On October 26, 2015, Raja Al Mazrouei, the Commissioner for Data Protection for the Dubai International Financial Centre (the DIFC), issued guidance on the adequacy of US Safe Harbor for the purpose of exporting personal data from the DIFC. The guidance is significant for organisations that transfer personal data from the DIFC to the US and such organisations should urgently review the basis upon which they transfer personal data from the DIFC to the US to ensure that they continue to comply with the DIFC Data Protection Law (No 1 of 2007).
The guidance follows the decision of the European Court of Justice (the ECJ) in Case C-362/14 – Maximillian Schrems v Data Protection Commissioner that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbor Adequacy Decision), is invalid.
The key message from the guidance is that:
“the invalidation of the Adequacy Decision by the ECJ provides cause for the Commissioner to reconsider the adequacy status previously afforded under the Law to US Safe Harbor Recipients. However, the Commissioner also understands that there are ongoing negotiations between Europe and US authorities towards an improved Safe Harbor framework and that these negotiations are well advanced.
In light of the ruling of the ECJ it is important for organisations in the DIFC to protect individuals’ personal data when it is transferred to the US and to consider the potential risks by implementing appropriate legal and technical solutions in a timely manner. It is also recommended that personal data transfers to the United States should rely on the alternative data transfer mechanisms provided for in Article 12 of the Law until there is further clarity emanating from the aforementioned EU-US negotiations.”
By way of background, the DIFC is a free zone within Dubai that has its own body of law, including corporate, contracts, employment and data protection laws, as well as its own court system. Data protection is regulated by the DIFC Data Protection Law and the DIFC Data Protection Regulations, both of which were updated in 2012 and, as the guidance notes, are largely modelled on EU privacy and data protection principles and guidelines. We have previously published a blog post on data protection in the Middle East, and further guidance on the data protection regime in the DIFC can be found on the DIFC website.
What does this mean for organisations that transfer personal data from the DIFC to the US?
The simple answer is that if organisations in the DIFC have been relying on Safe Harbor as the basis for the transfer to date, they should not continue to rely on it going forward and should review Article 12 of the DIFC Data Protection Law to ascertain whether they can rely upon that as a basis for transferring personal data from the DIFC to the US. For reference, Article 12(1) permits a transfer of personal data to a recipient outside of the DIFC where:
(a) the Commissioner has granted a permit or written authorisation for the transfer or the set of transfers and the data controller applies adequate safeguards with respect to the protection of the personal data;
(b) the data subject has given written consent to the transfer;
(c) the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of precontractual measures taken in response to the data subject’s request;
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party;
(e) the transfer is necessary or legally required on grounds important in the interests of the DIFC, or for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject;
(g) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
(h) the transfer is necessary for compliance with any legal obligation to which the data controller is subject or the transfer is made at the request of a regulator, police or other government agency;
(i) the transfer is necessary to uphold the legitimate interests of the data controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by legitimate interests of the data subject relating to the data subject’s particular situation; or
(j) the transfer is necessary to comply with any regulatory requirements, auditing, accounting, anti-money laundering or counter terrorist financing obligations or the prevention or detection of any crime that apply to a data controller.
While Article 12 does not expressly envisage the use of EU-style model clauses or binding corporate rules, the Commissioner has previously issued guidance that the use of model clauses or binding corporate rules will be taken into account as evidence that an organisation is applying adequate safeguards where the organisation applies for a permit to transfer under Article 12(1)(a). Failure to comply with Articles 11 and 12 of the DIFC Data Protection Law may result in a claim for compensation by a data subject in the DIFC Courts, an inspection by the Commissioner, the issue of a direction requiring compliance, and the imposition of a financial penalty by the Commissioner for non-compliance. Given the potential for financial penalties and the absence of a grace period for compliance with the guidance, we would suggest that organisations urgently review the basis upon which they transfer personal data from the DIFC to the US to ensure that they remain compliant.