The DIFC data protection law does not set a maximum limit for fines of the kind the GDPR has, but gives the Commissioner the discretion to impose a general fine in addition to the fixed fines, said a leading lawyer.
Violations of the GDPR can result in significant fines of up to EUR 10 million or EUR 20 million or 2% or 4% of an organization’s worldwide annual turnover in the previous financial year, depending on the provisions of the law that was violated.
Kellie Blyth, consultant and data and technology director at Baker McKenzie Habib Al Mulla, however, said that the Commissioner can also impose fines for violations of certain DIFC obligations listed in Appendix 2, ranging from 20,000 up to $ 1
She said the fixed fines apply to specific violations, but in many circumstances there will be several violations at once, which gives the Commissioner the discretion to impose a general fine at a level the Commissioner considers appropriate and proportionate to the actual damage suffered by data subjects, taking into account the seriousness of the violation and the risk.
“If the Commissioner believes that this is justified, he can impose a fine in addition to the fines set out in the law. It is very unlikely that this fine will be imposed on a particular error, but rather on the errors as a whole. We have seen this in other countries where it is evident that the shortcomings were systemic and that a company is generally violating the law and privacy rights,” she said.
Article 62 of the law, she said, gives the board of directors of the DIFC authority the right to impose rules on the imposition and recovery of fines and, accordingly, further rules could be introduced in this area in the future.
The new law came into force on July 1, 2020. However, organizations were given until October 1, 2020 to achieve compliance, reflecting the business impact of the Covid-19 pandemic; this gave them a few months to make any changes required to bring their compliance frameworks into line with the new law.
Blyth said, however, that the Commissioner would be expected to set fines by applying these criteria in a manner similar to EU regulators such as the CNIL (Commission nationale de l’informatique et des libertés) in France.
The CNIL fined Google EUR 57 million in January 2019 for various breaches of the GDPR. The fine was assessed based on the following five factors: the nature of the violation, the extent of the violation, the fact that it was ongoing, the fact that it affected many people, and the size of the Google/Alphabet group.
Google appealed the fine, but the appeal was dismissed by the French Supreme Administrative Court in June 2019.
“Under the DIFC Act, the Commissioner would likely be subject to a general fine and a relevant administrative penalty if the offenses committed are uncountable or if there is an obvious violation of the privacy of data subjects (i.e. those to whom the personal data relate) reflects fines,” said Blyth.
However, she said that the law does not contain provisions similar to Article 3 of the GDPR, which gives the EU regulation its expanded extraterritorial effect.
“If one or more of the alternative criteria set out in Article 3 are met, the company concerned is subject to the requirements of the GDPR. However, the limited scope of the DIFC law does not mean that the law has no extraterritorial effect. There are some scenarios in which a company that is registered outside of DIFC could be subject to legal requirements,” she said.
One scenario is where a company not registered in DIFC appoints a DIFC-registered service provider to process personal data on its behalf.
An example would be a UAE-based company hiring a third-party administrator in DIFC to manage its employee benefit plan. The other scenario is where a company not registered in DIFC is commissioned by a DIFC-registered company to provide services.
A step in the right direction
Under the law, Blyth said, data processors are directly subject to certain legal obligations, including the obligation to implement an adequate level of security and appropriate organizational and technical measures to demonstrate that processing takes place in accordance with the law.
“The scope and detail of these measures should reflect the scope and resources of the data processor as well as the type of data processed and the risk that the processing poses to the data subjects.
“According to the law, such processing must also be carried out within the framework of a legally binding agreement that reflects several legal requirements (corresponding to the requirements of Article 28 of the GDPR). It should be noted that these requirements apply equally to subprocessors (i.e. processors that the primary processor instructs to perform certain data processing activities),” she said.
A personal data breach is defined in the law as a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
In practice, she said, a data breach could occur outside the DIFC, for example through the compromise of servers or a document storage facility in the United Arab Emirates or elsewhere, and would still trigger the legal obligation to notify the breach.
If a personal data breach occurs, a data processor is obliged to notify the responsible controller (i.e. the body that instructed the processing) immediately, as soon as it becomes aware of the breach.
“If an infringement affects the confidentiality, security or data protection of a data subject, the controller (i.e. the body that determines the purpose and means of the processing) is obliged to notify the DIFC data protection officer as soon as this occurs under the given circumstances. In particular, there is no 72-hour notification period to make this notification, as is the case under the GDPR,” she said.
Although the processing of personal data for personal, non-commercial purposes is not within the scope of the law, there are de minimis thresholds for certain requirements.
“It is best to see the law as a gradual change that requires companies to embed data protection compliance in their business and to align the legal framework of the DIFC with international best practices,” she added.