Artificial Intelligence (AI) has transformed the cyber threat arena, enabling cyber criminals to conduct more sophisticated, scalable, and convincing attacks than before. From AI-generated phishing campaigns and deepfake fraud to automated vulnerability exploitation, businesses in the UAE face evolving threats that present not only cybersecurity concerns but also significant legal challenges.

As organisations rely more on digital infrastructure in this global age, understanding the legal implications of AI-powered cyberattacks has become essential for risk management, regulatory compliance, and corporate governance.

The Growing Threat of AI-Enabled Crime

AI technologies are being leveraged by malicious actors to automate attacks, impersonate individuals through deepfake technologies, and generate highly personalised phishing communications. These capabilities significantly increase the likelihood of successful cyber intrusions, financial fraud, and unauthorized access to sensitive information.

For businesses in the UAE, the consequences of such attacks extend beyond operational disruption. Cyber incidents may trigger legal obligations relating to data protection, contractual liability, regulatory approval, and potential civil claims.

Data Protection Obligations Under UAE Law

Beyond the immediate operational and financial consequences of an AI-powered cyberattack, UAE businesses must also consider their obligations under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL).

Article 8 of PDPL requires processors to implement appropriate technical and organisational measures to protect personal data and secure the systems used to process such data. Where an AI-powered cyberattack results in the compromise of personal data, Article 9 of PDPL requires the controller to notify the competent authority and, where the breach may affect the privacy, confidentiality or security of personal data, the affected data subjects. Businesses should therefore ensure that incident response measures are capable of identifying and reporting data breaches within the applicable regulatory framework.

Under Article 10 of PDPL, organisations engaged in high-risk processing activities, including those involving large volumes of sensitive data or new technologies, may be required to appoint a Data Protection Officer (DPO). Under Article 11 of PDPL, the DPO is responsible for monitoring compliance, assessing personal data protection systems and intrusion prevention measures, and advising on risk management procedures.

Where an AI-powered cyberattack results in unauthorized access to personal data, affected individuals may seek to exercise their rights under Articles 13 to 18 of PDPL. These rights include the right to obtain information regarding the processing of personal data, request correction of inaccurate information, request erasure of personal data in certain circumstances, and object to particular forms of processing. Businesses experiencing a cyber incident should therefore consider not only their cyber security response but also their ability to comply with data subject rights requests arising from the breach.

Legal Implications of the UAE Cybercrime Law

AI-powered cyberattacks often involve conduct criminalised under Federal Decree-Law No. 34 of 2021 on Countering Rumors and Cybercrimes, including unauthorized access to information systems, identity theft, electronic fraud, unlawful interception of communications, and unauthorized disclosure of data. AI-assisted hacking and unauthorized access to corporate systems may fall within the scope of Article 2, while AI-generated phishing schemes, fraudulent electronic accounts, and digital impersonation fall under Article 11. Article 12 addresses the unlawful interception of communications, Article 13 prohibits the unlawful collection and processing of personal data, and Article 44 criminalises certain violations of privacy.

Corporate Governance Considerations

Cybersecurity is increasingly viewed as a governance issue rather than a solely technical problem. Article 22 of Federal Decree-Law No. 32 of 2021 on Commercial Companies requires company management to exercise due care and protect the interests of the company. Article 23 provides that companies may be bound by acts carried out by authorized employees in the ordinary course of business.

As AI-powered cyber threats become more sophisticated, businesses are expected to implement appropriate cybersecurity controls and employee awareness programmes, especially where employees are deceived by AI-generated phishing communications or deepfake impersonation schemes, resulting in unauthorized payments or disclosure of confidential information.

Civil and Criminal Liability

Civil liability may arise where a cyberattack results in a personal data breach, financial loss, or breach of contractual obligations. Businesses may face compensation claims from affected customers, employees, or business partners if adequate cybersecurity measures were not in place.

Criminal liability generally arises from unlawful conduct associated with the attack. Unauthorized access to systems, AI-generated phishing attacks, deepfake impersonation, unlawful interception of communications, misuse of personal data, fraud, forgery, and identity theft may constitute criminal offences under Federal Decree-Law No. 34 of 2021 on Countering Rumors and Cybercrimes.

Key Compliance Considerations for Businesses

Businesses should:

  1. Implement appropriate cybersecurity controls and monitoring systems
  2. Conduct regular cybersecurity risk assessments
  3. Establish incident response and breach notification procedures
  4. Train employees to identify phishing attacks and deepfake fraud
  5. Review contracts with vendors and third-party service providers
  6. Ensure compliance with data protection obligations under the PDPL

Conclusion

AI-powered cyberattacks create significant legal and operational risks for businesses. Organisations should implement robust security measures, comply with data protection obligations, and maintain effective governance frameworks to reduce exposure to regulatory action, civil claims, and financial losses.

We at Ayesha Aldhaheri Advocates & Legal Consultants assist businesses with cybersecurity compliance, data protection matters, cyber incident response, regulatory investigations, and disputes arising from data breaches and technology-related risks. Our team provides practical legal guidance to help organisations manage cyber risks and meet their regulatory obligations in the UAE.