DATA PROTECTION OFFICERS
There is no requirement in the UAE for organisations to appoint a data protection officer.
COLLECTION AND PROCESSING
If the collection and processing of any personal data pertains to an individual's private or family life then the consent of the individual is required. A failure to obtain such consent would constitute a breach of the Penal Code (Article 378) and could also be a breach of the:
- Cyber Crime Law if the personal data is obtained or processed through the internet or electronic devices in general (Articles 21 and 22); and
- Telecoms Law to the extent that data is obtained through any means of telecommunication, including through a telecommunications service provider, or any other electronic means (Clause 3 Privacy of Consumer Information Policy).
Additionally, unlawful access via the internet, by electronic devices, of financial information (e.g. credit cards and bank accounts) without permission is an offence under the Cyber Crime Law (Articles 12 and 13).
According to the Penal Code (Clause 379), personal data may be transferred to third parties inside and/or outside of the UAE if the data subjects have consented in writing to such transfer.
The requirement to obtain the written consent may be waived, pursuant to the Penal Code (Article 377) and Clause 3 of the Privacy of Consumer Information Policy, where:
- a UAE official/public authority has required the transfer of such data to it; and
- the transfer serves public interests or national security.
There are no specific provisions under UAE Federal Law relating to the type of measures to be taken or level of security to have in place against the unauthorised disclosure of personal data. Instead, the Cyber Crime Law focuses on offences related to accessing data without permission and/or illegally (Articles 2 and 3 of the Cyber Crime Law), including financial information (e.g. credit card information or bank account information) (Articles 12 and 13).
The Policies require telecommunications service providers to "take measures to prevent the unauthorised use or disclosure of consumer information", "strive to protect the privacy of consumer personal data that they maintain in their files whether in electronic or paper form" and "limit access to consumer information to trained and authorised staff" (Clause 3 of the Privacy of Consumer Information Policy).
Based on the above, best practice from a UAE law perspective would be to take appropriate technical security measures against unauthorised or unlawful processing of, and against accidental disclosure of, personal data. The measures taken must ensure a level of security adequate enough to minimise the risk of liability arising out of a claim for breach of privacy made by a data subject.
In principle, there is no mandatory requirement under UAE Federal Law to report data security breaches.
Data subjects based in the UAE, however, may be entitled to hold the entities in possession of their data liable under the principles of the UAE Civil Code for negligence in taking proper security measures to prevent the breach, if the breach has resulted in actual losses being suffered by the data subjects.
In relation to telecommunication services, the Telecoms Law and most Policies do not include an explicit requirement on service providers to take the initiative in notifying the TRA of a breach or alleged breach, unless a subscriber complains to a service provider about the unauthorised disclosure of his or her personal data (Clause 3.2.2 of the Consumer Complaint and Dispute Resolution Policy).
Subscribers are also able to complain direct to the TRA about the unauthorised disclosure of their personal data (Clause 3.3 of the Consumer Complaint and Dispute Resolution Procedures and Clause 4.1 of the Consumer Complaint and Dispute Resolution Policy).
There are three possible methods of enforcement from a UAE law perspective:
1. Where the unauthorised disclosure of personal data results in a breach of the Penal Code:
The Public Prosecutor in either the Emirate:
- where the party suspected of the breach ("Offender") resides; or
- where the disclosure occurred
will have jurisdiction over a data subject's complaint.
If, after concluding investigations with the police, the Public Prosecutor is satisfied with the evidence compiled, charges may be brought against the suspect.
The case would then be transferred to the Criminal Courts of First Instance. The data subject may attach a civil claim to the criminal proceedings before the Courts have ruled on the case.
Pursuant to the Penal Code (Article 379), if the Courts find a suspect guilty of disclosing secrets that were entrusted to him "by reason of his profession, craft, situation or art", the penalties to be imposed under the Penal Code may include a fine of up to UAE Dirhams 20,000 (the fine is determined by the Courts) and imprisonment for at least one year. More generally, pursuant to the Penal Code (Article 378), "a punishment of confinement and fine shall be inflicted on any person who attacks the sanctity of individuals' private or family life" by committing any of the acts described under Article 378 "other than the legally permitted cases or without the victim's consent."
