InfoBytes Blog

Dubai to facilitate personal data transfers with California-based entities

On August 9, the Dubai International Financial Centre Authority (DIFC) Commissioner of Data Protection issued a “first-of-its-kind” adequacy decision, declaring California’s data protection regime as “substantially equivalent and low risk.” The DIFC deemed the California Consumer Privacy Act (CCPA) of 2018, as amended by the California Privacy Rights Act of 2020, equivalent to DIFC’s DP Law 2020—opening the door to facilitate personal data transfers between DIFC and California-based entities without the need to apply additional contractual measures. The DIFC further noted that CCPA Regulations provide procedures, guidance, and clarity on the requirements of the CCPA and highlighted the key aspects of CCPA, including (i) concepts and definitions; (ii) breach notification requirements; (iii) enforcement authority; (iv) notifications to the commissioner; and (v) commissioner authority and objectives. The DIFC’s decision outlines nine observations regarding California’s data protection regime that informed its adequacy decision. In its press release, the DIFC noted that the CCPA “gives consumers control and protection over personal data collected by businesses” and limits data collection and processing to what is fair, lawful, and necessary. The DIFC added that this adequacy decision sets a precedent for Dubai to build “similar relationships with various US states and the US privacy framework in the future.” 

Privacy, Cyber Risk & Data Security State Issues CCPA UAE DIFC California