DIFC – Data Protection Law Pioneers

DIFC observes Data Protection Day

The DIFC Data Protection Commissioner’s Office recently engaged in several events to mark Data Protection Day. At a recent edition of a monthly webinar provided through DIFC Academy, the topic was International Data Protection Day. The webinar covered issues such as current data protection best practices and principles, developing issues, what businesses in the region can do to get senior management buy-in and investment in privacy compliance, and tackled individual queries on in an open conversation with participants.

Supporting compliance through innovative tools

Also addressed in the webinar were enhancements to the DIFC DP website, which may enable smaller companies to find plain language information so they can do their own compliance work. The webinar highlighted new tools that DIFC entities can use to comply with the DP Law 2020, including the updated standard contractual clauses (SCCs), and the Ethical Data Management Risk Index (EDMRI). For information about how to approach transfers of personal data outside of the DIFC, the Data Export and Sharing page and Handbook would be particularly helpful.

DIFC’s SSCs and the EDMRI

SCCs

A key area of data sharing and export is the understanding when and how to apply the DIFC SCCs, which are used for the transfer of personal data to countries that may not have an equivalent level of data protection in place. They comprise current thought leadership in international transfers, as well as blending the EU Model Clauses and the UK IDTA. The current DIFC SCCs replace the two sets of clauses previously used. Most importantly, the Handbook clarifies that if other model clauses are required by a different jurisdiction, the Commissioner’s Office will accept the use of such clauses provided very easy to meet conditions are applied.

Ethical data management risk index (EDMRI)

The EDMRI has been created by the DIFC Commissioner’s office to assess holistic risk of data sharing, looking not only at whether a data protection law exists in a country or jurisdiction, but many of the other aspects of the jurisdiction the data is going to, such as whether the company receiving DIFC personal data is properly applying the law in an accountable, transparent way. The key distinguishing factor that makes the EDMRI a powerful tool is that the risk rating of each jurisdiction regards the risk of the importer in that jurisdiction complying with applicable data protection (or even other) laws and regulations, which, if high risk, could severely and negatively impact data subjects and their rights. Moreover, and what is the most forward-thinking aspect of this tool, is that it aims to show any gaps that may exist and constructively challenge generally accepted norms.

The EDMRI+ is a due diligence tool that supplements the guidance in the EDMRI. If an importer is in a high risk jurisdiction, or even if it is not, the EDMRI+ helps the exporter better understand the compliance preparedness of its importers, thereby helping them make better, ethical decisions about exporting personal data. More information on the EDMRI and EDMRI+ is available on the DIFC DP website.

In store for 2023

In the weeks and months following the Data Privacy Day, the Commissioner’s Office is planning more helpful, collaborative outreach and implementing tools to continue the theme set out in the final webinar, including expanding the list of countries reviewed in the EDMRI, for use in decision-making around data transfers outside the DIFC. The most activity in the coming year will be around issuing, and potentially receiving, adequacy recognition by the UK, also known in the UK as creating a Data Bridge.

As a major, highly anticipated move supporting the UK’s post-Brexit plans for building strong international relationships of its own, the UK’s first six priority partners include the DIFC, which is the only jurisdiction in the Middle East being assessed, standing amongst leading global economies such as the United States and Australia. The aim is to demonstrate that the DP Law 2020 is substantially equivalent to the UK’s data protection law. It will also confirm that DP Law 2020 is fair and effective enough to protect UK-originating data being processed by entities in the Centre.

In simple terms, such recognition results from an assessment that determines whether the data protection law in one jurisdiction is equivalent to the law of the assessing jurisdiction. Recently, the UK government and DIFC leadership issued a joint statement noting the significant progress made in building a Data Bridge, and how completion of this important project will result in free flow of data with trust between DIFC and UK-based companies.

Recently, the DIFC DP Commissioner’s Office issued its own decisions recognising the equivalence of Colombia’s data protection law, Statutory Law 1266 of 2008, as well as Singapore’s Personal Data Protection Act, Republic of Korea’s Personal Information Protection Act, and the APEC Cross-Border Privacy Rules (CBPR). The Commissioner’s Office has been an active participant in meetings with APEC Member Economies to establish the Global CBPR Forum as well, and plans to continue this work through the year.

Additional projects include continued exploration into the possibility of multilateral equivalence through the use of emerging technology, as well as thematic assessments and reports, and building a thriving community of privacy professionals, all of which are geared toward supporting DIFC’s main objective, sustainability for the future of finance.