This judgment clarifies the intersection between the Dubai Financial Services Authority’s (DFSA) investigative powers and the data protection rights of individuals under the DIFC Data Protection Law, specifically addressing the proportionality of Subject Access Requests (SARs) in the context of complex regulatory enforcement.
What was the specific dispute between the DFSA and Ms Anna Waterhouse regarding the Subject Access Request?
The dispute arose from a regulatory investigation conducted by the DFSA into Deutsche Bank and its employees, including Ms Anna Waterhouse, who served as Head of Legal & Compliance for the Middle East and North Africa. Following an investigation that spanned years and resulted in a Decision Notice imposing a US$100,000 penalty and a prohibition order against Ms Waterhouse, she sought to access the entirety of the underlying data held by the DFSA. The DFSA refused to comply with her Subject Access Request (SAR), arguing that it had already provided extensive disclosure during the enforcement proceedings and that the request was overly burdensome.
The Commissioner of Data Protection initially ruled against the DFSA, finding that the regulator had contravened Article 17 of the Data Protection Law (DPL) by failing to fulfill the request. The DFSA subsequently appealed this decision to the DIFC Court of First Instance, seeking to overturn the Commissioner’s direction. The core of the conflict was whether the DFSA, as a regulator, was required to produce vast quantities of investigative material—amounting to hundreds of lever arch files—when the data subject had already received the materials relevant to the specific enforcement action taken against her. As noted by the Court:
I agree with Mr Russell’s submission that the proceedings before the Commissioner were proceedings sanctioned by Article 33 and not Article 34, notwithstanding that the Commissioner appears to have thought the opposite to be the case.
[Source: https://www.difccourts.ae/rules-decisions/judgments-orders/court-first-instance/the-dubai-financial-services-authority-v-1-the-commissioner-of-data-protection-2-anna-waterhouse-2018-cfi-051-and-cfi-085]
Which judge presided over the DFSA v Commissioner of Data Protection appeal in the DIFC Court of First Instance?
The proceedings were heard before Justice Sir Richard Field in the DIFC Court of First Instance. The judgment, which replaced an earlier version, was handed down on 12 August 2020. The Court handled two related matters simultaneously: an appeal under Article 37(1) of the Data Protection Law (Law No. 1 of 2007) and an application for judicial review under Part 42 of the Rules of the DIFC Courts (RDC).
What were the respective legal positions of the DFSA and the Commissioner regarding the scope of Article 17 DPL?
The DFSA argued that its refusal to comply with the SAR was justified on the grounds of proportionality and the nature of its regulatory function. It contended that it had already provided Ms Waterhouse with all materials relevant to the findings of its investigation and the subsequent Decision Notice. The DFSA maintained that forcing the regulator to search through approximately 300 lever arch files of investigative data would impose an unreasonable and disproportionate burden, particularly when the data subject had already been granted access to the materials relied upon by the Decision Making Committee.
Conversely, the Commissioner of Data Protection argued that the DFSA had failed to meet its statutory obligations under Article 17 of the DPL. The Commissioner’s position was that the right of access is a fundamental right of the data subject, and that the DFSA’s internal investigative processes did not automatically exempt it from the requirements of the DPL. The Commissioner maintained that the direction issued to the DFSA was a correct application of the law, asserting that the DFSA’s refusal was a breach of the statutory duty to provide personal data upon request.
What was the precise doctrinal question the Court had to answer regarding the application of the Data Protection Law to regulatory bodies?
The Court was tasked with determining whether the DFSA’s refusal to comply with a SAR constituted a breach of Article 17 of the DPL, and specifically, whether the doctrine of proportionality applies to such requests. The Court had to decide if a regulator, acting in its capacity to investigate financial misconduct, is subject to the same SAR obligations as a commercial entity, or if the nature of the investigative files—compiled for the purpose of enforcement—allows for a broader exemption. Furthermore, the Court had to clarify the procedural nature of the Commissioner’s intervention, specifically whether the matter fell under Article 33 (investigation) or Article 34 (mediation) of the DPL.
How did Justice Sir Richard Field apply the doctrine of proportionality to the DFSA’s refusal?
Justice Sir Richard Field held that the right of access under Article 17 of the DPL is not absolute and is inherently subject to the doctrine of proportionality. He reasoned that where a data subject has already been provided with the materials relevant to the regulatory action taken against them, requiring the regulator to conduct a further, exhaustive search of all investigative files would be an abuse of the process. The judge emphasized that the burden on the DFSA to comply with the SAR was "very heavy" and outweighed the interest of the data subject in accessing the additional, non-relevant data.
