March 14, 2019

DIFC confirms adequacy of United Kingdom data protection regime post-Brexit

The data protection law of the Dubai International Financial Centre restricts the transfer of personal data to countries that are not deemed to have an adequate level of protection for that personal data. While all EU member states are currently considered to offer an adequate level of protection based on the guarantees offered by the GDPR, the DIFC Commissioner of Data Protection has clarified the position that will apply following the United Kingdom's exit from the EU.

No changes to existing processes or procedures should be necessary from a data protection compliance perspective as a result of Brexit.

In a circular issued by the Commissioner of Data Protection for the Dubai International Financial Centre (DIFC) on 14 March 2019, it was confirmed that the United Kingdom will continue to be recognised as a jurisdiction offering an adequate level of protection for personal data transferred outside DIFC after the UK exits the European Union.

Basis of the decision

Article 11 of the Data Protection Law, DIFC Law No. 1 of 2007 prohibits any transfer of personal data to recipients located outside the DIFC unless the destination is a jurisdiction approved by the Commissioner as offering an adequate level of protection for personal data or one of the conditions in Article 12 applies. The DIFC's list of adequate regimes currently includes all member states of the European Union.

In advance of the final outcome of Brexit negotiations between the United Kingdom and the European Union, the Commissioner has confirmed that the adequacy status of the United Kingdom will continue following the country's departure from the EU. The UK's post-Brexit regime has been deemed adequate on the basis that the UK will retain its own version of the EU General Data Protection Regulation (GDPR) in addition to the UK Data Protection Act 2018.

The Commissioner also noted that the UK government has announced bridging amendments known as the Exit Regulations to ensure that the data protection regime remains largely consistent post-Brexit.

What does it mean?

The advance notice of the continued recognition of the UK's data protection regime for data transfer purposes will be helpful for entities in the DIFC that currently transfer personal data to the UK. No changes to existing processes or procedures should be necessary from a data protection compliance perspective as a result of Brexit.

The circular is also a timely reminder of the need for companies to continually monitor data protection laws to ensure the lawful cross-border flow of data. Last year, Abu Dhabi Global Market's Office of Data Protection updated its list of adequate jurisdictions to include the DIFC (although that recognition is not currently reciprocated for transfers from DIFC to ADGM) and Bahrain issued a new Personal Data Protection Law that is scheduled to take effect from August 2019.