Data Protection Enforcement Action on the Rise
In recent years, updates to the data protection laws and regulations in the UAE have brought the regimes more in line with international best practices, following examples such as the California Consumer Privacy Act (“CCPA”) and the European General Data Protection Regulation (“GDPR”).
How the UAE’s data protection regimes set a new standard
The UAE’s data protection regimes, set out below, are now setting the bar for neighbouring jurisdictions:
- Dubai International Financial Centre (“DIFC”) Data Protection Law No.5 of 2020
- Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021
- UAE Federal Decree-Law no.45 of 2021 on the Protection of Personal Data
Locally, regulators have made a great effort to educate those firms that fall within the scope of the regimes, including the use of outreach sessions, assessment tools, and an endless supply of guidance.
How supervisory firms are responding
Following a settling-in period, regulators are now beginning to take a firm stance against businesses that have not taken advantage of the free education available and are now in contravention of the abovementioned regimes.
Firms within the DIFC, ADGM and United Arab Emirates (“UAE”) onshore may find it useful to review recent enforcement action and assess the critical weaknesses within their existing data protection framework, to take a more proactive stance.
The reasons for enforcement action are wide-ranging and we have summarised several case studies below. However, many fall within the data breach category because personal data is not adequately safeguarded.
Data breaches
Generally, firms can expect to experience a data breach at some point. This is often due to human error, so it is essential to have measures in place to prevent these, mitigate the risks, and be prepared to respond appropriately.
Financial institutions hold high-value data, and the growth of digital transformation gives cyber-attackers ever more opportunities to acquire it.
These incidents highlight the importance of preserving the data subject’s right to privacy. It is becoming increasingly important to safeguard the personal information of your most important stakeholders against accidental or unlawful loss, disclosure, and access. Inadequate management of this could result in the theft or loss of personal data, which would have severe repercussions for a firm in the form of monetary loss, reputational harm, and legal penalties.
Additional factors driving regulatory intervention
Other reasons why supervisory bodies are responding may include:
- incorrect data processing notifications to the supervisory body in your jurisdiction
- failing to inform data subjects of the required information upon the collection of their data, including data subject rights
- data subject requests not being recognised and acted upon
- failing to report data breaches to the supervisory body or data subject, where required
- inadequate internal controls to safeguard data.
Here, we look at some of the most significant financial penalties that financial institutions have been subject to recently and try to understand what we can learn from these.
Google, LLC, September 2023
The California Attorney General reached a $93 million settlement with Google LLC. Google was deceiving users by collecting, storing, and using their location data for consumer profiling and advertising purposes without informed consent.
What can we learn from this?
Google misled customers by incorrectly informing them that if they turned off their location settings that their data would not be tracked. This case highlights the importance of ensuring that the purpose for processing personal data is legitimate, explicit, and specified at the time of collection. Informed consent should be obtained when necessary.
Flagstar Bank, June 2022
Flagstar Bank experienced a significant data breach in June 2022. The bank, one of the most prominent financial institutions in the US, allowed the social security numbers of approximately 1.5Mn clients to be released, forcing the bank to pay $5.9Mn in out-of-court settlements. As soon as they learned of the data breach, Flagstar Bank began incident response procedures and reported that their investigations concluded that there was no evidence of misuse. Despite this, customers were still urged to check their credit regularly and report any unusual activity.
What can we learn from this?
Although the precise attack vector was not disclosed, it emphasises the importance of covering every potential vulnerability, from internal threats to ransomware defence to third-party risk. Data Protection Officers should work with the IT function to ensure appropriate technical and organisational measures are in place to protect personal data.
TikTok, September 2023
The Irish Data Protection Commission fined TikTok Technology Limited (“TikTok”) €345Mn for GDPR violations. In addition, TikTok received a public reprimand and an order to comply within three months.
During 31 July 2020 – 31 December 2020, the DPC found that TikTok failed to:
- protect children’s personal data by setting default public settings
- verify users’ age prior to access
- implement suitable transparency with the use of notifications.
What can we learn from this?
Privacy by design should be considered in the creation of any platform that is hosting personal data. Security settings should also be proportionate to the type of data, volume of data and data subjects involved.
Vodafone, April 2023
The Spanish data protection authority (“AEPD”) imposed a fine of €140,000 on Vodafone España S.A.U (“Vodafone”) for violations of the GDPR following a complaint submitted by an individual. The AEPD found that Vodafone had failed to verify the identity of a third party who duplicated the complainant’s SIM card, allowing the third party to gain access to the affected person’s bank account and conduct unauthorised transactions. Vodafone failed to obtain the consent of the data subject to share their data. Following its investigation, the AEPD noted that Vodafone, in failing to rely on an appropriate legal basis for processing the complainant’s personal data, had violated Article 6(1) of the GDPR.
What can we learn from this?
The appropriate policies and procedures should always be followed. Employees involved in data processing operations should be sufficiently trained to verify the identity of third parties and to obtain the consent of the data subject before sharing their personal data.