The Court concluded that the Commissioner had erred in failing to account for the proportionality of the request in light of the previous disclosure process. As the Court stated:
In my judgment, when, in light of the process of disclosure to which the DFSA was subject under the supervision of the FMT, one weighs the real interest that Ms Waterhouse had in seeking to enforce her prima facie right under Article 17 against the very heavy burden that would have fallen on the DFSA if it had to comply with the SAR, it would be grossly disproportionate to order the DFSA to comply with the SAR.
Which specific statutes and rules did the Court apply to resolve the appeal?
The Court primarily applied Article 37(1) of the DIFC Data Protection Law (Law No. 1 of 2007), which governs appeals from the Commissioner’s decisions. It also examined Article 17 of the DPL, which establishes the data subject’s right of access, and Article 39(2), which deals with exemptions. Additionally, the Court referenced Article 7 of the Regulatory Law, which establishes the DFSA and defines its major functions, including the prevention and detection of financial misconduct. Procedurally, the Court utilized Part 42 of the Rules of the DIFC Courts (RDC) to address the application for judicial review.
How did the Court utilize English case law to interpret the DIFC Data Protection Law?
The Court relied on several English authorities to interpret the scope of SARs and the doctrine of proportionality. It cited Durant v Financial Services Authority [2003] EWCA Civ 1746 to illustrate that a data subject’s request for disclosure from a regulator is not an unfettered right. The Court also referenced R (On the Application of Alan Lord) v The Secretary of State for the Home Department [2003] EWHC 2073 (Admin) and Campbell v MGN Ltd [2002] EWCA Civ 1373 to support the application of proportionality in data access contexts. These cases were used to establish that the court has the discretion to refuse a SAR if compliance would be disproportionate or if the request is not a genuine attempt to access personal data but rather a fishing expedition for investigative materials.
What was the final outcome of the appeal and the judicial review application?
The Court allowed the DFSA’s appeal against the Commissioner’s decision and granted the application for judicial review. Justice Sir Richard Field set aside the Commissioner’s direction, finding that the DFSA was not required to comply with the SAR in the manner requested by Ms Waterhouse. The Court held that the DFSA had already fulfilled its obligations in a manner that respected the data subject's rights while acknowledging the regulatory burden. No further disclosure was ordered, and the Commissioner’s decision was effectively overturned.
What are the wider implications for DIFC practitioners regarding Subject Access Requests in regulatory investigations?
This judgment establishes that the DIFC Courts will apply the doctrine of proportionality to SARs, even when the request is made against a public or regulatory body. Practitioners should anticipate that regulators will not be required to produce entire investigative files if the data subject has already received sufficient disclosure through the enforcement or disciplinary process. This ruling provides a significant shield for regulators against "fishing expeditions" disguised as SARs, emphasizing that the right to access personal data does not override the practical necessity of protecting the integrity and efficiency of regulatory investigations. Litigants must now be prepared to demonstrate a specific, legitimate interest in the requested data that outweighs the administrative burden of production.
Where can I read the full judgment in The Dubai Financial Services Authority v (1) The Commissioner Of Data Protection (2) Anna Waterhouse [2018] DIFC CFI 051 and CFI 085?
https://www.difccourts.ae/rules-decisions/judgments-orders/court-first-instance/the-dubai-financial-services-authority-v-1-the-commissioner-of-data-protection-2-anna-waterhouse-2018-cfi-051-and-cfi-085
Cases referred to in this judgment:
| Case | Citation | How used |
|---|---|---|
| R (On the Application of Alan Lord) v The Secretary of State for the Home Department | [2003] EWHC 2073 (Admin) | Proportionality in SARs |
| Campbell v MGN Ltd | [2002] EWCA Civ 1373 | Proportionality test |
| Durant v Financial Services Authority | [2003] EWCA Civ 1746 | Regulatory SAR scope |
| Zaw Lin and Wai Phyo v Commissioner of Police for the Metropolis | [2015] EWHC 2484 (QB) | SAR principles |
Legislation referenced:
- DIFC Law No. 1 of 2007 (The Data Protection Law), Articles 17, 33, 34, 37(1), 39(2)
- Regulatory Law, Article 7, 78, 90
- Rules of the DIFC Courts (RDC), Part 42