Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 23 December 2024

The DIFC Commissioner of Data Protection oversees the enforcement of the DIFC Data Protection Law. They are appointed by the President of the DIFC in consultation with the Board of Directors of the DIFC Authority.

There are no regulators with specific responsibility for cybersecurity and non-personal data enforcement in the DIFC.

How active is each of the regulator(s)?

Last review date: 23 December 2024

Moderately active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 23 December 2024

While details of fines issued for breaches of the DIFC Data Protection Law are not routinely published, inspection statistics are posted on a regular basis.

The DIFC’s reports indicate that the total number of administrative fines issued in 2023 was 323, compared to 41 in 2022. Such fines generally arise as a result of basic compliance contraventions, such as non-renewal of processing notifications or failure to reply to an investigation request.

In furtherance of the objectives referred to above, and to support the DIFC Authority's broader aim to make the DIFC an attractive jurisdiction for conducting business, the Commissioner has confirmed that (i) he is in favor of adopting a balanced and objective approach to enforcement of the law; (ii) he does not envisage imposing significant fines for minor breaches; (iii) general fines, which are not subject to a statutory maximum, will only be imposed in exceptional cases; and (iv) where businesses are proactive in their efforts to achieve compliance with the Law, the Commissioner's Office is likely to look upon them more favorably in the event of a breach, in comparison to a business that has made little effort to reflect the requirements of the Law in its processes and procedures.

Given the introduction in the Regulations supplementing the DIFC Data Protection Law of specific regulation on the processing of personal data using autonomous and semi-autonomous systems, the DIFC Commissioner may start to place an increased level of scrutiny on the use of such systems, particularly in light of the nascent but growing international regulatory landscape with respect to the use and deployment of artificial intelligence.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 23 December 2024

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

  • Rare
  • Increasing

Class actions/group actions under data or cyber regulation are:

  • Not available in the jurisdiction

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 23 December 2024

There are:

  • administrative remedies from regulators and law enforcement

    Breaches of the DIFC Data Protection Law may result in statutory fines. The list of fines is set out in Schedule 2 of the DIFC Data Protection Law. Multiple fines may be levied where more than one of the law’s requirements have been breached. The Commissioner also has the power to impose overarching fines, for example in response to flagrant or multiple breaches of the law. These discretionary fines are currently uncapped but the Commissioner has the power to implement further specific guidance on this issue.
  • criminal penalties from regulators and law enforcement

    The onshore criminal law also applies in the DIFC and privacy breaches could, in some circumstances, amount to a criminal offence punishable by a custodial sentence and/or a fine. All offences will be investigated by the Dubai police and referred to the public prosecutor if the police deem it necessary. In practice, the police are unlikely to interfere in data protection compliance matters, which are regulated by the DIFC Data Protection Law.
  • private remedies

    It is possible for a data subject to apply to the DIFC Courts for damages for a breach of the DIFC Data Protection Law. The calculation of damages would be determined with reference to the DIFC Law of Damages and Remedies (DIFC Law No. 7 of 2005) and, where not addressed in the law, the principles of English common law.

If data subjects have private remedies, what form can these remedies take?

Last review date: 23 December 2024

Individual personal actions