A Guide to Secure Data Protection for Your Client in UAE_ Dubai & Abu Dhabi

The document outlines the data protection regime in the UAE, focusing on Dubai and Abu Dhabi, including federal laws, criminal offenses related to data breaches, and specific regulations for free zones like DIFC and ADGM. It details various criminal offenses under the UAE Penal Code and the New Cyber Crime Law, including unauthorized access to personal data, defamation, and online communication violations, along with associated penalties. The document emphasizes the importance of privacy rights and the legal implications of data misuse in the digital landscape.

Data Protection Regime in UAE: Dubai & Abu Dhabi

Learning objectives:
1. To understand and analyse the data protection regime in the UAE;
2. To comprehend the criminal offences in the Penal Code relating to publishing or
unlawfully disclosing personal data;
3. To refer to and understand the articles of federal law penalising acts of data
breach such as intercepting phone calls and illegally accessing websites;
4. To understand the federal law governing the collection, processing, and transfer of
healthcare data;
5. To understand the regulatory framework for the Internet of Things (IoT);
6. To learn about the law applicable within the Dubai International Financial Centre:
the Data Protection Law, DIFC Law No. 5 of 2020;
7. To learn about the law applicable within the Abu Dhabi Global Market: the Data
Protection Regulations 2021.

Introduction
The UAE Constitution provides citizens with a general right to privacy, and provisions of
Federal Law No. 5 of 1985 (the Civil Code, as amended by Federal Law No. 1 of 1987) and
Federal Law No. 3 of 1987 (the Penal Code) are also relevant when considering privacy issues.
Sector-specific regulation (such as telecommunications, consumer protection and
cybercrime laws) also grants certain limited data protection rights in specific instances.

The UAE is home to a variety of special economic zones known as “free zones”, which
provide enterprises with tax, customs, and other advantages. The Dubai International
Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM), and the Dubai Healthcare
City (DHCC) have all passed distinct data privacy rules that apply to organizations operating
in their respective free zones.

What are the Criminal Offences covered in the Penal Code relating to publishing or
unlawful disclosure of data?
Article 31 of the UAE Constitution is regarded as the provision conferring a general right to
privacy for UAE citizens: it guarantees the freedom and confidentiality of communication by
post, telegraph, or other legal methods.

Both the Civil Code and the Penal Code are applicable. The Civil Code imposes certain
obligations on employers when dealing with employee information, particularly when
terminating an employee's employment (Article 913 of the Civil Code) and, separately,
provisions on the basis for non-compete agreements where employees have access to
confidential information and/or client information of their employer (Article 909 of the Civil
Code).

© Addictive Learning Technology Pvt. Ltd. Any unauthorized use, circulation or reproduction
shall attract suitable action under applicable law.

Publication of personal data relating to an individual's private or family life is a criminal
offence under Article 378 of the Penal Code. Under Article 380, anyone who opens a letter or
other communication without the consent of the addressee, or eavesdrops on a phone call,
commits an offence. Article 380 also expressly bans the unauthorized disclosure of
communications and other material that a person obtains in the course of his or her
employment.

Social media is a powerful instrument for connecting millions of people, communicating
your opinions and sharing information from your day-to-day life. It is not without dangers,
however: whatever you upload to the internet becomes public at that moment, and you may
unintentionally share your life events with strangers who can exploit that knowledge. Here
are some ground rules to follow:

● Uploading photos: Care should be taken while sharing photographs of people online,
especially on social networking platforms, because the Cyber Crimes Law (Federal Law
No. 5 of 2012) makes it an offense to use any IT means to violate someone else's
privacy, including capturing or publishing pictures of others.
● Confidentiality and privacy: Disclosing secrets about someone's private life without
that person's agreement might lead to legal consequences. Similarly, disclosing
sensitive information, such as that of an employer, might result in legal ramifications
in the UAE.
● Using emoticons and emojis: When communicating online, one should also exercise
caution with certain kinds of emojis. For example, if an emoji with an abusive meaning is
used in a chat and the recipient complains, the sender may risk jail time, fines and
deportation.
● Defamatory statements: It is illegal under the Penal Code to publish material that
exposes another person to public hate or contempt, or to make a false charge that
dishonours or discredits another person.
● It is an offense to use any IT means for activities that are inconsistent with public
morals and good behaviour, such as content that is un-Islamic, blasphemous,
obscene, encourages sinful behaviour, or is targeted at corrupting children, and so on.
● Online monitoring: The UAE TRA monitors accessible online material and forbids
content that contains hacking and harmful programs, as well as Internet content that
provides unlicensed VoIP services and other unlawful Internet content.
● Licensed service providers can also restrict online content where necessary, and the
authorities can take legal action against the people running the sites concerned after
verifying the legitimacy and seriousness of the complaint.


