Cyber Crimes Law and Penal Code
The police in each Emirate have developed specialised cybercrime units to handle complaints that relate to breaches of the cybercrime law and related offences. The cybercrime unit in the Emirate where the offender resides or where the disclosure occurred will have jurisdiction over a data subject's complaint.
The cybercrime unit would investigate the case and decide whether to refer it to the Public Prosecutor in the same Emirate. If the case is referred and the Public Prosecutor is satisfied with the findings of the cybercrime unit, charges would be brought against the suspect and heard in the courts.
Punishments under the Cyber Crime Law include temporary detention, a minimum prison sentence of six months or one year, and/or a fine of between AED 150,000 and AED 1m (Articles 2, 3, 7, 21 and 22 of the Cyber Crime Law). If found guilty of an attempt to commit any of the relevant offences under the Cyber Crime Law, the punishment is half the penalty prescribed for the full crime (Article 40).
The Penal Code would also be enforced in the same manner described above and, depending on the nature of the complaint, a specialist police unit may be involved in investigating the alleged offence.
The TRA is responsible for overseeing the enforcement of the PCIP (and all telecommunications regulation in the UAE). Where a licensed telecommunications service provider has breached the Law, the subscriber/data subject generally needs to complain first to the service provider about the breach (Clause 3.1 Consumer Complaint and Dispute Procedure), though a direct approach to the TRA may be possible (Clause 4.1 of the Consumer Complaint and Dispute Resolution Policy). The subscriber may complain to the TRA if the breach is not satisfactorily resolved within thirty days of the date of the complaint (Clause 2.2.1 Consumer Complaint and Dispute Procedure), or within a longer period if the service provider notifies the subscriber of this extended period (Clause 2.2.1 Consumer Complaint and Dispute Procedure).
The subscriber's complaint needs to be submitted to the TRA within three months of the date when the service provider last took action (Clause 3.2 Consumer Complaint and Dispute Procedure). This three-month requirement may be waived subject to the discretion of the TRA (Clause 3.3 Consumer Complaint and Dispute Procedure).
After examining the complaint, the TRA may direct the service provider "to undertake any remedy deemed appropriate".
Federal Law No 2 of 2019 – Healthcare
Sanctions for failing to handle patient medical data in accordance with the law include a fine of up to AED 1m and the possible blocking of access to the central healthcare information system. Loss of such access could render it virtually impossible for a healthcare provider to carry on its business lawfully, so it is a very serious sanction.