The Dubai International Financial Centre (DIFC) Commissioner for Data Protection has issued guidance to DIFC entities on the export of personal data outside the DIFC in light of a landmark data protection ruling by the European Court of Justice (ECJ).
According to both European and DIFC data protection law, personal data may only be exported to jurisdictions that provide an adequate level of protection for that personal data. The DIFC Data Protection Law (DIFC Law No.1 of 2007, as amended) is modeled closely on the EU Data Protection Directive 95/46/EC. “Personal data” for the purposes of the DIFC Data Protection Law includes all information that is processed, or intended to be processed, automatically or which is recorded as part of a relevant filing system and which relates to an identifiable natural person.
On 6 October 2015, the ECJ ruled in Case C-362/14 (the Schrems case) that the EU Commission’s “US Safe Harbor” decision is invalid. The “US Safe Harbor” decision had permitted the transfer of personal data between Europe and the US by establishing that an adequate level of data protection was ensured by the EU-US Safe Harbor scheme.
The ECJ ruling invalidated this EU Commission decision with immediate effect. As a consequence, businesses in Europe are no longer able to rely on the EU-US Safe Harbor scheme as a legal ground for exports of personal data to the US.
Impact of Schrems in the DIFC
The DIFC Data Protection Regulations list the EU-US Safe Harbor scheme as a regime providing an adequate level of data protection for the export of data from the DIFC. The Commissioner’s guidance issued on 26 October 2015 in response to the Schrems case confirms that European data protection laws “continue to be a model for general guidance to the Commissioner in the administration of the Law”. It is further acknowledged that the ECJ’s ruling has provided “cause for the Commissioner to reconsider the adequacy status previously afforded under the Law to US Safe Harbor Recipients”.
The guidance recommends that data controllers seeking to export personal data from the DIFC to the US rely on the alternative data transfer mechanisms provided for in the DIFC Data Protection Law. These mechanisms are a set of conditions that allow transfers to occur by way of derogation from the general prohibition on export. They include cases where the data subject has given written consent to the transfer, where the transfer is necessary for the performance of certain contracts, or where the transfer is necessary for compliance with a legal obligation.
What action should DIFC data controllers take?
All businesses transferring personal data from the DIFC to the US should immediately review the legal basis on which those transfers occur. While the Commissioner acknowledges that discussions are under way between Europe and the US on a so-called “Safe Harbor II”, it is not clear when or how such a new regime would be implemented. As noted above, there are a number of derogations available which a DIFC data controller may not have fully considered when it originally decided to rely on EU-US Safe Harbor. As a first step, these derogations should be checked to ascertain which transfers can be legitimised without further action.
In Europe, most organisations are looking to the EU Commission approved model clauses (“EU Model Clauses”) as a solution. While the Law and Regulations contain no formal recognition of DIFC-approved model clauses, the DIFC Commissioner’s general guidance on the DIFC Data Protection Law states that the use of “appropriate contractual clauses” may be considered an adequate safeguard on the basis of which the Commissioner may grant a permit for the transfer under Article 12(1)(a) of the Law. Similarly, if the data controller can show the Commissioner that it applies binding codes of corporate conduct (known as “binding corporate rules” in European data protection law), this would also likely be considered an adequate safeguard by the Commissioner.
All organisations in the DIFC should review existing and proposed data transfers, consider the potential risks and ensure that the transfers are compliant with the law.