Five Key Things to Know about Dubai DIFC Data Protection Law 2020

The Dubai International Financial Centre (DIFC) Data Protection Law 2020 (DP Law) applies to the DIFC financial services free zone in Dubai, United Arab Emirates, and took effect on 1 July 2020. The DIFC DP Law protects the personal data held and processed by organisations that are registered in the DIFC as well as linked external organisations. New data protection rights include the right to access personal data, the right to data portability, the right to withdraw consent, the right to object to automated decisions (including profiling) and the right not to suffer discrimination for exercising data protection rights. Businesses have an overriding duty to demonstrate compliance with the data protection principles. The DIFC Commissioner of Data Protection is the regulator. Regulator enforcement starts on 1 October 2020.

1. What types of organisations are covered by DIFC DP Law?

The law applies to businesses that are registered in the DIFC or businesses that process personal data in the DIFC as part of stable arrangements. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law.

2. What types of data or information are covered by DIFC DP Law?

The DIFC DP Law protects personal data, which is defined as information that identifies living individuals or makes them identifiable. Identified or identifiable means reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors about an individual’s biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.

3. What are the main DIFC DP Law obligations for businesses?

Businesses must:

  1. Comply with the additional data protection principles of accountability (demonstrating compliance) and transparency, and process personal data in line with the rights of individuals.
  2. Appoint a Data Protection Officer (DPO), if they are DIFC bodies or carry out high risk processing on a systematic or regular basis. Other controllers or processors may appoint DPOs.
  3. Report data breaches as soon as practicable in the circumstances to the DIFC Commissioner of Data Protection and to individuals affected (if the breach is a high risk to security or individual rights).
  4. Register with the regulator and publish detailed data protection notices.
  5. Complete Data Protection Impact Assessments (DPIAs) for high risk data processing.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with DIFC DP Law?

Yes, in large part, but not completely. GDPR and DIFC DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. DIFC DP Law was enacted to include provisions that largely mirror GDPR. It is likely that the DIFC will make an application to the European Union (EU) for an adequacy decision to ease international data transfers between the DIFC and the EU. GDPR data mapping and records of processing activity logs can help to identify DIFC DP Law impacted personal data. GDPR Privacy Notices, policies and GDPR processes used to respond to GDPR rights can assist DIFC DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated.

5. Does the DIFC DP Law apply to foreign based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses process personal data and are registered in DIFC or process personal data in the DIFC as part of stable arrangements in the DIFC, then the DIFC DP Law will apply. The law also applies to businesses that process data on behalf of organisations registered in the DIFC or for organisations that process data in the DIFC as part of stable arrangements. The DIFC Commissioner for Data Protection can impose administrative fines of up to $100,000. DIFC Courts can order businesses to pay compensation to individuals.

Schrems II: Rethinking Privacy Shield & Standard Contractual Clauses

Briefing

On 16 July 2020, the European Union’s highest court, the Court of Justice of the European Union (CJEU), delivered the much anticipated decision in the Max Schrems Case (Schrems II). The court was asked by Ireland’s High Court to decide on key mechanisms for international transfers of personal data from the EU to the United States. The underlying cases arose out of Austrian privacy activist Max Schrems’ complaint against Facebook and Ireland’s Data Protection Commission over the interpretation of key data protection provisions. Max Schrems objected to US surveillance of foreign nationals, which conflicted with the General Data Protection Regulation (GDPR). The court decided that US surveillance laws and practices stand in opposition to the GDPR’s fundamental human rights protection of EU citizens. As a result, such personal data transfers are non-compliant with EU law and need special attention, assessment, reviews and additional safeguards to make them compliant. The case has been called constitutional and cannot be appealed.

Privacy Shield

The Court of Justice of the European Union found that the EU/US Privacy Shield data protection adequacy decision agreed in 2016 is invalid. Personal data transfers based on this mechanism must cease. EU citizens have no real judicial remedy or equivalent protections in the US under Privacy Shield. The Swiss/US Privacy Shield remains in force but the Swiss Data Protection Authority is reviewing its position. Privacy Shield continues to operate internally in the USA based on federal enforcement mechanisms, US laws and the role of domestic regulators.

