Selling private data comes with a risk in the UAE

While receiving a spam text or email seems the norm in the UAE, companies that share your private data without your permission risk being heavily penalised.

Companies in the UAE are only allowed to sell data if they have permission to share it or if it’s non-identifiable. Prashanth Vishwanathan / Bloomberg
Powered by automated translation

When Anne Nielsen received an unsolicited email from a pri­mary school in Dubai advertising its services, she was alarmed.

Pregnant at the time with her first child, the Dane, a UAE resident for over seven years, hadn’t started inquiring into education options for her unborn child and had never received a communication of this sort before.

Her assumption was that one of her healthcare providers had sold her information to the business in question.

“I wasn’t surprised but I was annoyed. It seems too much of a coincidence that I’m pregnant and all of a sudden I’m contacted by a school,” says the former corporate executive, now mum to a five-month-old daughter. “They shouldn’t be able to pass on personal details.”

Ms Nielsen is not alone. Many UAE residents consider spam email and SMS messages a part of UAE life, therefore are unlikely to make a complaint to the police. While there is no specific data protection law in the UAE, experts say there are several other articles and statutes that cover such actions and companies often do not realise they are taking a risk by sharing private data.

“There is a big problem regarding the lack of awareness exhibited by companies and individuals around what is acceptable in terms of an individual’s private data use,” says Nader Henein, regional director for BlackBerry’s advanced cyber assurance programme. “Selling or passing on an individual’s details such as phone numbers, email addresses or credit card information is definitely not acceptable in the eyes of the law, but because so few people make a complaint this issue goes largely unreported and continues to a high degree.”

Under current rules, companies can sell data if they have permission to share it or if it’s non-identifiable, says Anthony Murray, country manager for the Middle East at Shred-it, a document and hard drive secure disposal company.

Mr Murray says many organisations sell “big data”, for example the number of people registered with a certain medical complaint or aggregated mobile phone data. To sell, a company can contact a data exchange house or data buyer. Sellers need only search online for a buyer, there are hundreds available.

While data can be shared with an individual’s permission, it’s the lack of permission that creates an issue.

“The unauthorised use of personal data is likely to lead to prosecution under the 1987 Penal Code, with the risk of the cyber crimes law also being applied,” says Brendan Walsh, a solicitor at James Berry & Associates. “Our advice to businesses that come into possession of personal data is they should first obtain the client’s consent if they intend using such data, exercise due care and attention in how they utilise that data, even in circumstances where they have consent and finally demonstrate that they have a rob­ust privacy policy in place and a safe means of storage of data, particularly if it’s personal.”

For those who do complain about having their data misused, Mr Henein says the outcome is usually favourable, provided the complainant has proof.

“The authorities take a dim view of those found to be transgressing an individual’s right to privacy and the courts can hand down heavy penalties to those convicted of such an offence,” he says.

According to Mr Walsh, penalties issued under the cyber crimes law, include fines ranging from Dh100,000 to Dh1 million and imprisonment.

Companies should also be aware of the far-reaching implications of the General Data Protection Regulation, which applies to the processing of data for all EU residents – even those based here – which comes with its own punishments.

Privacy and stringent data protection policies are often overlooked by UAE firms too busy with the day-to-day operations. However, experts say such policies are critical to business success.

The Ponemon Institute’s 2015 report, Cost of a Data Breach Study: Arabian Region, found that reputation and the loss of customer loyalty does the most damage to a company’s bottom line. About half of the total Dh13.9 million average cost of a breach is accounted for by lost business.

Mr Murray says managers and business owners have a responsibility to ensure the company protects business, customer and employee data.

“Nearly all multinational companies will have a stringent internal data protection policy in place, but we’ve found through our daily contact with potential clients that even then, the pol­icy often isn’t adhered to in the UAE,” he says.

To protect against this, Mr Murray recommends introducing a business data security policy or hiring a compliance officer to identify risks.

“Businesses tend to align on the cyber side of security and most reputable companies have some focus on controlling data collected through electronic means,” he adds. “However, often this electronic data is later printed off and sold to recyclers or paper traders. This leaves the company and the consumer open to a huge risk of fraud.”

Follow The National's Business section on Twitter