The United Kingdom (UK) is demonstrating its agility on data transfers after leaving the European Union (EU). Through its global data plans and new strategic alliances (i.e., adequacy procedures), the UK is moving ahead to reshape international data flows and the global digital economy. The United States, Australia, the Republic of Korea, Singapore, the Dubai International Financial Centre, Colombia, India, Brazil, Kenya, and Indonesia are the territories with which global partnerships are being sought to boost data-driven growth and innovation.
The UK also wants to maintain a standard of protection that is equivalent to the one in the EU; this is undoubtedly a significant challenge, as indicated in my recent blog about the United Kingdom’s “data challenge” to the EU following the announcement of the UK’s “post-Brexit global data plans to boost growth, increase trade and improve healthcare”. Nevertheless, the UK is positioning itself at the center of the global data-driven economy, in a very determined way, in an attempt to unhinge the balance of global data politics and take the lead.
Following these introductory considerations, in this blog I will focus on the Dubai International Financial Centre’s potential adequacy decision and provide a short summary of DIFC Law No. 5 of 2020.
The UK Department for Digital, Culture, Media & Sport (DCMS) is officially in the process of determining the adequacy of the Data Protection Law, DIFC Law No. 5 of 2020.
The process will look at whether or not the DIFC Law No. 5 is “substantially equivalent” to the UK General Data Protection Regulation and UK Data Protection Act of 2018.
“Substantially equivalent” status would help to ensure free flows of data between the UK and the DIFC and, according to the DIFC itself, would contribute to “reinforc[ing] data flows between the jurisdictions, help build better trade relationships and promote high standards of accountability and transparency in businesses that deal with DIFC entities.” It would essentially signify that the rules established by the DIFC in 2020 provide adequate protections for the data of UK citizens processed in the DIFC.
Assessment by the DCMS
According to the DCMS, the assessments to be carried out will “ensure high data protection standards” and will “build significantly on the £80 billion of data-enabled service exports to these 10 destinations from the UK every year.” It’s interesting to note that the UK already has 42 adequacy agreements in place.
The UK department will therefore employ a “rigorous review process” based on the DIFC’s provision of sufficient evidence and will make the decision in “due course”.
Main points of the Data Protection Law No. 5 of 2020
On 1 June 2020, the Dubai International Financial Centre enacted the Data Protection Law No. 5 of 2020, which from 1 July 2020 replaced the former data protection law. (See this press release for more information.) The Law is said to be inspired by the GDPR and the Californian CCPA thanks to the inclusion of concepts such as accountability, record keeping, the appointment of a DPO, administrative fines, prior consultation requirements, the requirement to carry out DPIAs, the regulation of cross-border transfers, etc.
Under the law, data subjects are endowed with the right to withdraw consent, the right to access, to rectify or to have their personal data erased, the right to object to the processing, the right to restrict the processing, the right to data portability, the right to object to any decision based solely on automated processing, including profiling, etc. Furthermore, data subjects have the right to “non-discrimination”, which forbids discriminating against subjects who have exercised their rights to restrict processing, for example.
The Law’s geographical scope is limited to the Dubai International Financial Centre and “applies to the Processing of Personal Data by a Controller or Processor incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC or not” and to “a Controller or Processor, regardless of its place of incorporation, that Processes Personal Data in the DIFC as part of stable arrangements, other than on an occasional basis. This Law applies to such Controller or Processor in the context of its Processing activity in the DIFC (and not in a Third Country), including transfers of Personal Data out of the DIFC.”
Similar to the GDPR, the law establishes data protection principles and an accountability requirement by which controllers and processors are required to be able to demonstrate their compliance with such principles. It also includes six bases for lawful processing including consent, necessity and legitimate interest, performance of a contract, etc. Law No. 5 of 2020 furthermore requires data controllers to register processing activities with the DIFC data protection commissioner by way of filing a “notification of processing operations”, which must always be kept up to date and published in a “publicly available register maintained by the Commissioner.”
A number of enforcement measures are foreseen, ranging from warnings to “directions” (requiring controllers and processors to stop carrying out certain activities), damages to data subjects, payment of costs incurred to the Commissioner, and fines. The Law also allows the Board of Directors of the Dubai International Financial Centre Authority (DIFCA) to further draft regulations concerning such remedies, liability, and sanctions.