Standard Contractual Clauses (SCCs)

The European Commission’s Data Protection Standard Contractual Clauses remain lawful and enforceable. However, the court has insisted that Data Exporters (in the EU) and Data Importers (in foreign countries) must carry out more detailed checks to ensure that foreign laws and data governance rules are compatible with GDPR. Data Importers must inform Data Exporters if they are unable to comply with EU data protection law. Data Exporters must refuse to transfer personal data where specific personal data transfers are incompatible. EU Data Protection Authorities are also encouraged to intervene, to review Standard Contractual Clauses and to be prepared to withhold or withdraw authorisations for international personal data transfers. On 4 June 2021, the European Commission published its final updated Standard Contractual Clauses that comply with GDPR and the Schrems II case. On 21 March 2022, the UK published its new international data transfer regime.

Responses and Actions

  1. Companies and organisations should assess their exposure to Privacy Shield, work towards stopping these personal data transfers and investigate substitute arrangements. There is no grace period for compliance.
  2. Wait for and act on concrete guidance from each relevant EU Member State’s Data Protection Authority, the European Data Protection Board (EDPB) and the European Commission.
  3. Wait for the European Commission’s new GDPR-approved Standard Contractual Clauses (June 2021) and implement these by December 2022.
  4. Begin to review high value and high risk contracts that contain Standard Contractual Clauses (SCCs) that allow transfers to the USA.
  5. Review Binding Corporate Rules (BCRs) to see if personal data transfer protections from the EU to the USA need to be strengthened or varied.

Resources

EU / US and Swiss / US Privacy Shield Home Page

Schrems II Case Press Release

Schrems II Case Full Judgment

Schrems II European Data Protection Board (EDPB) Frequently Asked Questions

Schrems II US Federal Trade Commission (FTC) Statement

Schrems II US Secretary of Commerce Statement

Schrems II Joint Statement from European Commission and US Department of Commerce

Schrems II Ireland Data Protection Commission (DPC) First Statement

Schrems II UK Data Protection Commissioner’s Office (ICO) First Statement and Updated Statement

Schrems II European Data Protection Board (EDPB) Taskforce on Post-Schrems II Complaints

Schrems II US Department of Commerce, US Justice Department & US Office of the Director of National Intelligence White Paper on US Privacy Safeguards for SCCs and other Legal Bases

Schrems II European Data Protection Supervisor (EDPS) Strategy for EU Institutions to comply with Schrems 2 Ruling

Schrems II European Data Protection Board (EDPB) Supplementary Measures for data transfer tools to ensure GDPR compliance – Consultation

Schrems II European Commission Standard Contractual Clauses (SCCs) 2020 – Consultation

Schrems II European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) Joint Opinion 2/2021 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries

European Commission Final Standard Contractual Clauses (SCCs) for Data Controllers and Data Processors and also International Data Transfers – June 2021

UK Information Commissioner’s Office (ICO) Consultation on UK International Data Transfers and UK Standard Contractual Clauses – August 2021

UK Information Commissioner’s Office (ICO) Response to DCMS Consultation “Data: A New Direction” – October 2021

UK GDPR Final International Personal Data Transfers Scheme and Documents – March 2022

European Commission announcement of an EU/US Trans-Atlantic Data Privacy Framework Agreement in Principle – March 2022

White House Briefing Room announcement of an EU/US Trans-Atlantic Data Privacy Framework Agreement in Principle and FactSheet – March 2022

European Commission Questions and Answers (Q&As) for the two sets of EU 2021 Data Protection Standard Contractual Clauses – May 2022

For Further Assistance, contact PrivacySolved:

Telephone (London): +44 207 175 9771

Telephone (Dublin): +353 1 960 9370

Email: contact@privacysolved.com

Five Key Steps to Take ahead of CCPA Enforcement

The California Consumer Privacy Act 2018, or CCPA, took effect on 1 January 2020. The CCPA protects the rights of California consumers and gives them new data privacy and online rights. These new privacy rights include the right to know what information is held and used, the right to delete personal information, the right to opt-out of the sale of personal information (called “Do Not Sell”) and the protection from discrimination for individuals who exercise their CCPA rights. The California Attorney General is the CCPA regulator. Regulator enforcement begins on 1 July 2020. California is the world’s fifth largest economy and is home to some of the world’s most innovative companies and discerning consumers.

1. How can we plan for CCPA enforcement during Covid-19?

The regulator, the California Attorney General, can enforce the CCPA after 1 July 2020 but can look back to 1 January 2020 when making enforcement decisions. The coronavirus Covid-19 pandemic period is included. Companies and organisations need to document their pre-Covid-19 CCPA compliance steps as well as the changes made to these compliance programmes by the impact of Covid-19.

