Personal data protection laws around the globe are intended to protect the privacy of individuals (natural persons). Such laws tend to allow the use of individuals’ personal data subject to a defined set of rules, which primarily aim to protect that data from unauthorized use, access, sharing, etc. These laws also maintain a balance between business continuity and the individual’s right to privacy. The use, disclosure and processing of personal data are therefore undertaken within the prescribed legal framework.
One much-debated area of the personal data protection legal framework is the transfer of personal data from one country to another. The cross-border transfer of personal data is not absolutely prohibited but is allowed subject to certain parameters stemming from the relevant laws.
The United Arab Emirates (UAE) has three specific laws in force with respect to the protection of personal data; each applies and operates in its respective jurisdiction. The Federal Decree Law No. 45 of 2021 (the UAE Law) applies generally, except in those free zones which have their own specific law on personal data protection. The Dubai International Financial Centre (DIFC), being a free zone, has its own law (the Data Protection Law 2020, or the DIFC Law). The Abu Dhabi Global Market (ADGM) is also a free zone with its own specific law on personal data protection, called the Data Protection Regulations, 2021 (the ADGM Regulations).
The principles under these three laws that enable the transfer of personal data outside the UAE are discussed here.
The UAE Law
According to the UAE Law, personal data may only be transferred outside the UAE to a jurisdiction which has a law in place covering various aspects of the protection of personal data (adequate level of protection). Personal data may also be transferred to those countries with which the UAE has bilateral or multilateral agreements in respect of personal data protection.
In the absence of adequate protection, under the UAE Law, personal data may be transferred outside the UAE in the following cases (subject to the controls to be specified by the executive regulations):
· In jurisdictions where data protection law does not exist, on the basis of a contract or agreement binding the establishment (to whom personal data is being transferred) to follow the provisions, measures, controls and conditions of the UAE Law. The said contract or agreement must also specify a supervisory or judicial entity in that foreign country for imposition of appropriate measures against the controller or processor in that foreign country
· Expressed consent of the individual, in such a manner that does not conflict with the public and security interest of the UAE
· Necessity for performing obligations and establishing rights before judicial entities
· Necessity for entering into or performing a contract between the user of personal data and the individual, or between the user of personal data and a third party for the interests of the individual
· Necessity for the performance of an act relating to international judicial cooperation
· Necessity for the protection of public interest.
The DIFC Law
Under the DIFC Law, personal data may be transferred abroad on the basis of an adequate level of protection as determined by the Commissioner (the regulator entrusted with the enforcement and implementation of the DIFC Law). A list of adequate jurisdictions is issued through the DIFC Data Protection Regulations. An adequate level of protection means that the receiving jurisdiction has a legal and institutional framework that ensures the protection of personal data on at least a similar basis as in the home country.
The ADGM Regulations
The ADGM Regulations allow personal data to be transferred abroad where the Commissioner of Data Protection (the regulator entrusted with the enforcement and implementation of the ADGM Regulations) has decided that the receiving jurisdiction ensures an adequate level of protection.
Transfer on the Basis of Appropriate Safeguards – The DIFC Law and the ADGM Regulations
In the absence of an adequate level of protection, personal data may be transferred abroad (from DIFC and ADGM) on the basis of “appropriate safeguards”. The “appropriate safeguards” include:
· A legally binding instrument between the public authorities
· Binding corporate rules
· Standard data protection clauses
· Approved code of conduct
· Approved certification mechanism
Specific Derogations – The DIFC Law and the ADGM Regulations
In the absence of both an adequate level of protection and appropriate safeguards, the data may be transferred abroad (from the DIFC and the ADGM) under the following derogations:
· Explicit consent of the individual
· Necessity for the performance of a contract between the individual and the user of personal data
· Necessity for the conclusion or performance of a contract between the user of personal data and a third party which is in the interest of the subject individual
· Necessity for reasons of public interest
· Necessity in accordance with an applicable law
· Necessity for establishment, exercise or defence of a legal claim
· Necessity to protect vital interests of individuals or of other persons where an individual is physically or legally incapable of giving consent
· In compliance with applicable law and data minimization principles to provide information to the public and open for viewing by the public in general or by a person who can demonstrate a legitimate interest (under DIFC Law only)
· Necessity for compliance with any obligation under applicable law to which the user of personal data is subject, or where the transfer is made at the reasonable request of a regulator, police or other government agency or competent authority (under DIFC Law only)
· Necessity to uphold the legitimate interests of the user of personal data (in international financial markets), subject to international financial standards, except where such interests are overridden by the legitimate interests of the individual (under DIFC Law only)
· Necessity to comply with applicable anti-money laundering or counter-terrorist financing obligations applicable to a controller or a processor (under DIFC Law only)
The above permissions (or admissibility) reflect and support the principle of “business continuity” while ensuring the privacy rights of individuals. It follows that users of personal data (businesses and organizations) are able to transfer personal data outside the home jurisdiction by following the parameters provided for in the relevant law.