When ruling on the criminal case, the Criminal Courts would usually transfer a civil claim made by the data subject to the Civil Courts of First Instance for further consideration. The data subject would need to prove the losses he/she has suffered as a direct result of the disclosure of his/her personal data before the Civil Courts in order for damages to be awarded.
2. Where the unauthorised disclosure of personal data results in a breach of the Cyber Crime Law:
The police in each Emirate have developed specialised cybercrime units to handle complaints that relate to breaches of the Cyber Crime Law.
As above, the cybercrime unit in the Emirate where:
- the Offender resides; or
- the disclosure occurred
will have jurisdiction over a data subject's complaint.
The cybercrime unit would investigate the case and decide whether or not to refer it to the Public Prosecutor in the same Emirate. If the case is referred and the Public Prosecutor is satisfied with the findings of the cybercrime unit, charges would be brought against the suspect. The same procedure identified above is then followed before the Courts.
If found guilty of an offence under the Cyber Crime Law, the punishment an Offender can receive under the Cyber Crime Law varies depending on the nature of the crime. Punishments range from temporary detention, a minimum prison sentence of between six months or one year and/or a fine between AED 150,000 and 1,000,000 (Articles 2, 3, 7, 21 and 22 of the Cyber Crime Law). If found guilty of an attempt to commit any of the relevant offences under the Cyber Crime Law, the punishment is half the penalty prescribed for the full crime (Article 40).
3. Where the unauthorised disclosure of personal data results in a breach of the Telecoms Law and Policies:
The TRA is responsible for overseeing the enforcement of the Telecoms Law and in this regard may rely on the Police and Public Prosecutor in the Emirate where either:
- the breach has occurred; or
- the suspect resides.
Where a licensed telecommunications service provider has breached the law, the subscriber/data subject generally needs to complain first to the service provider about the breach (Clause 3.1 Consumer Complaint and Dispute Procedure), though a direct approach to the TRA may be possible (Clause 4.1 of the Consumer Complaint and Dispute Resolution Policy). The subscriber may complain to the TRA if the breach is not satisfactorily resolved within:
- thirty days as of the date of the complaint (Clause 2.2.1 Consumer Complaint and Dispute Procedure); or
- a longer period if the service provider notifies the subscriber of this extended period (Clause 2.2.1 Consumer Complaint and Dispute Procedure).
The subscriber's complaint needs to be submitted to the TRA within three months of the date when the service provider last took action (Clause 3.2 Consumer Complaint and Dispute Procedure). This three months requirement may be waived subject to the discretion of the TRA (Clause 3.3 Consumer Complaint and Dispute Procedure).
After examining the complaint the TRA may direct the service provider "to undertake any remedy deemed appropriate" to the subscriber/data subject (Clause 4.3 Consumer Complaint and Dispute Policy).
No express laws are outlined under UAE law covering electronic marketing. However, Articles 21 and 22 of the Cyber Crime Law and Clause 3 of the Privacy of Consumer Information Policy, as described in the 'Collection and Processing' section above, are worded widely enough to potentially apply to electronic marketing. Article 22 of the Cyber Crime Law, for example, prohibits the use of various electronic devices in order to disclose, without permission, confidential information that has been obtained through the course of a person's duties.
ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)
Although the UAE Penal Code does not contain provisions directly relating to the internet, its provisions related to privacy are broadly drafted and therefore could apply to online matters (such as Article 378 as described above).
Additionally, as described in the 'Collection and Processing' section above, under certain circumstances, online privacy is protected through Articles 21 and 22 of the Cyber Crime Law and Clause 3 of the Privacy of Consumer Information Policy. Unlawful access via the internet, by electronic devices, of financial information (e.g. credit cards and bank accounts) without permission is also an offence under the Cyber Crime Law (Articles 12 and 13).
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com