A recently-reported court case in the United Arab Emirates has highlighted the importance of establishing and implementing good privacy practices, even in the absence of specific data protection legislation.
In late 2014, the UAE public prosecutor charged three officials from a federal authority – the general director, a branch manager and an IT manager – with violating privacy laws and breaching public security by placing CCTV cameras in a female customer service centre. The men argued that they had installed the cameras for security purposes and that the female employees were aware of the cameras. The men were initially held in custody, but an Appeals Court judge ordered that they be released after the men spent more than two months in prison prior to the first court hearing.
In March 2015, the Misdemeanour Court of First Instance cleared the defendants of the public security violation but found them guilty of breaching the privacy of their female colleagues. The three men were each sentenced to six-month suspended jail sentences, and one of the defendants was sentenced to be deported.
The defendants appealed and were subsequently found not guilty by the Appeals Court.
The public prosecutor appealed their acquittal to the Court of Cassation on the basis that the verdict contradicted Article 21 of the UAE Cyber Crimes Law. The relevant article provides that any person who uses a computer network, electronic information system or any other IT means for the invasion of privacy of another person is guilty of a crime punishable by a fine and imprisonment unless the act is permitted by law. The Cyber Crimes Law also states that privacy can be invaded by the capture of audio visual recordings or photographs.
Upon further appeal, the Court of Cassation determined in November 2015 that there were “vague and contradictory elements” in the Appeal Court’s verdict and that it did not clarify the basis on which the defendants were acquitted. It referred the case back to the Appeals Court.
A second Court of Appeal decision again found the three defendants guilty of the privacy charge and upheld the first instance ruling. This verdict was also appealed.
A final ruling by the Court of Cassation cleared the men of all charges. The Court ruled that they were not guilty of breaching female employees’ privacy by setting the cameras at the federal authority’s women’s branch. It was sympathetic to the claims of the defendants, who had argued that the cameras had been introduced for lawful purposes and that the security reasons for installing the cameras overrode any privacy issues.
While the case ultimately established the innocence of the defendants, it highlights the risk of employees in the UAE committing potentially criminal offences by engaging in certain data processing activities. The Cyber Crimes Law, Penal Code and other legislation in the UAE contains offences based on the violation of personal privacy. All businesses operating in the country should be aware of the serious consequences of breaching privacy rights and adopt suitable processes to mitigate the risk of criminal actions.