Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 18 December 2024

The Emirates Data Office ("Data Office") was established under Federal Decree-Law No. 44 of 2021 as the new data regulator in the UAE. Among other responsibilities, the Data Office will be responsible for enforcing the PDPL and for issuing supporting legislation and guidance. As of the end of 2024, the Data Office was not publicly operational.

In relation to the Dubai Data Law (which regulates data relating to the Emirate and applies to federal and local government entities, as well as private sector companies designated to be in-scope), Digital Dubai is the entity that develops and oversees the implementation of policies and strategies relating to Dubai’s information technology, data, digital transformation, and cybersecurity.

In November 2020, the UAE established the UAE Cybersecurity Council with the aim of developing a comprehensive cybersecurity strategy and creating a safe and strong cyber infrastructure in the UAE. The council is chaired by the Head of Cyber Security for the UAE Government and contributes to creating a legal and regulatory framework that covers all types of cybercrimes, securing existing and emerging technologies and establishing a robust ‘National Cyber Incident Response Plan’ to enable swift and coordinated response to cyber incidents in the country.

How active is each of the regulator(s)?

Last review date: 18 December 2024

Data Office

☒ Not very

Digital Dubai

☒ Moderately active

National Cybersecurity Council

☒ Moderately active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 18 December 2024

Prior to the PDPL being enacted, the main privacy-related legislation in the UAE comprised a number of offences in the Penal Code and Cybercrimes Law relating to the disclosure of personal information or secrets. This required law enforcement authorities to investigate complaints and to refer any offences that they identified to the public prosecutor to raise charges where they deemed appropriate. In our experience, the majority of cases brought by the public prosecutor under those provisions related to data theft by employees or financial crimes, as well as complaints in the context of broader disputes between the concerned parties.

While the PDPL was issued in September 2021 and came into force on 2 January 2022 according to its terms, the implementing regulations required to supplement various aspects of the PDPL had not been issued and the regulatory authority was not publicly operational by the end of 2024. Controllers and processors will be granted a grace period of six months from the issuance of the implementing regulations to become compliant with the PDPL. We anticipate that the regulator (once established) is likely to focus initially on outreach and education before taking substantive enforcement action.

Other governmental bodies and regulators (such as the Telecommunications & Digital Government Regulatory Authority (“TDRA”), Cybersecurity Council, UAE Council for Artificial Intelligence, and Digital Dubai) will continue their mandates to develop strategy and policy relating to data and cybersecurity within their relevant fields.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 18 December 2024

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

       Rare

Class actions/group actions under data or cyber regulation are:

       Not available in the jurisdiction

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 18 December 2024

N/A. The PDPL does not currently detail the sanctions imposed for violations. These are to be clarified by a Cabinet decision stating the acts that constitute a violation of the PDPL and its implementing regulations and the administrative penalties to be imposed.

If data subjects have private remedies, what form can these remedies take?

Last review date: 18 December 2024

The PDPL does not envisage representative or class actions. Accordingly, any such claims would likely need to be brought in accordance with the requirements of the UAE civil law.