Data Protection Enforcement Action on the Rise

      Updates to the data protection laws and regulations in the region over recent years have brought the regimes closer in line with international best practices, following the likes of the California Consumer Protection Act ("CCPA") and the European Global Data Protection Regulation ("GDPR").

      The UAE’s data protection regimes, set out below,  are now setting standards for neighbouring jurisdictions.

      • Dubai International Financial Centre (“DIFC”) Data Protection Law No.5 of 2020
      • Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021
      • UAE Federal Decree-Law no.45 of 2021 on the Protection of Personal Data

      Locally, regulators have made great efforts to educate firms that fall within the scope of the regimes, including the use of outreach sessions, assessment tools, and an endless supply of guidance.

      Following a settling-in period, regulators are now beginning to take a strong stance against firms that have not taken advantage of the free education on offer and are now in contravention of the abovementioned regimes.

      Firms within the DIFC, ADGM and United Arab Emirates (“UAE”) onshore may find it useful to review recent enforcement action and assess the critical weaknesses within their existing data protection framework, in order to take a more proactive stance.

      Why are supervisory bodies taking enforcement action?Atoms / Icons / plusExpand

      The reasons for enforcement action are wide-ranging and we have summarised several case studies below. However, many fall within the data breach category because personal data is not adequately safeguarded. Generally, firms can expect to experience a data breach at some point. This is often due to human error, so it is essential to have measures in place to prevent these, mitigate the risks, and be prepared to respond appropriately.

      Financial institutions keep high-value data and the increase in digital transformations provides an increasing opportunity for cyber-attackers to acquire the data.

      These incidents highlight the importance of preserving the data subject’s right to privacy. It is becoming increasingly important to safeguard the personal information of your most important stakeholders against accidental or unlawful loss, disclosure, and access. Inadequate management of this could result in the theft or loss of personal data, which would have severe repercussions for a firm in the form of monetary loss, reputational harm, and legal penalties.

      Other reasons may include:

      • incorrect data processing notifications to the supervisory body in your jurisdiction
      • failing to inform data subjects of the required information upon the collection of their data, including data subject rights
      • data subject requests not being recognised and acted upon
      • failing to report data breaches to the supervisory body or data subject, where required
      • inadequate internal controls to safeguard data.

      Here, we look at some of the most significant financial penalties that financial institutions have been subject to recently and try to understand what we can learn from these.

      Read more
      Enforcement action in the USAtoms / Icons / plusExpand

      Flagstar Bank, June 2022

      Last year, a significant data breach at Flagstar Bank, one of the most prominent financial institutions in the US, allowed the social security numbers of approximately 1.5Mn clients to be released, forcing them to pay $5.9Mn in out-of-court settlements. As soon as they learned of the data breach, Flagstar Bank began incident response procedures and reported that their investigations concluded that there was no evidence of misuse. Despite this, customers were still urged to check their credit regularly and report any unusual activity.

      What can we learn from this? Although the precise attack vector was not disclosed, it emphasises the importance of covering every potential vulnerability, from internal threats to ransomware defence to third-party risk. Data Protection Officers should work with the IT function to ensure appropriate technical and organisational measures are in place to protect personal data.

      Capital One, December 2021

      A software engineer at Amazon Web Services accessed and exposed Capital One’s bank account details of over 100Mn individuals, which resulted in a class-action lawsuit brought by US consumers in December 2021, resulting in Capital One agreeing to pay $190Mn.

      What can we learn from this? This incident highlights the importance of regular penetration tests, ensuring incident response plans are in place, and conducting due diligence on third parties who may be processing personal data.


      Read more
      Enforcement action in EuropeAtoms / Icons / plusExpand

      CaixaBank, January 2021

      The largest fine ever levied by the Spanish Data Protection Agency (“AEPD”) of $6Mn was imposed on CaixaBank, S.A.

      According to the AEPD, CaixaBank relied on ‘legitimate interests’ without any reason. The applicable law requires a legitimate interests assessment to be conducted and recorded before relying on legitimate interests. Moreover, the business did not obtain customers’ consent in a manner compatible with the GDPR. Under the GDPR, the requirements for relying on consent are rigorous, including the requirement to opt-in for the consent to be relied upon.

      The Privacy Policy of CaixaBank was considered non-compliant by the AEPD for giving ambiguous and contradictory information regarding its data processing procedures.

      What can we learn from this? Explore whether other legal bases may be appropriate before relying on consent, as it can be onerous. If you must rely on consent, ensure it meets your jurisdiction’s regulatory requirements. Data protection policies and procedures should be regularly reviewed and updated where necessary.

      BBVA, December 2020

      The AEPD’s second-largest penalty was against Banco Bilbao Vizcaya Argentaria, S.A. (“BBVA”). BBVA received a €3Mn penalty for delivering short message service (“SMS”) communications to customers without their permission. In most cases, sending direct marketing messages requires consent that complies with GDPR.

      The remaining €2Mn of the fine was connected to BBVA’s Privacy Policy, which was inadequate in explaining how the bank gathered and used the personal information of its clients.

      What can we learn from this? Firms wishing to conduct direct marketing should adhere to the explicit marketing rules within their jurisdiction before issuing any marketing material. Privacy policies should accurately reflect each firm’s data processing operations.

