Transfer of personal data across borders is an issue that concerns individuals, businesses, regulators and governments. Businesses, particularly data-driven ones with cross-border operations, favour liberal frameworks with minimal hurdles to transfers, while governments and regulators are duty bound to ensure that the rights and interests of individuals (usually referred to as Data Subjects in data protection frameworks) are adequately protected.

One mechanism for the cross-border transfer of personal data is the issue of an 'adequacy decision' by one jurisdiction in favour of another. Before we delve into what an adequacy decision is, it is important to take note of some recent developments.

On 9th August 2023, the Dubai International Financial Centre (DIFC) issued an 'adequacy decision' regarding the California Consumer Privacy Act of 2018 (CCPA). This means that the DIFC acknowledges and accepts the CCPA as providing protection equivalent to the DIFC's own Data Protection Law, DIFC Law No. 5 of 2020 (DP Law 2020). The adequacy decision allows personal data to be transferred between DIFC and California-based entities in accordance with the DP Law 2020 without applying additional contractual measures or relying on other derogations. This is good news for DIFC-based businesses that need to transfer personal data to California-based entities, as it creates smoother workflows. Similarly, in July 2023 the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection, comparable to that of the European Union, for personal data transferred from the EU to US companies under the new framework. On the basis of that decision, personal data can flow from the EU to US companies participating in the framework without additional data protection safeguards being put in place. Note that the EU decision covers only companies that have certified under the framework, not every US recipient.

These decisions highlight the continuing importance of adequacy decisions as a major facilitative mechanism of cross-border personal data sharing.

ADEQUACY AND ITS GENESIS

In simple terms, when one jurisdiction issues an adequacy decision in favour of another, it determines that the recipient jurisdiction's laws will adequately protect the personal data transferred there.

An adequacy decision is, therefore, instrumental in facilitating seamless and secure cross-border data transfers. Ensuring an "adequate level of protection" in the recipient jurisdiction provides an assurance that the personal data transferred will continue to receive protection equivalent to that in the transferring jurisdiction.

The genesis of adequacy determination can be traced back to the Data Protection Directive 95/46/EC (the Directive, now repealed), the precursor to the GDPR, which aimed to standardise data protection within the European Union (EU). Article 25 of the Directive required that personal data be transferred from the EU to non-member states only where the destination ensured an "adequate level of protection", so that individuals' rights followed their data across borders. Assessing adequacy under the Directive required, among other things, an evaluation of a number of factors, including the legal framework in the recipient jurisdiction. Since then, adequacy determination has been carried into the GDPR and into several other data protection frameworks, including those of the UAE, the DIFC and the ADGM.

While adequacy decisions have historically served as the benchmark for cross-border data transfers, organisations today have other mechanisms available to navigate this terrain.

LEGAL ALTERNATIVES TO ADEQUACY DETERMINATION

Today there are several lawful bases for transferring personal data across borders. Some of these are:

Jurisdictional Adequacy – Whitelisting vs Blacklisting

Adequacy determinations are the cornerstone of a "whitelist" approach to cross-border data transfers. Under this approach, jurisdictions are first assessed and then, if they are deemed to provide adequate protection to personal data, they become part of a whitelist of jurisdictions to which personal data can be transferred.

Another approach is to maintain a negative list of jurisdictions to which personal data may not be transferred. Under this approach, the competent authority may, from time to time, designate certain jurisdictions as 'prohibited jurisdictions' to which transfers are disallowed. The basis for including a jurisdiction on the negative list (or blacklist) is that it does not provide an adequate level of protection to personal data. Personal data can be transferred to any jurisdiction not on the negative list, subject to compliance with all other provisions of the applicable data protection law.

Notably, the Directive was issued at a time when very few countries had any data protection laws or principles, and the adequacy requirement was the safeguard that made transfers out of the EU possible at all. The scenario has changed significantly since then: today, nearly 140 countries have some form of data protection law. Reflecting this, India has adopted the "negative list" approach to cross-border personal data transfers in its recently passed Digital Personal Data Protection Act, 2023, under which transfers are permitted to any country other than those the central government notifies as restricted.

Contractual Clauses, Corporate Rules and Certifications

Jurisdictions with established data protection regulations (e.g., the EU, ADGM, DIFC) generally permit cross-border data transfers even in the absence of an adequacy determination, provided the transferring and receiving entities put appropriate safeguards in place. The main examples are Standard Contractual Clauses (for transfers between independent organisations, or indeed any controller or processor) and Binding Corporate Rules (for transfers within a corporate group), in the form adopted or approved by the relevant regulator.

Contractual arrangements are a robust choice for organisations engaging in cross-border data transfers. Standard Contractual Clauses (SCCs) have gained prominence among these mechanisms: they are pre-approved, standardised contractual terms adopted by the European Commission and now adopted, with customisations, by other jurisdictions including the DIFC and ADGM. In the EU, following the Court of Justice's Schrems II judgment (2020), signing SCCs is not on its own sufficient: the exporter must also assess whether the law and practice of the destination country would prevent the importer from honouring the clauses, and adopt supplementary measures (for example, encryption to which the importer holds no key) where they would.