Meta Platforms Ireland Limited, April 2023
Following the European Data Protection Board’s binding dispute resolution decision of 13 April 2023, Meta IE was issued a €1.2Bn fine by the Irish Data Protection Authority following an inquiry into its Facebook service. This fine, the largest GDPR fine ever, was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses (“SCCs”) since 16 July 2020. SCCs contain safeguards intended to ensure that personal data continues to be protected when transferred outside of the jurisdiction. However, Meta’s use of SCCs was considered inadequate, as the data flows were found to still expose Europeans to the US’s weaker privacy laws.
What can we learn from this?
Although SCCs are considered to be a safeguard, firms should conduct a holistic review of the data transfer proposed and introduce additional mitigating measures where necessary. Firms may also consider looking at providers locally instead of transferring data to other possibly inadequate jurisdictions.
The data protection regimes in the UAE are similar to the GDPR in many ways, including the requirement that businesses implement effective systems to safeguard the data they hold. The cases above also highlight the importance of allocating clear responsibility for compliance with data protection legislation.
Regulators in the region have started to take enforcement action against firms within their jurisdiction that are not taking their data protection obligations seriously.
In 2022, the DIFC Commissioner’s Office conducted 105 inspections of entities in the centre, on target with their aim to conduct at least 100 supervisory actions, including inspections, per year. Forty-one fines were issued during 2022. By the end of Q2 2023, 54 inspections had been completed.
The DIFC Commissioner’s Office released two decision notices in 2022, and the ADGM released a Direction in June 2023, as summarised below.
VentureRock Global Limited, June 2023
The Commissioner of Data Protection of ADGM served VentureRock Global Limited (“VentureRock”) with a Direction for failure to comply with the ADGM Data Protection Regulations 2021. The ADGM Office of Data Protection was informed by ADGM Information Security of a malicious phishing email originating from a VentureRock employee’s email address. The Office of Data Protection requested VentureRock to file a breach notification form, which it did; the form was subsequently found to lack sufficient information, as did the follow-up assessment. The Direction was issued for the firm’s failures under a number of items listed in the Direction, such as failing to cooperate with the Commissioner, not implementing appropriate or effective technical and organisational measures, and failing to implement appropriate security of personal data.
What can we learn from this?
Firms should have appropriate policies and procedures, as well as technical measures, in place to protect data, and should test them regularly to ensure they remain fit for purpose. Firms should be transparent and cooperative with the Commissioner in all dealings.
Quilter, December 2022
In December 2022, a Decision Notice was published by the DIFC Commissioner, which confirmed that Quilter had failed to provide the required information concerning the transfer of personal data to a third country, resulting in the firm being fined $2,000 for incorrect notification to the Commissioner.
What can we learn from this?
Firms should consider the adequacy of any jurisdictions they wish to transfer data to and whether a notification to the Commissioner regarding any jurisdictional transfers is needed. Firms should ensure that the information provided in the notification to the Commissioner is accurate.
FTI Consulting, September 2022
In September 2022, the DIFC Commissioner found that FTI Consulting was in contravention of the DIFC Data Protection Law in relation to the following matters:
- not providing valid notice to data subjects that contacts of new or existing employees would be collected and used for marketing purposes.
- not responding to the valid 5 December 2021 subject access request within the period prescribed by the DIFC DP Law.
The firm was subsequently fined $15,000.
What can we learn from this?
A Privacy Notice should be provided to all data subjects, including employees, to inform them of the purpose of collection and how it will be used, amongst other things. Firms should have in place subject access request procedures in addition to training to ensure that employees can identify any SARs and ensure that they are dealt with in accordance with the regulations.
The data protection frameworks in the UAE and around the world continue to evolve rapidly, contributing to the confidence and ease of firms and investors doing business around the globe.
In the UAE, protecting one’s privacy and personal information is a basic right, and businesses are expected to abide by the necessary data protection laws and regulations.
It is essential to understand the importance of data protection for reasons such as protecting your employees’ and clients’ personal information, complying with regulations, protecting privacy, and staying informed of current trends in order to make informed decisions. There is also a reputational element, which is a priority for well-regarded firms.
Firms can ensure that they are compliant by adopting a proactive strategy that involves being aware of the pertinent laws, implementing suitable security measures and keeping staff informed. This may include conducting staff training, conducting routine audits and responding to data breaches and subject access requests. Organisations can secure personal data and adhere to requirements by adopting these actions.
How Waystone Compliance Solutions can help you
We have assisted more than 80 clients in the ADGM, DIFC, and the UAE onshore with their data protection requirements, including implementing complex, multi-jurisdictional data protection frameworks, advising on cross-border transfers, incorporating data protection principles, and drafting suitable documentation in accordance with the relevant data protection regulations and laws.
Waystone Compliance Solutions is well-positioned to support you in maintaining a compliant data protection framework, providing an experienced outsourced Data Protection Officer, or educating and training your in-house Data Protection Officer on the regulatory requirements.
For further details, please contact: Kate Brookstein, Head of Data Protection, UAE.