What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
Under the UAE Penal Code (Art. 431) individuals who violate the private or familial life of individuals without the individual’s consent can be subject to detention and a fine (public servants may be subject to a fine and detention of seven years).
Those who are entrusted to a secret based on their profession, and divulge it without authorization from the confiding person (except where allowed by law) may be sentenced to one year detention (up to five years for public servants) and/or a minimum of 20,000 dirham (Art. 432). Penalties for privacy-related crimes under the Law Combatting Cybercrimes may involve imprisonment for 6 months or a year and fines of up to 500,000 dirham.
Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL) will include penalties for violations of the law. These will be determined by the Executive Regulations, which have not been published as of August 2022.
Free trade zone protection laws include civil penalties rather than criminal penalties (i.e., there are no prison terms for violations). Sanctions may include fines, public admonishments and the regulator requiring that certain actions are taken. Fines for administrative breaches in the free trade zones are usually in US dollars. In the Dubai International Financial Center (DIFC), fines generally do not exceed 100,00 USD. Note that the Dubai International Financial Centre (DIFC) Commissioner of Data Protection has no upper limit on the potential fine that can be issued for serious non-administrative breaches of the law. The Abu Dhabi Global Market (ADGM) Commissioner of Data Protection may issue fines of up to 28 million USD (ADGM Data Protection Regulations 2021, Section 55).