Binding Corporate Rules (BCRs) signify an organisation's commitment to global data privacy compliance. BCRs are recognised by several jurisdictions, including the EU, the UK, Brazil, Singapore, South Africa, the DIFC and the ADGM, and they facilitate cross-border transfers within a corporate group. They are, however, complex to implement, since they require approval from the relevant data protection authorities.

The GDPR also recognises approved certification mechanisms (Article 42) as a transfer tool (Article 46(2)(f)), when combined with binding and enforceable commitments from the recipient. Outside the EU, the APEC Cross-Border Privacy Rules (CBPR) System is a separate example of the certification approach. Certification demonstrates adherence to privacy standards and allows an organisation to convey its compliance to stakeholders. However, establishing and operating a certification scheme demands considerable resources.

Consent and other derogations

In the absence of both an adequacy decision and these contractual safeguards, a personal data transfer may still be permitted on the basis of the Data Subject's express consent (which must be freely given, informed, clear and unambiguous), contractual necessity, judicial processes or public interest. These derogations are generally intended for occasional transfers rather than as a routine basis for systematic data flows.

REGULATIONS IN THE UAE

Mainland

The UAE's principal data protection law is Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. This law, which came into force in January 2022, provides the foundation for safeguarding personal data across sectors and industries within the UAE. It authorises personal data transfers to countries recognised by the UAE Data Office as providing an "adequate level of protection". These are jurisdictions with specialised personal data protection laws, or jurisdictions that are party to bilateral or multilateral personal data protection agreements with the UAE. The list of such countries is still to be notified.

Exceptions within the law allow personal data transfers to countries lacking adequate protection, through:

  • Contractual safeguards: Organisations can put in place contractual safeguards that apply the provisions of the UAE Data Protection Law to the transferred data.
  • Express consent: Data Subjects can give explicit consent to the transfer.
  • Contractual obligations: Transfers necessary to enter into or perform a contract in the Data Subject's interest.
  • Legal and judicial obligations: Transfers required by legal duties, the enforcement of rights, or international judicial cooperation.
  • Public interest: Transfers necessary to protect the public interest.

The DIFC and the ADGM have each enacted data protection laws that align with international best practice.

ADGM

The ADGM introduced its data protection regulations in February 2021. Under them, personal data may be transferred out of the ADGM on one of several bases, including:

  • A determination by the Commissioner of Data Protection that the recipient jurisdiction maintains an adequate level of personal data protection.
  • Adoption of binding corporate rules (BCRs) or standard contractual clauses.
  • Transfers based on a vital public interest within the ADGM.
  • Transfers required by UAE law enforcement agencies.
  • Transfers necessary to protect an individual's life.
  • Explicit consent from the Data Subject to the proposed transfer.
  • Transfers required for the performance of a contract between the Data Subject and the controller.

Under the ADGM's data protection regulations, when assessing the adequacy of the level of protection of Personal Data, the following elements are taken into account:

  • the rule of law, respect for individuals' rights, the relevant legislation, rules and regulations affecting personal data, and the availability of rights and judicial redress to the Data Subject;
  • the existence and effective functioning of one or more independent supervisory authorities in the receiving jurisdiction responsible for ensuring and enforcing compliance with adequate data protection rules, with adequate enforcement powers, and for assisting and advising Data Subjects in exercising their rights; and
  • the international commitments the receiving jurisdiction has entered into, or other obligations arising from legally binding conventions or instruments or from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

Notably, the data protection framework of the UAE mainland is not yet considered adequate by the ADGM. Several other jurisdictions do, however, benefit from an ADGM adequacy decision, enabling transfers of personal data to them.

DIFC

The cornerstone of the DIFC's data protection efforts is the Data Protection Law, Law No. 5 of 2020, which came into effect on 1st July 2020, with enforcement commencing on 1st October 2020.

Under the DIFC's data protection law, when assessing the adequacy of the level of protection of Personal Data, the following elements are taken into account:

  • the rule of law, the general respect for individuals' rights and the ability of individuals to enforce their rights through administrative or judicial redress, and the access of public authorities to personal data;
  • the existence of effective data protection law, including rules on the onward transfer of personal data to another jurisdiction;
  • the existence and functioning of one or more independent, competent data protection or similar supervisory authorities with adequate enforcement powers; and
  • the international commitments and conventions binding on the jurisdiction and its membership of any multilateral or regional organisations.

The DIFC deems 43 jurisdictions to provide an adequate level of protection to personal data. These include the ADGM but not the UAE mainland. Notably, while the DIFC Commissioner has deemed the ADGM adequate, the European Commission has not adopted an adequacy decision for the ADGM. This divergence underscores the difficulty of harmonising data protection standards across jurisdictions, as well as the element of judgement involved in adequacy decisions: a transfer that needs no additional safeguards under one regime may still need them under another.

CONCLUSION

Amid several alternatives, adequacy decisions remain an accepted mechanism for cross-border data transfers. However, given that the concept gained currency at a time when very few jurisdictions had dedicated data protection frameworks, there is a case for examining its continuing relevance in a global environment where approximately 140 countries now have privacy and data protection laws and regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.