risk of a data transfer and take steps to mitigate any risks identified. Though not mandatory, usage of these tools shows that the data exporter has taken reasonable steps towards compliance with the Law. All of the tools are aimed at making compliance easier for DIFC business entities, and the DIFC has made considerable progress towards this goal.