DIFC amendment to the Data Protection Law

The DIFC recently announced that it had enacted an amendment to the Data Protection Law, following an earlier consultation in March.

Summary

The right for data subjects to claim compensation for damage they have suffered by reason of a contravention of their rights under data protection law is established in GDPR based countries, upon which the DIFC Data Protection Law is modelled. Claims of this nature have become increasingly common over the past five or six years in those jurisdictions.

  • The introduction of a private right of action through the DIFC courts for data subjects whose rights under the law have been contravened; and
  • A widening and clarification of the law's scope of application and extraterritorial reach, so that it applies to:
    • A Controller or Processor who processes personal data and is incorporated in the DIFC, regardless of whether or not the processing takes place in the DIFC; and
    • A Controller, Processor or Sub-processor, processing personal data in the DIFC regardless of their place of incorporation as part of stable arrangements.

Important points to note

Data subjects can claim for mere distress

They do not need to prove that they have suffered a recognised psychiatric injury as a result of the infringement. This reduces the barrier to entry as expert medical evidence is not required in order to issue a claim.

The data subject can claim compensation from both the Controller and the Processor

This is important for Processors to bear in mind. Whilst the bulk of the responsibility generally sits with the Controller (e.g. notifying the Commissioner and affected data subjects of a personal data breach), this amendment makes clear that Processors will be held liable where their unlawful actions or inappropriate security measures result in harm to data subjects.

A Controller or Processor is not liable if they can prove that they are in no way responsible for the event giving rise to the damage

The burden lies with the Controller or Processor to demonstrate this when seeking an exemption from liability.

For example, if an organisation utilises the services of a third-party payment provider, and as a result of a compromise of that payment provider's systems the organisation's customer data is exposed, the organisation may have a defence under Article 64A(4) if it had performed appropriate due diligence before selecting the payment provider (the Processor) and had a valid data processing agreement in place.

In these circumstances the Controller may be able to evidence that the event giving rise to the damage sits squarely with the Processor, and thereby escape liability (albeit the Processor may have its own defence under this Article, for example if the incident was caused by the exploitation of a zero-day vulnerability for which no patch was yet available).

We expect to see a gradual increase in data subject claims as individuals become more informed about their rights and how to exercise them.