Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms

The Dubai International Financial Centre’s ("DIFC") data protection authority has published its proposals for updated tools and guidance on international data transfers. A consultation on these proposals by the DIFC Commissioner’s Office ("Commissioner’s Office") opened in April 2022.

Following recent EU and UK updates to standard contractual clauses ("SCCs") for international transfers of personal data, the Commissioner’s Office has drafted a simplified and compatible set of SCCs for entities conducting transfers to or from the DIFC. The Commissioner’s Office has also updated its guidance on businesses’ obligations with respect to transfers, reducing reliance on adequacy decisions made by the Commissioner’s Office and requiring businesses to be more proactive in assessing data protection risks. Whilst this shift has the potential to increase businesses’ compliance burden, the Commissioner’s Office seeks to alleviate that burden by publishing a jurisdiction-by-jurisdiction privacy risk index.

Standard Contractual Clauses

The DIFC’s current SCCs are based on the EU’s old SCCs which cannot be relied upon for EU-third country transfers after 27 December 2022. The DIFC’s proposed amendments under Article 28 DIFC Data Protection Law No. 5 of 2020 will bring the SCCs in line with the new EU SCCs, published on 7 June 2021 ("new EU SCCs"), and the UK’s new documentation for international data transfers which came into force on 21 March 2022.

The DIFC has drafted its revised SCCs on a ‘one module, no choosing’ basis which seeks to be compatible with the latest EU and UK documentation. The new EU SCCs utilise a four module template, requiring contracting parties to choose the module which describes the relevant controller/processor transfer relationship, while the UK's transfer documents require various choices to be made within the templates. In the proposed DIFC SCCs there is limited need to select clauses when entering into the SCCs. In theory, this makes the process of putting the documentation in place more simple. In practice, however, data exporters and data importers will need to be clear on their controller/processor relationships from the outset in order to implement the appropriate provisions of the SCCs.

It is intended that the SCCs are used in conjunction with EDMRI and EDMRI+ (see below), either on their own or in addition to another international data transfer mechanism such as adequacy decisions made by a supervisory authority about the data protection laws and regulation in force in a third country.

Ethical Data Management Index Research and Methodology ("EDMRI")

The EDMRI is the Commissioner’s Office’s proposed risk index, to be used to assess the data protection risks posed by other jurisdictions' data protection regimes – whether or not such jurisdictions have adequacy decisions in place.

This goes further than the European Data Protection Board’s recommendation that companies relying on adequacy decisions need only monitor whether the adequacy decision remains valid. The Commissioner’s Office places the onus on businesses to assess risk and employ controls, noting that an adequacy decision does not guarantee that a party to a data transfer is compliant with the relevant data protection laws and regulations. The EDMRI will collate information about various risk metrics (such as data protection law equivalence and government or law enforcement access to data) for businesses to use when assessing whether to employ supplementary transfer mechanisms, as well as enhancing the Commissioner’s Office’s own supervisory functions.

It is further proposed that EDMRI+ will be a series of simple yes/no questions designed to assess adequacy on an entity level, enabling exporting DIFC entities to conduct due diligence on data importers in third countries. The consultation asks whether an EDMRI+ assessment should be mandatory for DIFC entities exporting personal data to high risk jurisdictions.

Comment

The proposals to continue to broadly align DIFC SCCs with the EU/UK will reassure businesses juggling a multiplicity of data protection regimes. However, businesses transferring personal data out of the DIFC should note that the Commissioner’s Office is seeking to place greater responsibility on DIFC entities to conduct due diligence on parties to whom data is transferred and does not consider an adequacy decision to provide a complete solution. The EDMRI promises to be a valuable tool for assessing the level of protection of personal data for jurisdictions outside the DIFC and, whilst targeted at businesses in the DIFC, may also be useful for businesses assessing transfers of personal data out of other jurisdictions. Whether EDMRI+ assessments become mandatory will be of particular interest for DIFC entities transferring personal data to higher risk jurisdictions.

No timeline has yet been released for the adoption of the revised SCCs or EDMRI.