DIFC court rules on subject access request to DFSA

Out-Law News | 27 Oct 2020 | 10:04 am | 3 min. read

Organisations operating in the Dubai International Financial Centre (DIFC) have been urged to review the processes they have in place for handling subject access requests (SARs) to avoid challenge by data subjects following a recent ruling of the DIFC courts.

Dubai-based Marie Chowdhry, data protection expert at Pinsent Masons, the law firm behind Out-Law, made the recommendation after the publication of the appeal hearing of the commissioner of data protection's initial finding of fault with the way the Dubai Financial Services Authority (DFSA) dealt with a SAR submitted by a person it had investigated in its role as regulator.

Chowdhry Marie August_2019

Marie Chowdhry

Senior Associate

Organisations should not rely on a blanket non-disclosure policy and instead seek to understand the obligations they have to respond to data subjects under the new DIFC Data Protection Law 2020

The appeal case in question concerned two sets of related proceedings. First, an appeal by the DFSA from the decision of the commissioner that the DFSA contravened the DIFC Data Protection Law 2007 by refusing to comply with a SAR; and second, an application by the DFSA for judicial review of the direction made in the decision as to the steps the DFSA were ordered to take in response to the SAR.

The SAR made to the DFSA came from a former senior employee at Deutsche Bank who the regulator claimed had failed to comply with its rulebook and who was found reckless of giving false or misleading information to the regulator.

Under the SAR, the individual requested that all emails, notes of meetings, letters and other documents held by the DFSA that referred to her by name, which identified her or which was passed between parties, dating back to 2011, be shared with her.

The DFSA initially declined this request, claiming that disclosure would prejudice its powers and functions, therefore severely impacting their role as regulator. However, the DIFC commissioner of data protection rejected this argument and found that the DFSA failed to prove prejudice and had not met its obligations around disclosure of information under the now-superseded DIFC data protection laws introduced in 2007. The DFSA raised an appeal against the commissioner's decision before the DIFC courts.

In assessing the case, the DIFC court placed the information requested under the SAR into three broad categories: information sought and received from third parties; information contained in documents concerning investigation; information that was neither here nor there.

To win its appeal, the DFSA had to establish that it was entitled to be exempt from providing information under the SAR and that the disclosure of information under each category would likely prejudice its role and duties.

The court reached different conclusions in relation to the different categories of information it assessed.

The court accepted the DFSA's claims that it was likely that disclosure of the information sought and received from third parties, and of information contained in documents concerning investigation, would likely prejudice the DFSA powers and cause a chilling effect including driving back third parties from sharing confidential information with the regulator.

However, in contrast, the court saw a lack of a burden, harassment, distraction or prejudice in disclosing the information categorised as information that was neither here nor there.

In addition to claiming prejudice, the DFSA argued that to comply with the SAR would require substantial manpower and financial resources which would seriously impede the efficient discharge of its power and functions. Yet the court found that the DFSA could have hired an external agency and the funds could be found from within the regulator's budget or met by the Dubai government.

However, the court also had to assess the proportionality of the SAR submitted to the DFSA before reaching a final conclusion. It weighed up the rights of the requester, and the practical impact on her if the DFSA was relieved of the obligation of doing the work and spending the money to comply with the SAR, with the burden falling on the DFSA to meet the SAR. The court concluded that it would be grossly disproportionate to order the DFSA to comply with the request.

The DIFC Data Protection Law of 2007 was closely modelled on the UK's Data Protection Act 1998, and sets out clear obligations on data controllers and the rights of access to data subjects. Common law developed in the courts of England and Wales provide guiding proportional provisions to those interpreting DIFC law and were considered by the DIFC court when applying the facts of this case.

As a result of its findings, the DIFC court accepted DFSA’s appeal and the commissioner’s initial finding of fault was set aside. Given the DFSA’s judicial review case was predicated on the dismissal of its appeal, on the basis the appeal was permitted, the court found that it unnecessary to determine the judicial review application.

The right to access personal data was recently enhanced in the new DIFC Data Protection Law 2020. Broadly, the right gives individuals a right to receive, within one month and without charge, a copy of their personal data held by 'data controllers' – those being organisations that determine the purpose for which personal data is processed.

Chowdhry said: "It is crucial that there are systems in place to respond to SARs, and that any subsequent disclosure is considered and measured. Organisations should not rely on a blanket non-disclosure policy and instead seek to understand the obligations they have to respond to data subjects under the new DIFC Data Protection Law 2020. These provisions are largely modelled on the EU's GDPR, so firms can, and indeed should, look to Europe for guidance on how to respond."

Co-written by Alexandra Bertz of Pinsent Masons.