The Dubai International Financial Centre (DIFC or the Centre), the region’s international financial center, has formally engaged with the UK’s Department for Digital, Culture, Media and Sport (DCMS) on the Data Protection Law DIFC Law No. 5 of 2020. (DP Law 2020). In addition to the assessments above of DIFC and five other top priority countries, the partnership between DIFC and DCMS is part of the UK’s overall strategy for international data transfers, which includes establishing an International Data Transfers Experts Council. The purpose of this approach is to see if DP Law 2020 is substantially identical to the UK General Data Protection Regulation and the UK Data Protection Act of 2018. (UK DPA). If the DIFC’s Data Protection Law is found to be adequate, it means that it is fair and effective in protecting UK-originating data processed by the Centre’s firms.
Recognition would strengthen data flows between the jurisdictions, aid in developing better trade connections, and encourage enterprises dealing with DIFC organizations to adhere to high standards of accountability and openness.
Arif Amiri, CEO of DIFC Authority, said: “At DIFC, we are committed to implementing best-in-class regulations and standards across all of our business functions, to ensure the provision of integrated financial services commensurate with the needs of our partners. Data protection and the preservation of privacy are key factors that impact the work done by companies working in the DIFC; therefore, we are pleased to cooperate with the UK Digital, Culture, Media, and Sport Department to secure adequacy recognition by the UK and reinforce DIFC’s alignment with international standards. This step would further highlight how DIFC’s practical and effective legal infrastructure serves as a model for data protection in the region and contribute to the consolidation of DIFC’s position as one of the leading financial centres in the world.”
The DIFC’s DP Regulation 2020 is an upgraded version of the GCC region’s oldest data protection law. The initial law was passed in 2004, and it was later changed in 2007. The DP Law 2020 establishes expectations for Controllers and Processors in DIFC in terms of numerous fundamental privacy and security principles, based on UK, EU, and global data protection principles and best practices. It blends other forward-thinking, technology-agnostic notions with comprehensive protections for individuals’ privacy rights by combining best practices from a number of current, world-class data protection regulations. Transferring data from the DIFC to other countries with no or different data protection laws poses a risk to privacy rights, necessitating either acceptance of a jurisdiction’s law as equivalent or “sufficient.”
Under its national data protection law, the United Kingdom has the authority to recognize foreign regulations. The Centre anticipates that the DP Law 2020 would be recognized as compliant enough with the UK DPA as a result of DCMS’s rigorous evaluation procedure of DIFC data transfers and the unique legal and regulatory framework of DIFC as a free zone. The final decision by DCMS will be made in due course, following the completion of the comprehensive, independent investigation.
The assessment procedure is complete, and DIFC has provided enough evidence of the needed aspects.
The DIFC Commissioner of Data Protection, it should be noted, has similar adequate decision-making authority. Please see the Commissioner’s prior announcement from March 2019 about the UK’s continued recognition post-Brexit, as well as the list of jurisdictions that the Commissioner’s Office has already recognized. Additional adequacy determinations of GCC and other regional legislation or cross-border transfer consortia will be released in due course, in addition to engaging with different data protection regulators on promoting data privacy and security within the UAE and abroad.
