Data Protection in UAE - General

Enforcement in UAE - General

The PDPL does not specify penalties, but notes that the Cabinet shall, based on the proposal of the Office General Manager, issue a decision specifying the acts that constitute a violation of the provisions of this Decree Law and the Executive Regulations thereof and the administrative penalties to be imposed.

Despite this there remain possible methods of enforcement of other UAE privacy laws:

Where the unauthorised disclosure of personal data results in a breach of the Penal Code

The Public Prosecutor in the Emirate where:

  • the party suspected of the breach (‘Offender’) resides; or
  • the disclosure occurred,

will have jurisdiction over a Data Subject’s complaint.

If after concluding investigations with the police, the Public Prosecutor is satisfied with the evidence compiled, charges may be brought against the suspect.

The case would then be transferred to the Criminal Courts of First Instance. The Data Subject may attach a civil claim to the criminal proceedings before the Courts have ruled on the case.

Pursuant to Article 432 of the Criminal Law, if the Courts find a suspect who by virtue of his profession, occupation, status, or specialisation has access to a secret but discloses such secret in other than the cases permitted by Law, or who uses such secret for his own benefit or the benefit of another person, unless such disclosure or use is authorised by the concerned person,  may be penalized by a fine of at least UAE Dirhams 20,000 (the fine is determined by the Courts) and / or an imprisonment for at least one year. 

Similarly, pursuant to Article 431 of the Criminal Law a punishment of “a jail sentence and a fine” shall be inflicted on any person who interferes with the right to privacy and family life of individual by: 

  • eavesdropping, or recording, or transmitting, through a device of any type, conversations done privately or by phone or any other device;
  • taking or transmitting, through a device of any type, pictures of any person in private,

unless legally permitted or with the individual’s consent. 

When ruling on the criminal case, the Criminal Courts would usually transfer a civil claim made by the Data Subject to the Civil Courts of First Instance for further consideration. The Data Subject would need to prove the losses he / she has suffered as a direct result of the disclosure of his / her personal data before the Civil Courts in order for damages to be awarded. 

Where the unauthorised disclosure of personal data results in a breach of the Cyber Crime Law

The police in each Emirate have developed specialised cybercrime units to handle complaints that relate to breaches of the Cyber Crime Law.

As above, the cybercrime unit in the Emirate where:

  • the Offender resides; or
  • where the disclosure occurred,

will have jurisdiction over a Data Subject’s complaint.

The cybercrime unit would investigate the case and decide whether or not to refer it to the Public Prosecutor in the same Emirate. If the case is referred and the Public Prosecutor is satisfied with the findings of the cybercrime unit, charges would be brought against the suspect. The same procedure identified above is then followed before the Courts.

If found guilty of an offence under the Cyber Crime Law, the punishment an Offender can receive varies depending on the nature of the crime. Punishments range from temporary detention, a minimum prison sentence of between six months or one year and / or a fine between AED 150,000 and 5,000,000 (Articles 2, 3, 4, 6, 7, 8 and 45 of the Cyber Crime Law). Notably, Article 13 of the Federal Decree Law No. 34 of 2021 on Combatting Rumors and Cybercrimes provides that “Everyone employs information technology or an information technology method to collect, keep or process personal data and information of the nationals or the residents in the state in violation of the legislations in force in the state shall be sentenced to detention and / or to pay fine of not less than (50,000) fifty thousand Dirhams and not more than (500,000) five hundred thousand Dirhams.” As such, it is likely that this penalty may apply for breaches of the PDPL. If found guilty of an attempt to commit any of the relevant offences under the Cyber Crime Law, the punishment is half the penalty prescribed for the full crime (Article 57).

Where the unauthorised disclosure or transfer of personal data results in a breach of the Central Bank’s Consumer Protection Regulation, Retail Services Regulation or SVF Regulation

The Central Bank may issue administrative and / or financial penalties against Licensed Financial Institutions, SVF Licensees and Payment Service Providers at their discretion.  In the case of the Consumer Protection Regulation they may include fines, replacing or restricting the powers of Senior Management or Members of the Board.

Where the unauthorised disclosure of personal data results in a breach of the UAE Telecommunications Law and Policies

Where a licensed telecommunications service provider has breached the law, the subscriber / Data Subject may raise a dispute with the TDRA directly (Article 1.1 of Annex to the TDRA Consumer Protection Regulations 2.0) 

At any time during, or at the conclusion of, the TDRA's handling of a complaint, the TDRA may direct the service provider 'to undertake any remedy deemed reasonable and appropriate' (Article 26.16.3 of the TDRA Consumer Protection Regulations v2.0).

Continue reading

  • no results

Previous topic
Back to top