DIFC issues first-of-its-kind adequacy decision regarding the California Consumer Privacy Act
- The decision establishes a determination of the Amended CCPA’s equivalence with DIFC’s DP Law 2020 and alignment with global data protection standards
- Facilitates personal data transfers between DIFC and California-based entities in accordance with the DP Law 2020 while protecting consumers
- This move sees the DIFC setting a precedent not only with respect to traditional adequacy determinations issued to date, but for building similar relationships with various US states and the US privacy framework in the future
Dubai, UAE; 9 August 2023: The Commissioner of Data Protection of the Dubai International Financial Centre (DIFC), the leading global financial centre in the Middle East, Africa and South Asia (MEASA) region, has issued a first of its kind adequacy decision regarding the California Consumer Privacy Act of 2018, a standalone data protection law (CCPA). The CCPA was amended by the California Privacy Rights Act of 2020 (CPRA) which took effect on 1 January 2023 (together ‘Amended CCPA’). The decision establishes a determination of the Amended CCPA’s equivalence with the Data Protection Law, DIFC Law No. 5 of 2020 (DP Law 2020).
The decision, which is in line with DIFC’s commitment to drive privacy and data protection by continuously strengthening its knowledge of cross-border enforcement best practices, facilitates personal data transfers between DIFC and California-based entities in accordance with the DP Law 2020, without having to apply additional contractual measures. It also sees DIFC setting a first-time precedent for building similar relationships with various US states.
The DIFC Commissioner’s Office recognises the Amended CCPA and the California Privacy Protection Agency (CPPA) as an international organisation ensuring adequate data protection for purposes of personal data processed and transferred by the entities that it supervises.
The Amended CCPA gives consumers control and protection over personal data collected by businesses with built-in methods for confining data collection and processing to what is fair and lawful, and necessary, in adherence with global data protection standards as well as the Commissioner’s objectives in administering the DP Law 2020.
Jacques Visser, DIFC Commissioner of Data Protection, said: “The importance of additional safeguards for imported personal data is evidenced by the factors set out in published adequacy protocols as well as the DIFC Ethical Data Management Risk Index (EDMRI) and due diligence tool. In evaluating California’s privacy law and regulations, together with implementation, enforcement and other holistic factors, it became clear that in large part, California importers will treat personal data from DIFC ethically and fairly.”
Ashkan Soltani, Executive Director of the California Privacy Protection Agency, added: “We're pleased to be recognised by DIFC. California is set to become the world's 4th largest economy and is the de-facto leader in privacy in the US. This decision further demonstrates the incredible potential created by having strong consumer protections that facilitate responsible trade and innovation.”
The DIFC Commissioner's Office looks forward to working with the CPPA and the California Office of the Attorney General, which shares enforcement of the CCPA with the CPPA.