Data Protection and Privacy 2025

UAE Law and Practice Contributed by: Saifullah Khan and Saeed Hasan Khan, Bizilance Legal Consultants

As per the DIFC Law, when the Commissioner considers that a controller or processor is liable for contravention of law, they may issue an administrative fine to the controller or processor. The Commissioner should issue a notice to the controller or processor of imposition of a fine. Administrative fines are set out in Schedule 2 of DIFC Data Protection Law No 5 of 2020; fines corresponding to the contraventions mentioned in Schedule 2 range from USD10,000 to USD100,000.

Under the ADGM Regulations, if a controller or processor performs an act or abstains from performing an act in contravention of a direction issued by the Commissioner of Data Protection or the ADGM Regulations (or subsequent rules made thereunder), they shall be subject to imposition of an administrative fine by the Commissioner. The Commissioner shall send a written “penalty notice” to the controller or processor. The penalty imposed by the Commissioner must not exceed USD28 million.

1.4 Data Protection Fines in Practice

Okadoc Technologies Limited (21 May 2024)

The ADGM Commissioner of Data Protection imposed a monetary penalty of USD20,000 on Okadoc Technologies Limited (“Okadoc”) for violating the ADGM Regulations. The penalty pertained to a breach of individual rights, specifically to Okadoc’s failure to comply with a data subject’s access request. The Office of Data Protection’s investigation revealed that Okadoc lacked adequate measures to identify, facilitate and fulfil the request.

The Commissioner of Data Protection issued a penalty notice under Section 55(1) for breaches related to Articles 10(1) to (5), 22(1) and (2) concerning “implementation of technical and organisational measures to process the personal data”, as well as Article 29 of the ADGM Regulations, which pertains to the rights of data subjects.

Venture Rock Global Limited (23 June 2023)

The ADGM Commissioner of Data Protection issued a direction under Section 54(1) for breaches related to Articles 4(1)(f), 22(1), 22(2), 29, 30(1) and 30(2) of the ADGM Regulations, which encompass obligations regarding data security and processing.

In its assessment, the Commissioner found that Venture Rock was involved in contravention of the ADGM Regulations in terms of lack of security, lack of policy and procedures, and inappropriate technical and organisational measures; the report attributed “human error from poor cybersecurity practices” as a root cause of the incident. The lack of proper training, awareness and appropriate policies/procedures were key factors leading to the violation of the ADGM Regulations.

1.5 AI Regulation

Through its Regulation 10, the DIFC has enacted amendments to its data protection regulations, aimed at overseeing the use of autonomous and semi-autonomous systems, particularly those driven by artificial intelligence (AI) and machines.

The regulations apply to AI-driven systems and processes used within the DIFC’s jurisdiction – either autonomous systems or semi-autonomous systems. These regulations emphasise:

• the ethical use of systems;
• risk assessment and mitigation;
• accountability and oversight;
• that the processing must be transparent; and
• that users and data subjects must be informed about the role of AI in decisions that affect them.
