The United Arab Emirates Penal Code was amended with effect from October 29, 2016 to outlaw the copying, distribution or disclosure of information that a person obtains in the course of their employment. This new offence will target company insiders (or service providers) unlawfully dealing in personal data. Other changes to the Penal Code will increase the maximum penalty payable by organisations for criminal acts committed by their representatives.
Specifically, a new Article 380(bis) of the Penal Code, contained in Federal Decree-Law No.7 of 2016, states as follows (unofficial English translation):
Any person who unlawfully reproduces, distributes or provides others with the contents of a telephone call, message, information, data or other issues which came to his knowledge by virtue of his work shall be punished by a jail sentence.
Under UAE law existing before the amendment, criminal offences existed for the unauthorised disclosure or publication of information about a person’s private or family life or “secrets” obtained in the course of a profession. The new provision of the Penal Code will enable more direct action to be taken against such offenders in the UAE.
However, it is also worth noting that the legislation is drafted widely enough to capture even single instances of data sharing or disclosure of recorded messages. The default period for a jail sentence under the Penal Code is a minimum of one month and a maximum of three years’ detention.
Recent High-Profile Incidents
Enactment of the amendment is timely, as a number of high-profile incidents have been reported this year in the United Kingdom and USA where valuable personal data has been sold to marketing companies or criminals by operatives in in call centres or outsourced service providers. An instance of fraud at a call centre was also blamed for the US$45 million cyber theft that affected several Middle East banks in 2013.
Another significant change to the Penal Code introduced by the same Decree will see companies facing higher penalties for offences committed by their employees. Article 65, as amended, states that “juristic persons” (excluding government entities, official departments, public authorities and institutions) will be liable for crimes committed by representatives, directors or agents acting on their behalf or in their name. If the law prescribes a penalty other than a fine (for example, a jail sentence) then the organisation may be subject to a fine of up to AED 500,000 (approximately US$136,000). This is a ten-fold increase from the previous AED 50,000 maximum corporate fine.
The new offence under Article 380(bis) will be relevant to all organisations operating or using service providers in the UAE, both from an internal policy perspective and in terms of enforcement options against rogue employees or service providers. In addition, companies should be mindful of the ten-fold increase in penalties for criminal offences committed by representatives when assessing risks associated with privacy and broader legal compliance.