DIFC brings its new data protection law in accordance with international best practice

Kellie Blyth, Counsel and Head of Data and Technology at Baker McKenzie Habib Al Mulla
(Image credit: Baker McKenzie Habib Al Mulla)

The DIFC Data Protection Law does not stipulate a maximum cap on fines, similar to GDPR, but gives the Commissioner discretion to impose a general fine on top of administrative fines, a leading lawyer said.

Breaches of the GDPR can give rise to significant administrative fines of up to €10m or €20m or 2% or 4% of an organisations' total annual worldwide turnover for the preceding financial year, depending on the provision of the law that has been breached.

However, Kellie Blyth, Counsel and Head of Data and Technology at Baker McKenzie Habib Al Mulla, said that the Commissioner can also impose administrate fines in relation to contraventions of particular obligations under the DIFC Law which are set out in Schedule 2 and which range from $20,000 to $100,000.

She said that the administrative fines are for specific breaches but in many circumstances, there will be multiple breaches which might give the Commissioner discretion to impose a general fine in an amount the Commissioner considers appropriate and proportionate taking into account the seriousness of the breach and risk of actual harm to data subjects.

“If the Commissioner considers that it is warranted, he may impose a fine in addition to those specified in the law. This fine is highly unlikely to be imposed in respect of one specific failure but rather when looking at the failures as a whole. We have seen this in other countries where it is evident that the failings were systemic and showed a company’s general disregard for the law and rights of privacy,” she said.

Article 62 of the law, she said grants the DIFC Authority Board of Directors the right to introduce regulations relating to the imposition and recovery of fines and, accordingly, further regulation may be introduced in this area in future.

The new law came into force on July 1, 2020. However, organisations were given until October 1, 2020, to achieve compliance to allow for the impact of the Covid-19 pandemic on business operations and thus giving organisations a few more months to make any changes required to bring their compliance frameworks into line with the new law. 

However, Blyth said that it is reasonable to expect that the Commissioner will determine fines by applying these criteria in a similar way to EU regulators, such as the CNIL (Commission nationale de l'informatique et des libertés) in France.

The CNIL fined Google € 57m in January 2019 for committing various breaches of the GDPR. The fine was assessed by reference to the following five factors: the type of violation, the scale of the breach, the fact it was continuous, the fact it affected lots of people and the size of the Google/Alphabet group.

Google appealed the fine but the appeal was rejected by France's top administrative court in June 2019. 

“Under the DIFC law, when the breaches committed are innumerous or reflect a blatant disregard for the privacy of data subjects (i.e., the people that the personal data relates to), the Commissioner would likely impose a general fine as well as any relevant administrative fines,” Blyth said.

However, she said the law does not contain provisions similar to Article 3 of the GDPR, which gives the EU regulation its extended extra-territorial effect.

“When one or more of the alternative criteria under Article 3 are satisfied, the company in question will be subject to the GDPR's requirements. The more limited scope of the DIFC law does not, however, mean that the law has no extra-territorial effect. There are a couple of scenarios in which a company, incorporated outside the DIFC, could be subject to the law's requirements,” she said.

The first is where a non-DIFC incorporated company appoints a DIFC incorporated service provider to process personal data on its behalf.

An example would be where a UAE-based company appoints a third-party administrator in the DIFC to administer its employee benefits scheme. The other example is where a non-DIFC incorporated, company is appointed by a DIFC incorporated company to perform services.

A step in the right direction

Under the law, Blyth said that Data Processors are directly subject to certain legal obligations, including a duty to implement an appropriate level of security and suitable organisational and technical measures to demonstrate that processing is being carried out in compliance with the law.

“The level and detail of those measures should reflect the scale and resources of the Data Processor as well as the nature of the data being processed and the risk that the processing poses to data subjects. 

“Under the law, such processing also needs to be carried out under a legally binding agreement which reflects several requirements under the law (equivalent to Article 28 requirements under the GDPR). It is worth noting that these requirements will apply equally to sub-processors (i.e., processors appointed by the primary processor to carry out certain of the data processing activities),” she said.

A personal data breach is defined in the law as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

In practice, she said that a data breach could occur outside of the DIFC, for example through the compromise of servers or a document storage facility located onshore UAE or elsewhere, which triggers a data breach notification obligation under the law. 

When a personal data breach occurs, she said that a Data Processor is obliged to notify the relevant Controller (i.e., the entity that instructed the processing) without delay on becoming aware of the breach.

“If a breach compromises a data subject's confidentiality, security or privacy, then the Controller (i.e., the entity which determinates the purpose and means of the processing) is obliged to notify the DIFC Commissioner of Data Protection as soon as is practicable in the circumstances. Notably, there is no 72-hour notification deadline to make this notification as is the case under the GDPR,” she said.

Even though personal data processing for personal, non-commercial purposes does not fall within the scope of the law, she said that there are also de-minimis thresholds applicable to certain requirements.

“It is best to think of the law as a step-change designed to require organisations to embed data protection compliance in their operations and to bring the DIFC legal framework in line with international best practice,” she added.