The Introduction of the New Data Protection and Cybercrime Laws in the UAE11 January 2022

These landmark new laws bring significant changes not only to how business is conducted in the UAE, but also to how businesses will manage and regulate themselves. Non-compliance with these laws carries both financial and criminal sanctions, the extent of which are to be determined by forthcoming implementing regulations.

Data Protection Law

Similar to the EU’s General Data Protection Regulation (“GDPR”), the Data Protection Law has extraterritorial reach such that it applies to (i) any UAE domiciled organisations which process personal data of subjects whether located inside or outside of the UAE and (ii) any foreign organisations that process personal data of subjects physically located in the UAE. In the latter case, the law does not appear to restrict its application to UAE residents but rather extends its reach to anyone physically located in the UAE, which in principle might include tourists.

Notwithstanding the similarities between the GDPR and its UAE equivalent, the Data Protection Law does contain a certain level of ambiguity. It remains to be seen whether the implementing regulations, which are yet to be released, will clarify those ambiguities and bring the law in line with the GDPR or diverge from international standards by making certain obligations more or less stringent. For example:

1. The extent and nature of sanctions (whether financial, administrative, or criminal) are yet to be disclosed;
2. Although the Data Protection Law does impose an obligation of transparency on controllers, it does not – in its current form – require controllers to notify, from the outset, data subjects of the reason their data is being collected, unlike the GDPR;
3. As under the GDPR, data transfers outside of UAE territory are permitted if the recipient overseas territory has adequate protections in place and subject to the UAE Data Office’s approval. It remains unclear however, whether the duty to carry out an assessment of the overseas territory’s measure falls on the controller or whether it is up to the UAE Data Office to determine the adequacy of measures implemented in the overseas territory; and
4. In the event of a data breach, the Data Protection Law requires the controller to notify data subjects if the breach is likely to be “high risk” to the relevant individuals’ rights and freedoms. However, unlike the GDPR, it does not specify what constitutes high risk nor does it set out the relevant threshold. If addressed in the implementing regulations, the obligation may become more in line with the GDPR.

While strictly speaking the Data Protection Law came into effect on 2 January 2022, it will only practically be enforced once the implementing regulations are issued at which point UAE domiciled organisations will have six months to ensure compliance.

Given the overall similarities between the Data Protection Law and the GDPR, we can expect that a very similar if not identical level of compliance will be necessary and we therefore advise UAE domiciled businesses as well as foreign businesses processing UAE related data to begin taking the necessary measures to ensure compliance with this legislation.

Cybercrime Law

Another major change to the UAE’s legal system is the repeal of Federal Decree Law No. 5 from 2012 on combatting cybercrime and its replacement with a more sophisticated and developed new Cybercrime Law, which not only tackles cybercrime but also addresses the spreading of false information.

Doubtless inspired by the Covid-19 pandemic, the Cybercrime Law prohibits the sharing of fake news and rumours including specifically as relating to pandemics and similar crises. It subjects offenders to a hefty fine and potential imprisonment for up to one year.

With regards to spreading false rumours, interestingly, the new law penalises both the publisher and those who contribute to the further spreading of said rumours, such that it places a burden on the latter of ensuring any information they share is accurate, failing which they will be held equally liable as the original publisher.

We have seen media giants such as Facebook subjected to substantial fines during the 2016 US presidential election for failing to filter misleading campaigns and advertisements which negatively influenced voters. Under the new law, at least in the UAE, it would no longer solely be Facebook’s responsibility to filter fact from fiction with users now also accountable for what they post.

The Cybercrime Law also deals with issues not addressed in previous laws, such as hacking (which was formerly described as unauthorised access), impersonation, electronic robots and cryptocurrency, as well as enhancing penalties (both criminal and financial) for breaches of the law.

The introduction of these new provisions is a direct reflection of the development of new technology and the rather abrupt shift towards a borderless online personal and working environment. As discussed in our previous article on The Rise of Data Protection, a significant amount of personal data is transmitted online – including financial information, personal identification documents, addresses and indeed data as simple as photos – all of which constitute personal data and are now subject to the new Data Protection Law.

Given how readily available such information is, fraud, impersonation and blackmail are becoming increasingly common. The old cybercrime law simply could not address this more sophisticated cybercriminal world. While various UAE laws did contain provisions that prohibited (i) individuals from taking pictures of others without their consent, (ii) fraud and, of course, (iii) misrepresentation, the new Cybercrime law explicitly sanctions those who impersonate others (regardless of whether they are individuals or entities) on the internet. This includes creating fake profiles, websites, domains, emails etc.

For further advice on how to comply with the new Data Protection Law or how to deal with cyberattacks, please contact our team.