What are the most noteworthy provisions of the new UAE cybercrime legislation in terms
of fines and punishments?
The following are brief explanations of the main provisions of the new UAE cybercrime
legislation (Federal Decree-Law No. 5 of 2012 on Combating Cybercrimes, referred to below
as the New Cyber Crime Law, which replaced Federal Law No. 2 of 2006):

1. Access to an online resource


Previously, Federal Law No. 2 of 2006 provided that anybody who wilfully and unlawfully
accessed an internet site would face imprisonment and/or a fine. Article 2 of the New
Cyber Crime Law drops the express intent requirement and prohibits any individual from
accessing an electronic site unlawfully, without permission, or beyond the limits of the
authorization granted, punishable by imprisonment and/or a fine of not less than AED
100,000 and not more than AED 300,000.

It expressly states that changing, copying, deleting, disclosing, and publishing any data
or information obtained by entering an electronic site illegally and without permission
is punishable by imprisonment for at least six months and/or a fine of not less than
AED 150,000 and not more than AED 750,000.

If the data or information is personal, the New Cyber Crime Law increases the penalty
to one year in jail and/or a fine of not less than AED 250,000 and not more than AED
1,000,000.

According to Article 4 of the New Cyber Crime Law, any person who enters any
electronic site without permission for the purpose of obtaining government data or
confidential information of a financial trade or economic establishment shall be
punished by temporary imprisonment and/or a fine of not less than AED 250,000 and
not more than AED 1,500,000.

If such data is altered, copied, deleted, revealed, or published, the punishment increases to a
fine of not less than AED 250,000 and not more than AED 1,500,000, and/or imprisonment for
not less than five years.

2. Medical data
Article 7 of the New Cyber Crime Law broadens the range of punishable conduct in
relation to medical data and information: anyone who, without permission, obtains, amends,
damages or discloses information obtained online relating to medical records,
examinations, diagnoses, treatment or care faces a temporary prison sentence.

3. Credit card and bank account numbers; secret codes; forgery
Article 12 broadens the definition of private information and punishes anybody who
illegally obtains credit card numbers, electronic card numbers, bank account statements,
or data of electronic payment methods with imprisonment and/or a fine.

It punishes the intent to use, and the actual use of, such information to obtain funds
belonging to third parties with imprisonment of at least six months and/or a fine of not
less than AED 200,000 and not more than AED 1,000,000.

Article 14 of the New Cyber Crime Law additionally makes it a crime to get a
confidential number, code, or password used to access any electronic site without
authorization, punishable by imprisonment and/or a fine of not less than AED 200,000
and not more than AED 500,000.

Article 13 also forbids the forgery, imitation, and copying of a credit card, debit card,
or any other electronic payment method, and punishes those who use and knowingly
accept such credit cards, debit cards, or other electronic payment methods with
imprisonment and/or a fine of not less than AED 500,000 and not more than AED
2,000,000.

4. Communication via electronic means

Article 10 bans the disruption of electronic communication, for example by flooding
electronic mail with spam, in order to protect the privacy and integrity of electronic
communications. Article 15 of the New Cyber Crime Law additionally makes it a crime to
intentionally and without authorization collect and/or intercept online communications.

The offense carries a fine of not less than AED 150,000 and not more than AED
500,000. Furthermore, anyone who divulges information gained in this manner faces
a one-year prison sentence.


5. Gambling and material detrimental to public morality
Article 17 of the New Cyber Crime Law now punishes anybody who creates, transmits,
publishes, or exploits gambling and/or pornographic content or any other material
that may damage public morals using an electronic site.

Any person who builds, runs, or supervises an electronic site and/or transmits, sends,
or publishes gambling and/or pornographic materials using an electronic site will be
penalized by imprisonment and a fine of not less than AED 250,000 and not more
than AED 500,000.

