DIFC Issues First-of-its-Kind Adequacy Decision on The California Consumer Privacy Act

DIFC Issues First-of-its-Kind Adequacy Decision on The California Consumer Privacy Act

The Commissioner of Data Protection of the Dubai International Financial Centre (DIFC), has issued a first-of-its-kind adequacy decision regarding the California Consumer Privacy Act of 2018, a standalone data protection law (CCPA). The CCPA was amended by the California Privacy Rights Act of 2020 (CPRA) which took effect on 1 January 2023 (together ‘Amended CCPA’). The decision establishes a determination of the Amended CCPA’s equivalence with the Data Protection Law, DIFC Law No. 5 of 2020 (DP Law 2020).

The decision, which is in line with DIFC’s commitment to drive privacy and data protection by continuously strengthening its knowledge of cross-border enforcement best practices, facilitates personal data transfers between DIFC and California-based entities in accordance with the DP Law 2020, without having to apply additional contractual measures. It also sees DIFC setting a first-time precedent for building similar relationships with various US states.

The DIFC Commissioner’s Office recognises the Amended CCPA and the California Privacy Protection Agency (CPPA) as an international organisation ensuring adequate data protection for purposes of personal data processed and transferred by the entities that it supervises.

Jacques Visser, DIFC Commissioner of Data Protection, commented, “The importance of additional safeguards for imported personal data is evidenced by the factors set