The development of the digital world has led to personal data being knowingly or unknowingly shared. Data is important for development and innovation, and hence trust that the data will be protected is also important for the continued willingness to share data. The protection of personal data is a fundamental right of every person. Personal data refers to any information that relates to an identified individual or someone who can be identified, either directly or indirectly. This identification may occur through linking different data points or by using identifiers such as a name, voice, image, ID number, online identifier, or location data, as well as physical, physiological, economic, cultural, or social characteristics.
The Federal Decree-Law No. 45 of 2021 (PDPL) was introduced as a cornerstone law for data protection in the UAE. It is the first law that was drafted in partnership with major technological companies in the UAE. It ensures the confidentiality of information and protects the privacy of individuals in the UAE. It lays down proper governance for data management and protection, along with defining the rights of all the parties. This law applies to the processing of personal data, fully or partially, through electronic systems, inside or outside the UAE. The law ensures that personal data is processed by organisations in a manner that maintains data security, confidentiality, and privacy.
Consent of the data subject is a very important principle and legal basis for data processing under this law. However, there are a few circumstances in which data may be processed without the consent of the data subject:
- Contracts — If you’re entering, changing, or ending a contract (like signing up for a service), the company can process the data necessary to fulfil that agreement.
- Publicly available data — If you made the information public (posted it online, shared it openly), others can process it without additional consent.
- Protecting your interests — In emergencies where you can’t give consent (unconscious, unreachable) but processing your data would help you, like sharing medical info with a hospital, your data can be processed.
- Legal proceedings and security — When data is needed to defend legal rights, comply with court orders, or meet security requirements.
- Medical and public health purposes — For treatment, diagnosis, or managing public health threats (like disease outbreaks).
Other laws relating to data protection
- Constitution: The UAE Constitution recognizes the general concept of privacy under Article 31.
- Federal Decree Law No. 34 of 2021 on Combatting Rumours and Cybercrimes – This legal framework addresses concerns relating to misuse and abuse of online technologies. Article 13 establishes that it is a criminal offence to use information technology or related systems to collect, store, or process the personal data of UAE nationals or residents in violation of applicable laws, including the Data Protection Law. In addition, Article 6 criminalises unauthorised access to personal electronic data.
- Federal Law No. 15 of 2020 on Consumer Protection – It ensures consumers the right to privacy and security of their data. It prohibits suppliers from misusing consumer data for marketing purposes.
- Federal Law No. 31 of 2021 Promulgating the Crimes and Penalties Law (the Penal Code) – Article 432 of this federal law states that disclosing secret information relating to another person for personal gain is a criminal offence. Further, under Article 431 it is also an offence to intercept or eavesdrop on a private conversation, or to capture an image of a person in a private place, without consent.
- Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology (ICT) in Health Fields – This law ensures that patient data relating to medical procedures is protected. The law also prohibits the transfer of any patient data outside the UAE without special permission.
- Telecommunications and Digital Government Regulatory Authority (TDRA) implements the Internet Access Management (IAM) policy – This policy is implemented in coordination with the National Media Council, Etisalat and Du. Under this policy, online content that is used for impersonation, fraud and phishing and/or invasion of privacy can be reported to Du or Etisalat to be taken down.
- Electronic Transactions and Trust Services Law – This law regulates the validity of electronic documents and increases the value of digital signatures and their level of security.
- Dubai Data Law – One of the aims of this law is data protection and privacy.
Regulatory Authority
The federal data regulatory authority in the UAE is the UAE Data Office. It is responsible for preparing policies and legislation for data protection, along with issuing guidelines for enforcing them. It also proposes and approves the standards for monitoring data protection and prepares grievance redressal systems.
Administrative and criminal sanctions
The UAE Data Office has the authority to receive complaints and impose administrative penalties, but the law does not expressly provide data subjects with a right to compensation or redress, which may instead be pursued under general tort principles. The PDPL does not mention any criminal penalties; however, violations may overlap with the Cybercrime Law and Penal Code, which can impose serious consequences including imprisonment and substantial fines. In practice, enforcement of criminal provisions appears more focused on privacy violations than on technical data breaches, though there is limited formal guidance. Additionally, the Consumer Protection Law introduces criminal sanctions for certain violations, with fines reaching up to AED 1 million.
Data Protection Laws in Free Zones (DIFC, ADGM, DHCC)
The free zones have enacted their own data protection laws. The DIFC and ADGM data protection laws are like the GDPR. DIFC issued the Data Protection Law No. 5 of 2020 and Data Protection Regulations 2020, whereas ADGM enacted the Data Protection Regulations 2021. Dubai Healthcare City, a free zone focussed on healthcare services, issued its own regulation, the DHA Health Data Protection Regulation, 2013. These regulations are strongly aligned to international data protection principles.
The regulating authority for the DIFC is the Commissioner of Data Protection, and for the ADGM it is the Data Protection Office. Dubai Healthcare City (DHCC) is governed by the Dubai Healthcare City Authority.
Administrative sanctions and compensations – In the DIFC, the standard fines are up to USD 100,000; fines might go higher for serious breaches. Public reprimands could also be included. In the ADGM, fines could go up to 218 million. In the DIFC and ADGM, individuals can claim compensation for material and non-material damage.
H.E. Omar Bin Sultan Al Olama, Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications, remarked, “data protection laws are among the laws with the lowest compliance costs.” The UAE has established a comprehensive and multi-layered data protection framework that reflects the growing importance of privacy in a rapidly evolving digital landscape. Under the Federal Decree-Law No. 45 of 2021, the regime emphasises consent, accountability, and the secure handling of personal data, while being supported by a range of complementary laws addressing cybercrime, consumer protection, healthcare data, and digital transactions. The presence of the UAE Data Office as a central regulatory authority further reinforces the country’s commitment to effective governance and oversight. At the same time, the free zones DIFC, ADGM, and Dubai Healthcare City demonstrate a sophisticated and internationally aligned approach, particularly through the adoption of GDPR-like principles and stronger enforcement mechanisms, including higher penalties and clearer rights to compensation.
Our team at Ayesha Al Dhaheri Advocates and Legal Consultants provides specialised legal services in UAE data protection and privacy law, advising on Federal Decree-Law No. 45 of 2021 (PDPL) and the broader regulatory framework governing personal data, including lawful processing, consent, data security, and cross-border transfers. We also assist with related laws on cybercrime, consumer protection, healthcare data, and electronic transactions, as well as DIFC, ADGM, and Dubai Healthcare City data protection regimes aligned with international standards. Our firm supports clients in achieving compliance, managing regulatory risk, and addressing data privacy matters through advisory services, representation, and dispute resolution across the UAE’s evolving digital landscape.
