Last review date: 18 December 2024
☒ omnibus – all personal data
The UAE has enacted its own standalone data protection law, Federal Decree-Law No. 45 of 2021 regarding Personal Data Protection ("PDPL"). The PDPL borrows heavily, in terms of its concepts and content, from the EU General Data Protection Regulation but excludes government entities and government data from its scope. It also does not apply to financial or health data where that is subject to separate regulation or to any free zones that have their own data protection regime (see below).
☒ sector-specific
The UAE has introduced sector-specific laws that regulate different categories of data, most notably in the healthcare, telecoms and financial services sectors. Certain economic zones are also subject to their own data protection laws, notably the financial free zones of Dubai International Financial Centre ("DIFC") and Abu Dhabi Global Market ("ADGM"). There is also a patient health data regulation in the Dubai Health Care City free zone and, in the Emirate of Dubai, the Dubai Data Law mandates the sharing, use and reuse of data relating to the Emirate. Please refer to the separate chapters on DIFC and ADGM for analysis of those regimes.
☒ constitutional
The main UAE federal laws are:
Further laws and regulatory requirements apply in particular contexts and to specific types of technology.
There is no federal law on cybersecurity. Instead, cybersecurity issues are regulated at a sector level and by a range of policies, standards and guidelines. Not all of these requirements are routinely made publicly available.
There is no general regulation of non-personal data.
Sectoral rules, such as those in telecoms, healthcare or financial services, may regulate categories of data that could include personal and non-personal data. The PDPL excludes from its scope government data and (to the extent that they are covered by separate legislation) financial and healthcare data.
In the Emirate of Dubai, the Dubai Data Law mandates the sharing, use and reuse of data relating to the Emirate.
Separate regulation on government data is anticipated. The Central Bank of the UAE has issued various rules and standards imposing requirements on financial institutions regarding the protection of banking information, and the Healthcare ICT Law includes provisions relating to the protection of health information.
Yes.
The PDPL came into force on 2 January 2022. It is the first omnibus personal data protection law in the UAE and enshrines many of the core principles and concepts found in the EU General Data Protection Regulation ("GDPR").
The implementing regulations to the PDPL, which will expand on key topics including the penalties for breach, were set to be published within six months of the date the PDPL was published in the official gazette (i.e. by 28 May 2022). However, the regulations had not been published as at the end of 2024.
Controllers and processors will have six months from the date that the implementing regulations are issued to achieve compliance with the PDPL, although the data protection regulator has the ability to extend this period if necessary.