There are no federal data protection laws in the UAE, nor is there any national data protection regulator. However, there are a number of national and sectoral laws that relate to data protection and privacy in some capacity.
Organisations in the UAE that process EU residents’ personal information must also abide by the EU GDPR (General Data Protection Regulation).
National provisions for data protection and privacy include the following:
- Article 31 of the UAE’s constitution guarantees the secrecy and freedom of communication by post, telegraph or “other means of communication”.
- Article 378 of the 1987 Penal Code states that the publication of personal data relating to individuals’ private or family life is an offence punishable by detention and a fine.
Moreover, the UAE’s 2012 cybercrimes law (Federal Decree-Law no. (5) of 2012 on Combating Cybercrimes) sets out punishments for a number of specific activities relating to hacking and data protection, including:
- A fine of 100,000-300,000 dirhams for unauthorised access to websites, information systems and networks (Article 2).
- Imprisonment for at least six months and a fine of 150,000-750,000 dirhams for actions that result in the “deletion, omission, destruction, disclosure, deterioration, alteration, copying, publication or re-publishing of any data or information”, with the punishment increasing to imprisonment for at least one year and a fine of 250,000-1 million dirhams if personal information is affected (Article 2).
- Imprisonment for at least six months and a fine of 150,000-500,000 dirhams for invading the privacy of another person via technological means by:
  - “Eavesdropping, interception, recording, transferring, transmitting or disclosure of conversations or communications, or audio or visual materials.
  - “Photographing others or creating, transferring, disclosing, copying or saving electronic photos.
  - “Publishing news, electronic photos or photographs, scenes, comments, statements or information even if true and correct” (Article 21).
- Imprisonment for at least one year and a fine of 250,000-500,000 dirhams for amending or processing records, photos or scenes via technological means for the purpose of defaming or offending another person or for attacking or invading their privacy (Article 21).
The TRA (Telecommunications Regulatory Authority) regulates electronic transactions and commerce. There are a number of TRA laws that relate to data protection, including the Electronic Transactions and Commerce Law and the Consumer Protection Regulations:
- The 2006 Electronic Transactions and Commerce Law applies to electronic records, documents and signatures that relate to electronic transactions and commerce, but not to transactions and issues related to personal issues such as marriage, divorce and wills. The law aims to protect the rights of people who conduct electronic transactions, encouraging and facilitating electronic transactions and correspondence through reliable electronic records, reducing falsification in electronic correspondence, and establishing unified rules, regulations and standards for authentication and safety of electronic correspondence.
- The 2017 Consumer Protection Regulations v1.3 sets out provisions to protect the personal information of telecommunications subscribers in the UAE. Licensees must protect subscribers’ personal information and obtain their consent before disclosing it.
Subscriber information is defined as any personal data relating to a specific subscriber, including their “name, address, bank account details, credit card details, service usage details, call records, message records, any information derived from a Subscriber’s use of telecommunications services, account status, payment history, and credit rating”.
The DHC and DIFC
The two free zones in Dubai – the DHC (Dubai Healthcare City) and the DIFC (Dubai International Financial Centre) – also have their own data protection laws.
The DHC is regulated by the Health Data Protection Regulation (Regulation No. 7 of 2013), and data protection in the DIFC is regulated by DIFC Data Protection Law – Law No. 1 of 2007 as amended by DIFC Law No. 5 of 2012 and the DPR (Data Protection Regulations – Consolidated Version No.2 In force on 23.12.2012).
Both the DHC and DIFC’s data protection laws are modelled on, and generally consistent with, the EU’s 1995 Data Protection Directive and the UK’s Data Protection Act 1998.
Organisations in the Gulf that process EU residents’ personal data are also subject to the GDPR. The GDPR’s provisions are more stringent than all equivalent GCC laws, so if your organisation processes EU residents’ data, you will undoubtedly have to make changes to your approach to data protection.