Data Protection & Privacy 2025 Comparisons

Last Updated March 11, 2025

Law and Practice

Authors



Bizilance Legal Consultants practises trade remedy laws, privacy and data protection, taxation, and antitrust and competition, among other areas. The firm is backed by the rich experience of its partners, spread over two decades. The partners have served clients in multiple jurisdictions, including the UAE, the USA, the UK, Switzerland, Singapore, China, Malaysia, Indonesia, Korea, Thailand and Pakistan. In the personal data and privacy space, Bizilance Legal Consultants at Abu Dhabi Global Market is strategically well placed to serve multi-jurisdictional clients in an era when laws related to personal data protection have either just been implemented or are in the process of being implemented.

The Constitution of the United Arab Emirates (UAE) provides that safety and security for all citizens shall be the pillars of society. It further guarantees, in accordance with the law, freedom of correspondence by post, telegraph or other means of communication and the secrecy of such correspondence, and provides that dwellings are inviolable. These constitutional provisions are the foundation on which privacy is respected in the UAE.

The statutory regime concerning data protection is chiefly found in the following laws/regulations.

  • Federal Decree Law No 45 of 2021 on personal data protection (the “UAE Law”). The UAE Law is a federal-level law applicable across the UAE, except for the following:
    1. governmental data;
    2. government authorities that control and process personal data;
    3. security and judicial authorities;
    4. health-related personal data;
    5. banking and credit personal data; and
    6. companies and organisations incorporated in free zones.
  • Dubai International Financial Centre (DIFC) Law No 5 of 2020 (the “DIFC Law”). The DIFC is a free zone, and the DIFC Law applies in the jurisdiction of the DIFC.
  • The Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021 (the “ADGM Regulations”). The ADGM is a free zone, and the ADGM Regulations apply where a controller or processor is established in the ADGM.

Apart from the above, sector-specific regulations govern data protection in their respective sectors, as follows:

  • Federal Decree Law No 14 of 2018 (concerning the Central Bank of the UAE) governing data protection of customers of banks;
  • Federal Law No 3 of 2003 (concerning telecommunications) governing data protection of telecoms consumers; and
  • Federal Law No 2 of 2019 (concerning use of information and communication technology in health fields) governing confidentiality of patients’ information.

The above-mentioned laws/regulations provide for matters related to offences, penalties and enforcement in their respective sphere.

The UAE Data Office is the regulator for the purposes of the UAE Law.

The DIFC Commissioner of Data Protection administers the DIFC Law. A separate ADGM Commissioner of Data Protection is responsible for the monitoring and enforcement of the ADGM Regulations.

The Central Bank of the UAE and the Telecommunications and Digital Government Regulatory Authority (TDRA) are the regulators concerning the banking and telecommunications sectors, responsible for (among others) the protection of their respective consumers’ data.

Health authorities (federal or local government) are entrusted with the protection of patients’ data.

The above-mentioned authorities have the powers of investigations and complaint-handling in their respective spheres.

The Data Office (concerning the UAE Law) is competent to receive complaints by data subjects regarding contravention of the UAE Law, and to impose administrative sanctions for such contraventions. A person aggrieved by any decision, administrative sanction or other action of the Data Office may file a grievance with the Director General of the Data Office within 30 days of that decision, sanction or action; the Director General must determine the grievance within 30 days of its filing. The executive regulations to be issued under the UAE Law will specify the procedure for filing and deciding such grievances.

The Commissioner of Data Protection (under the DIFC Law) is competent to receive complaints from data subjects concerning contravention of the DIFC Law or any breach of data subjects’ rights. The Commissioner may investigate a complaint and issue a direction or declaration, and may impose a fine for non-compliance with a direction. In handling a complaint, the Commissioner may follow whatever practices and procedures will, in the Commissioner’s view, lead to the most timely, fair and effective resolution of the complaint. A controller, processor or data subject aggrieved by the Commissioner’s decision may appeal to the DIFC Court within 30 days.

On contravention of the ADGM Regulations, a data subject may lodge a complaint with the Commissioner of Data Protection under the ADGM Regulations. After an assessment, the Commissioner may:

  • dismiss the complaint;
  • uphold the complaint;
  • uphold the complaint but with no further action; or
  • take any further action.

The aggrieved controller, processor or data subject may refer the matter to the court for review within three months of the penalty notice, direction or decision on the complaint. The court may make any orders it considers just and appropriate in the circumstances.

Under the UAE Law, the schedule of administrative sanctions is issued by the Cabinet on the proposal of the Director General of the Data Office.

Under the DIFC Law, when the Commissioner considers that a controller or processor is liable for a contravention of the DIFC Law, the Commissioner may impose an administrative fine on that controller or processor and must give them notice of the fine. The fines are set out in Schedule 2 of the DIFC Law and range from USD10,000 to USD100,000, depending on the contravention.

Under the ADGM Regulations, if a controller or processor performs an act or abstains from performing an act in contravention of a direction issued by the Commissioner of Data Protection or the ADGM Regulations (or subsequent rules made thereunder), they shall be subject to imposition of an administrative fine by the Commissioner. The Commissioner shall send a written “penalty notice” to the controller or processor. The penalty imposed by the Commissioner must not exceed USD28 million.

Okadoc Technologies Limited (21 May 2024)

The ADGM Commissioner of Data Protection imposed a monetary penalty of USD20,000 on Okadoc Technologies Limited (“Okadoc”) for violating the ADGM Regulations. The penalty pertained to a breach of individual rights, specifically to Okadoc’s failure to comply with a data subject’s access request. The Office of Data Protection’s investigation revealed that Okadoc lacked adequate measures to identify, facilitate and fulfil the request.

The Commissioner of Data Protection issued a penalty notice under Section 55(1) for breaches related to Articles 10(1) to (5), 22(1) and (2) concerning “implementation of technical and organisational measures to process the personal data”, as well as Article 29 of the ADGM Regulations, which pertains to the rights of data subjects.

Venture Rock Global Limited (23 June 2023)

The ADGM Commissioner of Data Protection issued a direction under Section 54(1) for breaches related to Articles 4(1)(f), 22(1), 22(2), 29, 30(1) and 30(2) of the ADGM Regulations, which encompass obligations regarding data security and processing.

In its assessment, the Commissioner found that Venture Rock had contravened the ADGM Regulations through a lack of security, a lack of policies and procedures, and inappropriate technical and organisational measures; the report attributed “human error from poor cybersecurity practices” as a root cause of the incident. The lack of proper training, awareness and appropriate policies/procedures was a key factor in the contravention.

Through Regulation 10 of its Data Protection Regulations, the DIFC has amended its data protection regime to oversee the use of autonomous and semi-autonomous systems, particularly those driven by artificial intelligence (AI) and machine processing. Regulation 10 applies to such systems and processes, whether autonomous or semi-autonomous, used within the DIFC’s jurisdiction. It emphasises:

  • the ethical use of systems;
  • risk assessment and mitigation;
  • accountability and oversight;
  • that the processing must be transparent; and
  • that users and data subjects must be informed about the role of AI in decisions that affect them.

Although neither the ADGM nor the DIFC has enacted laws specifically dedicated to AI, both have incorporated AI-related considerations into their existing data protection and governance frameworks. These provisions ensure that AI applications in financial services are used responsibly, ethically and in accordance with data protection standards.

AI regulation in the UAE has a significant impact on data protection, with the introduction of guidelines and safeguards that ensure the ethical and secure use of personal data. The interplay between AI-specific initiatives and general data protection laws creates a robust framework for addressing the challenges posed by AI technologies.

AI technologies often involve automated decisions and profiling, which can significantly impact on individuals. The UAE’s Federal Decree Law No 45 of 2021 on personal data protection requires explicit consent for such processing.

Individuals have the right to contest decisions made solely through automated means, enhancing data subjects’ rights.

As discussed in 4. Sectoral Issues, the ADGM Commissioner of Data Protection has taken enforcement action (a penalty notice in one case and a direction in the other) in two cases concerning contravention of the ADGM Regulations; neither case resulted in litigation concerning privacy.

Okadoc Technologies Limited (21 May 2024)

The violation involved failure to comply with a data subject’s access request, breaching individual rights. The penalty was a USD20,000 fine under the ADGM Regulations. Adequate processes were lacking for identifying, facilitating and fulfilling the access request.

VentureRock Global Limited (23 June 2023)

The violation involved deficiencies in data security, policies and procedures. The ADGM Commissioner of Data Protection found that poor cybersecurity practices due to human error, inadequate training, and lack of proper policies and procedures contributed to the violation.

Collective redress, as defined and practised in the EU and other jurisdictions, is not as clearly outlined or widely implemented in the UAE with respect to personal data privacy.

The TDRA has issued a regulatory policy on the Internet of Things (IoT). The policy applies to all persons connected with IoT within the UAE, including but not limited to:

  • licensees;
  • IoT service providers; and
  • IoT service users, including individuals, businesses and the government.

Objective/Scope

The IoT policy has the following objectives:

  • ensuring secure IoT services;
  • addressing reasonable demands for IoT services;
  • promoting continuous innovation in IoT;
  • efficiently managing limited resources;
  • safeguarding the rights and interests of IoT users; and
  • offering transparency to facilitate IoT market growth.

Obligations

Any provider of IoT services must comply with UAE telecommunications laws and regulations and with the IoT policy. An IoT service provider must register with the TDRA and obtain an IoT service provider registration certificate.

IoT service providers must have a local presence or appoint a representative to act as a point of contact with the TDRA.

Service providers must ensure that the service they provide is adequate and reliable.

When processing and storing personal data, an IoT service provider must follow the principles of purpose limitation, data minimisation and storage limitation.

Secret, sensitive and confidential data of individuals and businesses must be stored within the UAE; it may be stored outside the country only where the storage location offers an equal or higher level of security.

Secret, sensitive and confidential data of the government must remain in the UAE.

Service providers must apply encryption standards, and data processors/service providers must implement technical measures that enable inspection of stored data.

IoT services in the UAE are also regulated by Federal Law No 3 of 2003 (the “Telecommunications Law”), which provides penalties for contravention of the law.

Non-compliance with the IoT policy by IoT service providers or users is treated as a breach of the Telecommunications Law and may be penalised by the TDRA.

The UAE has a set of data privacy laws that are applicable in the federal domain and special economic zones (the ADGM and DIFC).

Federal Decree Law No 45 of 2021 applies in the mainland and is modelled on general data protection principles.

The DIFC free zone is governed by DIFC Data Protection Law No 5 of 2020, which is aligned with the General Data Protection Regulation (GDPR).

The ADGM free zone is governed by the ADGM Regulations.

These data privacy laws are largely in line with global data privacy laws (such as the GDPR) but are also custom-made in accordance with local requirements and traditions.

Apart from these dedicated data privacy laws, certain sectoral laws provide protection to consumers with respect to data privacy.

Financial Sector

The financial sector is governed by:

  • the Central Bank’s consumer protection standards, which govern the disclosure of consumers’ data, transparency in the collection of consumers’ data, and the protection of consumers’ data and assets; and
  • Federal Decree Law No 14 of 2018, concerning the Central Bank and the regulation of financial institutions and activities, which regulates the protection of customers of licensed financial institutions.

Telecommunications Sector

The TDRA has issued the Consumer Protection Regulation, which gives protection to the privacy of subscribers’ information.

Healthcare Sector

In the realm of data privacy, the healthcare sector is governed by Federal Law No 2 of 2019 on the use of information and communications technology (ICT) in health fields. The law ensures the security and safety of health data and information.

Cybersecurity

Federal Decree Law No 34 of 2021 on combating rumours and cybercrime integrates data protection measures into cybersecurity frameworks.

All these sectoral laws have as a common element the safeguarding of consumers’ personal data, health data, financial data and subscriber information.

Please see 3.1 Objectives and Scope of Data Regulation.

Please see 1.2 Regulators.

While no specific law regulates the use of cookies in the processing of personal data, the general personal data protection laws apply to their collection and use. Consent must be obtained explicitly from data subjects before non-essential cookies are set, and data subjects must be given clear and accessible options to opt out of cookie usage.
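The consent rule above is a legal requirement rather than a technique, but in practice it is enforced in code. The following is an added illustration, not code from the original guide or from any regulator: a small consent gate that refuses to set a non-essential cookie until the category has been opted in to, records refused writes for audit, and clears a category’s cookies when consent is withdrawn. The cookie jar is an in-memory Map standing in for document.cookie so the module runs outside a browser, and the category names (essential, analytics, advertising) are assumptions for this example.

```javascript
'use strict';

// Added example (not from the original page). Category names are assumptions.
// 'essential' cookies are strictly necessary and may be set without consent;
// every other category requires an explicit opt-in first.
const ESSENTIAL = 'essential';

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;            // cookie name -> { value, category }; stands in for document.cookie
    this.consent = new Set();  // categories the data subject has explicitly opted in to
    this.blocked = [];         // audit trail of writes refused for lack of consent
  }

  // Record an explicit opt-in for one or more categories.
  grant(...categories) {
    for (const c of categories) this.consent.add(c);
  }

  // Opt-out: stop processing for the category and delete cookies already set in it.
  withdraw(category) {
    this.consent.delete(category);
    for (const [name, cookie] of this.jar) {
      if (cookie.category === category) this.jar.delete(name);
    }
  }

  // Set a cookie. Non-essential cookies are refused (and logged) without consent.
  setCookie(name, value, category) {
    if (category !== ESSENTIAL && !this.consent.has(category)) {
      this.blocked.push({ name, category });
      return false;
    }
    this.jar.set(name, { value, category });
    return true;
  }

  names() {
    return [...this.jar.keys()].sort();
  }
}

// Walk through the lifecycle: before consent, after opt-in, after opt-out.
function demo() {
  const gate = new ConsentGate();
  gate.setCookie('session_id', 'abc123', ESSENTIAL);  // allowed before any consent
  gate.setCookie('_ga', 'GA1.2.1', 'analytics');      // refused: no consent yet
  gate.grant('analytics');
  gate.setCookie('_ga', 'GA1.2.1', 'analytics');      // now allowed
  gate.setCookie('ad_id', 'xyz', 'advertising');      // still refused
  const afterGrant = gate.names();
  gate.withdraw('analytics');                         // opt-out clears _ga
  return { afterGrant, afterWithdraw: gate.names(), blockedCount: gate.blocked.length };
}
```

Wiring this into a real site means routing every non-essential cookie write (and every third-party tag that sets its own cookies) through the gate; the audit trail is what lets you show a regulator that nothing was set before the opt-in.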

The UAE Law confers on the data subject a “right to stop processing” where personal data is processed for direct marketing purposes, including profiling to the extent that profiling is related to such direct marketing.

The DIFC Law provides that a data subject has the right to be informed before personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and that the data subject be expressly offered the right to object to direct marketing. The data subject has the right to object to personal data processing for direct marketing purposes, including profiling to the extent that profiling is related to such direct marketing.

The ADGM Regulations carry the same provisions as in the DIFC Law regarding direct marketing. The ADGM Regulations also provide that, when a data subject objects to direct marketing, personal data must not be processed for direct marketing purposes.

Federal Decree Law No 33 of 2021, regarding the regulation of employment relationships, provides that a worker should maintain the confidentiality of information and data to which they have access by virtue of their work.

The UAE Law, the DIFC Law and the ADGM Regulations do not contain any provision concerning the role of labour organisations, whistle-blowing or e-discovery.

In the UAE, data processing in the context of asset deals must comply with both federal and sector-specific data protection regulations. Controllers and processors must abide by the principles and obligations laid down by Federal Decree Law No 45 of 2021 on personal data protection, the DIFC Law and the ADGM Regulations, as applicable.

In addition, Article 120 of Federal Decree Law No 14 of 2018, concerning the Central Bank and the regulation of financial institutions and activities, states that all customer data and information related to accounts, deposits, safe deposit boxes, trusts and associated transactions with licensed financial institutions are strictly confidential. Disclosure to third parties is prohibited without the account owner’s written consent or that of their legal attorney or authorised agent, except in cases permitted by law. This confidentiality obligation remains binding even after the termination of the customer’s relationship with the institution.

The UAE Law provides that personal data may only be transferred outside the UAE to a jurisdiction with a law in place covering various aspects as to the protection of personal data (ie, an adequate level of protection). The personal data may also be transferred to those countries with whom the UAE has bilateral or multilateral agreements in respect of personal data protection.

The DIFC Law provides that personal data may be transferred to a third country or to an international organisation on the basis of an adequate level of protection, as determined by the Commissioner of Data Protection. A list of adequate jurisdictions is issued through the DIFC Data Protection Regulations.

The ADGM Regulations allow the transfer of personal data outside the ADGM or to an international organisation, where the Commissioner has decided that the receiving jurisdiction or the international organisation ensures an adequate level of protection.

There is no requirement for any government notifications or approvals in order to transfer data internationally, except as discussed in 5.3 Data Localisation Requirements related to health data.

There is no requirement of data localisation, except for health information and data, which – under Federal Law No 2 of 2019 – may not be stored, processed, generated or transferred outside the UAE, except upon a decision issued by the Health Authority in co-ordination with the Ministry of Health and Prevention. 

There are no blocking statutes in the UAE.

No information is available on this topic.

Bizilance Legal Consultants

D 3-4, Office 302
Al Sarab Tower, Level 15
ADGM Abu Dhabi
United Arab Emirates

+971 52 914 1118

Saeed.hasan@bizilancelegal.ae
www.bizilancelegal.ae