      Square, April 2022

      Unauthorised downloads of client information reports were made by a Square (now known as ‘Block’) employee. The data is thought to have covered 8.2Mn current and past clients and included data such as names, brokerage account numbers, portfolio values, and holdings.

      The breach was brought about by an internal threat that employees were managing as part of their regular duties, something which would have been impossible to identify using traditional insider threat monitoring techniques.

      What can we learn from this? This highlights the importance of adequately training all employees involved in data processing operations and introducing access controls where possible.


      Read more
      Enforcement action in the UAEAtoms / Icons / plusExpand

      The data protection regimes in the UAE are similar to the GDPR in many ways, including the requirements for businesses to implement effective systems to safeguard the data they hold. It also highlights the importance of allocating responsibility for compliance with the data protection legislation.

      Regulators in the region have started to take enforcement action against firms within their jurisdiction who are not taking their data protection obligations seriously. In 2022, the DIFC Commissioner of Data Protection introduced a supervision and enforcement section to the DIFC website. It is also expected that the ADGM Commissioner of Data Protection will release supervision and enforcement information to the public in the coming months.

      In 2022, the DIFC Commissioner’s Office conducted 105 inspections, on target with their aim to conduct at least 100 supervisory actions, including inspections, per year. Forty-one fines were issued during 2022, a reduction from the 146 issued in 2021. While there are definitive improvements in compliance, there is still room for improvement.

      The DIFC Commissioner’s Office released two decision notices in 2022, in brief:

      FTI Consulting, September 2022

      In September 2022, the DIFC Commissioner found that FTI Consulting was in contravention of the DIFC Data Protection Law in relation to the following matters:

      • not providing valid notice to data subjects that contacts of new or existing employees would be collected and used for marketing purposes
      • not responding to the valid 5 December 2021 subject access request within the period prescribed by the DIFC DP Law.

      The firm was subsequently fined $15,000.

      What can we learn from this? A Privacy Notice should be provided to all data subjects, including employees, to inform them of the purpose of collection and how it will be used, amongst other things. Firms should have in place subject access request procedures and also training to ensure that employees can identify any SARs and ensure that they are treated as per the regulations.

      Quilter, December 2022

      In December 2022, a Decision Notice was published by the DIFC Commissioner, which confirmed that Quilter failed to provide the required information concerning the transfer of personal data to a third country, resulting in the firm being fined $2,000 for incorrect notification to the Commissioner.

      What can we learn from this? Firms should consider the adequacy of any jurisdictions they wish to transfer data to and whether notification to the Commissioner regarding any jurisdictional transfers is needed.

      Read more
      Why do we need to implement a data protection framework?Atoms / Icons / plusExpand

      The data protection frameworks in the UAE and around the world continue to evolve rapidly, thus, contributing to the confidence and ease of firms and investors doing business around the globe.

      In the UAE, protecting one’s privacy and personal information is a basic right, and businesses are expected to abide by the necessary data protection laws and regulations. The data protection regimes are generally set against the global standard for data protection.

      It is essential to understand the importance of data protection for the reasons such as protecting your employees’ and clients’ personal information, complying with regulations, protecting privacy, and staying informed of the current trends in order to make informed decisions. There is also a reputational element which is of importance to well-regarded firms.

      Firms can ensure they are compliant by adopting a proactive strategy that involves being aware of the pertinent laws, implementing suitable security measures, and informing staff, including conducting training, conducting routine audits, responding to data breaches, and subject access requests. Organisations can secure personal data and adhere to requirements by adopting these actions.

      Read more

      How Waystone Compliance Solutions can help you

      We have assisted more than 80 clients in the ADGM, DIFC, and the UAE onshore with their data protection requirements, including implementing complex, multi-jurisdictional data protection frameworks, advising on cross-border transfers, incorporating data protection principles, and drafting suitable documentation in accordance with the relevant data protection regulations and laws.

      Waystone is well-positioned to support you in maintaining a compliance data protection framework, providing an experienced outsourced Data Protection Officer, or educating and training your in-house Data Protection Officer on the regulatory requirements.

      For further details contact: Kate Brookstein, Head of Data Protection, UAE.

      Previous post Next post

      More like this

      Regulatory Update: Middle East Edition – August 2023

      This edition includes – ‌FSRA announces changes to its regulatory framework on client classification, client assets and conduct requirements regarding…
      Read more

      Suitability- is your firm complying with the DFSA Rules?

      In 2020, the DFSA completed a programme of thematic reviews designed to assess the suitability-related systems and controls implemented by…
      Read more

      Regulatory Update: Middle East Edition – July 2023

      This edition includes – ‌ADGM Announce Sustainable Finance Regulatory Framework, DFSA Host Cyber Security Awareness Session, SCA Opens Virtual Asset…
      Read more

      Regulatory Update: Middle East Edition – June 2023

      This edition includes – ‌DFSA Publishes Consultation Paper on AML Rule Changes, ADGM Announce Abu Dhabi Finance Week, SCA Issues…
      Read more

      Regulatory Update: Middle East Edition – May 2023

      This edition includes – ‌DFSA Hosts Annual Outreach Session 2023, FSRA Enhances Framework for Private Credit Funds, MENA FATF upgrades…
      Read more

      Regulatory Update: Middle East Edition – April 2023

      This edition includes - ‌DFSA release CP150 on Money Services, Crypto Tokens and Crowdfunding, ADGM RA publishes CP on Distributed…
      Read more