California Privacy Regime Secures Unprecedented Adequacy Recognition from Dubai
California is the first U.S. state to secure an adequacy decision from the Dubai International Financial Center Authority.
On August 7, 2023, the Commissioner of Data Protection of the Dubai International Financial Center Authority ("DIFCA") declared that California's privacy regime provides equivalent protection as the Dubai International Financial Center ("DIFC") Data Protection Law. Specifically, DIFCA noted that the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and the associated regulations essentially meet the data protection standards enshrined in the DIFC's 2020 Data Protection Law No. 5 and associated regulations.
Why the Decision Is Important
The decision is significant for companies operating in the DIFC—an economic free zone in Dubai that serves as a financial hub for the Middle East, Africa, and South Asia. DIFC entities can now freely transfer data to California without any additional contractual measures.
According to the press release, the California privacy regime adequacy determination by DIFCA is a "first-of-its-kind." Given the lack of a federal consumer privacy law in the United States, whether or not data can flow from the DIFC to entities based in the United States will largely be dependent on the privacy laws of the particular state in the United States to which the data is going. In the future, DIFCA hopes to "build similar relationships" as California with various other U.S. states. Until now, DIFCA had declared adequacy only for the European Union, the United Kingdom, Canada, Singapore, and a few other countries.
In reaching its adequacy decision, DIFCA considered several factors related to the California privacy regime, including the scope of consumer data rights, data minimization requirements, and limitations on processing of data for specific disclosed purposes, among others. DIFCA also highlighted the work of the California Privacy Protection Agency—the first government agency in the United States to regulate privacy issues exclusively—as "an international organization ensuring adequate data protection."
Companies located or doing business in the DIFC can now transfer personal data to California. It is important to note that DIFCA's adequacy decision is limited to California. Transferring data from the DIFC to other U.S. states still requires additional contractual measures. Companies, particularly large corporations with operations spanning across multiple U.S. states, will need to carefully consider whether and how such data remains in California. In the meantime, given that there are now 11 U.S. states (California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia) with comprehensive consumer privacy laws, DIFCA will need to assess each state law individually before data can be freely transferred to these other U.S. states.