On 26 October 2015 the DIFC Data Commissioner issued a guidance to DIFC registered entities regarding the adequacy status of US Safe Harbor recipients.
The guidance was issued as a result of a decision by the European Court of Justice (ECJ) on 6 October 2015 which invalidated the European Commission's Decision 200/520/EC. That EC Decision had provided "adequate protection status" for personal data transfers from European Member States to US Safe Harbor recipients.
Article 11 of the DIFC Data Protection Law allows a transfer of personal data out of the DIFC if:
- an adequate level of protection for that personal data is ensured by the laws and regulations that are applicable to the recipient; or
- in accordance with article 12 of the DIFC Data Protection Law.
Like the European Commission, the DIFC Data Commissioner had previously listed the US Safe Harbor scheme as a jurisdiction with an "adequate level of protection" on its website. The US Safe Harbor scheme has however now been removed from that list.
The DIFC Data Commissioner's guidance observes that, as the DIFC Data Protection Laws are largely modelled on relevant EU Directives, the ECJ decision has caused the DIFC Data Commissioner to reconsider the adequacy status previously provided to US Safe Harbor rules. It has noted however that there are currently ongoing negotiations between EU and US authorities regarding the framework.
In light of the above, the DIFC Data Commissioner warns that DIFC organisations should continue to protect individuals' personal data when transferred to the US and consider potential risks by implementing appropriate legal and technical solutions in a timely manner. DIFC entities transferring personal data to the US should rely upon the conditions referred to in Article 12 of the DIFC Data Protection Law until further clarity is provided.