2. How important are data flow mapping and personal information inventories?

Data flow mapping and the creation of personal information inventories are key to CCPA compliance. There are many ways to create these and work from General Data Protection Regulation (GDPR) compliance activities can help. As part of this process, the approach taken by key suppliers, such as making CCPA rights available to all citizens across the USA or worldwide, will impact your company’s or organisation’s risk profile.

3. What are the key areas we should spend time on at this stage?

The CCPA, like similar laws, places consumers’ and users’ personal information at the centre of data governance. Companies and organisations should focus on consumer touch points including privacy policies, consumer notices, consumer opt-out mechanisms, terms of service and data subject rights processes. It is very important that companies and organisations put in place and test their identity verification processes. For App-only companies and organisations, or those with a lot of App-based customers, developing just-in-time consent notification solutions is a CCPA requirement that can lead to real and lasting consumer innovations.

4. What should be our approach to CCPA and cybersecurity?

Where there is change, uncertainty or fear, cybercrime and cybersecurity incidents rise. CCPA requires substantial changes to data governance and data flows, which are significantly affected by the impact of coronavirus Covid-19. Companies and organisations should strengthen their information security defences to reduce the impact of phishing attacks, impersonation, fraudulent CCPA applications and social engineering that uses the CCPA as a trigger.

5. What are the steps to take to prepare for the next stages of privacy changes in California?

The California Attorney General will publish the finalised CCPA enforcement regulations in the coming weeks for agreement. Federal and California state-level coronavirus Covid-19 rules will impact consumers across a range of sectors affected by CCPA. There are plans to submit a new California Privacy Rights Act (CPRA) to the November 2020 ballot to extend the scope of CCPA. Companies and organisations should avoid CCPA programme mission creep, especially as the global economy cools. Speculative or draft privacy changes should be monitored and assessed, but should not confuse or detract from core CCPA compliance.

Further Information:

PrivacySolved Briefing: Five Key Things to Know about California Consumer Privacy Act (CCPA)

California Attorney General CCPA Resources

Californians for Consumer Privacy CPRA Resources

For Enquiries:

contact@privacysolved.com

Five Key Things to Know about California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act 2018, or CCPA, is a US state privacy law that took effect on 1 January 2020. The CCPA protects the rights of California consumers and gives them new data privacy and online rights. These new privacy rights include the right to know what information is held and used, the right to delete personal information, the right to opt-out of the sale of personal information (called “Do Not Sell”) and the protection from discrimination for individuals who exercise their CCPA rights. The California Attorney General is the CCPA regulator. Regulator enforcement begins on 1 July 2020.

1. What types of organisations are covered by CCPA?

The law applies to businesses that operate for profit and that fall into any one of the following categories:

  • Annual gross revenue in excess of $25 Million (US Dollars); or
  • Buys, receives or sells the personal information of 50,000 or more consumers, households or devices; or
  • Earns 50% or more of annual revenues from selling consumer personal information

2. What types of data or information are covered by CCPA?

The CCPA protects the personal information of California consumers. Personal information includes many different types of data and information, including identifiers (name, address, social security number, online identifiers etc.), protected characteristics, commercial information, biometric information, internet activity, geolocation data, audio files, visual files, employment information, education information, profiles and inferences drawn from data that reveal a consumer’s characteristics, psychology, predispositions, attitudes and intelligence.

3. What are the main CCPA obligations for businesses?

Businesses must:

  • Provide notices to consumers at or before data collection
  • Create procedures to respond to consumer requests to opt-out, know and delete information, including putting “Do Not Sell My Information” notices on websites and mobile applications.
  • Respond to consumer requests to know, delete and opt-out within specific timeframes
  • Verify the identity of consumers who make requests to know and to delete, whether or not the consumer has a password-protected account with the business

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with CCPA?

No. GDPR and CCPA have different scopes, definitions and compliance requirements. However, there are important similarities. GDPR data mapping and records of processing activity logs can help to identify California consumers’ personal information. GDPR Privacy Notices, Policies and GDPR processes used to respond to GDPR rights can assist CCPA compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. Do Not Sell notices and their underlying systems are unique to CCPA and present several practical, technical and technological challenges.

5. Does the CCPA apply to businesses in other US states or to foreign companies?

Yes, it can. If a business falls within the CCPA qualifying criteria and holds personal information about California consumers, then CCPA applies. Businesses that are based in other US states and companies from outside of the United States may have to comply with the CCPA. All organisations should seek specialist advice, monitor the development of the CCPA enforcement regulations, examine official guidance and watch the Regulator.