Earlier this month, the Commissioner of Data Protection of the Dubai International Financial Centre (DIFC), a financial free-zone in the United Arab Emirates (UAE), issued the first adequacy decision regarding the California Consumer Privacy Act (CCPA), which recognizes the CCPA as an equivalent to the DIFC Data Protection Law (DIFC Law No. 5 of 2020, as amended the DIFC DPL).

This decision allows businesses to transfer data between the DIFC and companies located in California, in accordance with the DIFC DPL, without any additional contractual measures. In the DIFC Commissioner’s public statement about this decision, he said, “The importance of additional safeguards for imported personal data is evidenced by the factors set out in published adequacy protocols as well as the DIFC Ethical Data Management Risk Index (EDMRI) and due diligence tool. In evaluating California’s privacy law and regulations, together with implementation, enforcement, and other holistic factors, it became clear that in large part, California importers will treat personal data from DIFC ethically and fairly.” This decision will also likely serve as precedent for the DIFC to establish a similar relationship with other U.S. states. As of today, there are only 49 establishments and/or locations (countries, jurisdictions, and organizations) subject to an adequacy decision by the DIFC.

The decision comes as a result of an assessment by the DIFC commissioner of the grounds for lawful and fair processing of data under the CCPA, the existence of data protection principles and data subjects’ rights, international and onward data transfer restrictions, measures regarding security of processing, and breach reporting and accountability. To read the full decision, click here.  

However, since the CCPA does not have a provision related to the transfer of personal information outside of California or the U.S., DIFC exporters that send personal information to a California-based importer under the decision would still need to ensure that the onward transfer of such personal information is safeguarded. Additionally, this decision will be reviewed annually by the DIFC Commissioner to ensure that the CCPA’s protections still meet expectations.