Onshore – the DPL does not contain details of the administrative sanctions that will apply but anticipates that the implementing regulations of the law will define the sanctions. There is no mention of any criminal sanctions in the DPL (but please note the potential overlap with the Cybercrime Law noted above). The DPL provides that data subjects may file a complaint with the UAE Data Office and that the UAE Data Office may subsequently impose an administrative penalty on offenders, but the DPL does not provide for an express right of compensation or redress in favour of the data subject. This may be clarified further in the executive regulations or data subjects may otherwise seek to have to bring claims based around tortious principles, rather than under clear statutory rights of redress.
Most of the other relevant laws are criminal laws but under Federal Law No 2 of 2019, violation can lead to a fine and/or suspension of access to the central health database. Violation of the TRA IoT Regulatory Policy is treated as a violation of the UAE’s Telecommunications Law and could lead to administrative fines or the suspension of licences to carry on commercial activity.
DIFC – the maximum administrative fine that can be issued by the Commissioner of Data Protection for breach of the DPL or for breach of a direction issued by the Commissioner is USD 100,000. In addition, public reprimands may be issued. The Commissioner of Data Protection has the right to issue higher fines, without a specified limit for breaches of a serious non-administrative nature. Any person who receives an administrative penalty or direction has the right to seek judicial review in the courts of the DIFC.
ADGM – the maximum fine that can be issued by the Commissioner of Data Protection (the head of the Office of Data Protection) for breach of the DPR or for breach of a direction issued by the Commissioner is USD 28m. Any person who receives a fine or direction has the right to seek judicial review in the courts of the ADGM.
Dubai Healthcare City – the DHCR is not specific on the sanctions for breach but provides the authority with the ability to publish a list of penalties. This list does not seem to be readily publicly available and may have been issued privately to licensees as a circular.
Violation of the Penal Code and the Cybercrimes Law can result in imprisonment for significant periods (for example, a prison sentence of at least six months for violating Articles 6 and 45 of the Cybercrimes Law) or significant fines. The revised Cybercrimes Law has only recently been published and come into effect, and there is no guidance or established practice as to how it will be enforced. The UAE Onshore legal system does not operate a binding system of court precedent, so there are no binding authorities which can be referred to, in order to determine how the Cybercrime Law would be applied. In practice, anecdotal reports tend to suggest that such provisions are invoked where the issue at hand is more concerned with invasion of privacy (betraying confidence, taking intrusive pictures/videos without permission, publicising private information) than with administrative or highly technical breaches of business-focused data laws, however there is no comprehensive public record to refer to in order to verify this.
The Consumer Protection Law provides for criminal sanctions in relation to certain breaches but is silent on the sanction for infringement of the provisions relating to use of customer data. The impending implementing regulations may clarify the position on such sanctions.
Under the DIFC and ADGM data protection laws, individuals have the right to seek damages if they suffer material or non-material harm as a result of an infringement.
Under the Onshore legal regime, an individual may have a tortious right to seek damages for harm suffered, in addition to filing a criminal complaint if applicable. The DHCR does not provide individuals with an express right to seek damages but does provide a right to raise a complaint and an individual may also be able to bring a tortious claim.