Furthermore, if the subject of the pornographic content is a juvenile under the age of
eighteen, or if the content was designed to entice minors, the offender faces
imprisonment for a period of not less than one year and a fine of not less than AED
50,000 and not more than AED 150,000.

According to Article 19, anybody who incites or tempts another to commit prostitution
through the use of an electronic site faces imprisonment and a fine of not less than
AED 250,000 and not more than AED 1,000,000. If the victim is a juvenile, the
punishment is enhanced for a period of not less than five years and a fine of not more
than AED 1,000,000.

6. Defamation
According to Article 20, anybody who insults others or attributes to another an
occurrence that may expose him to punishment or scorn by others by using an
electronic site faces imprisonment or a fine of not less than AED 250,000 and not
more than AED 500,000. Insult or slander directed against public personnel is
considered an aggravating factor in the offence.

7. Disparagement of religion
Article 35 imposes imprisonment and a fine of not less than AED 250,000 and not
more than AED 1,000,000 on anyone who uses electronic sites to show contempt for
any holy symbols, characters, figures, and rituals of Islam, including the Divinity (Allah,
God) and the Prophets, as well as any other faiths or religions or any of their symbols,
characters, figures, and rituals.


8. Human trafficking
Article 23 of the New Cyber Crime Law makes it a crime to set up, operate, or supervise an
electronic site for the purpose of human trafficking or trafficking in human organs,
punishable by up to a year in jail and a fine of up to AED 1,000,000.

This is an increase over the penalty of temporary imprisonment provided in the 2006
Cyber Crime Law, which also criminalized human trafficking.

9. Sedition, sectarianism and undermining national unity
Article 24 punishes anybody who creates or operates an electronic site, or publishes online
or by any information technology means, programs or ideas that encourage disorder,
hatred, racism or sectarianism, or that harm national unity, social peace, public order or
public decency.

10. Terrorist activity and the trafficking of weapons


Article 25 punishes anyone who runs an electronic site with the aim of promoting or
dealing with firearms, ammunition, or explosives. Article 26 makes it a crime to build,
manage, or oversee an electronic site for a terrorist group or any unlawful group,
association, organization, or body, or to publish information online for a terrorist
group or any illegal group, association, organization, or body.

11. Collecting donations without a permit

Article 27 makes it illegal for anybody to create or operate an electronic site for collecting
donations without first obtaining a license from the competent authority.

12. State protection

Article 29 of the New Cyber Crime Law stipulates penalties of imprisonment and a fine not
exceeding AED 1,000,000 for any person who creates or runs an electronic site, or uses any
information technology means, to disparage or damage the reputation or stature of the
state or any of its institutions, its President, Vice President, any of the Rulers of the
emirates, their Crown Princes or Deputy Rulers, or the state flag, national anthem or other
national symbols.

Article 28 forbids anybody from publishing any information, news, caricatures or other
images that may endanger the state's security or disturb public order.


Article 30 punishes anyone who creates or operates an electronic site with the intent
of overthrowing or seizing the state's system of government, or attempting to disrupt
or obstruct the state's Constitution or effective laws, or opposing the fundamental
principles that form the foundations of the state's system of government.

13. Organizing demonstrations without a permit


Persons who run or oversee an electronic site for the purpose of planning, organizing,
preparing, promoting, or summoning demonstrations or protests or the like without a
license from the relevant authorities face penalties under Article 32 of the New Cyber
Crime Law. Offenders will face imprisonment or a fine of not less than AED 500,000
and not more than AED 1,000,000.

14. Antiquities trade without a permit


Article 33 imposes imprisonment and a fine of not less than AED 500,000 and not
more than AED 1,000,000 on anybody who engages in the unlawful trading of
antiquities and works of art using electronic means.

Furthermore, Article 34 imposes prison time and a fine of not less than AED 250,000 and
not more than AED 1,000,000 on anybody who uses an electronic site to make illegal use of,
or to offer unauthorized facilities for others to use, communication services or audio and
video channels.

15. Online communication services

Article 34 makes it a crime for anybody to benefit unlawfully from, or to unlawfully enable
others to use, internet communication services or audio or video transmission channels.
The provision is not limited to a person's own "use" of such services: it punishes anyone
who illegally accesses or acquires communication services online, whether for themselves
or for a third party.

Article 34 imposes a fine ranging from AED 250,000 to AED 1,000,000 and/or imprisonment
for a term of not less than one year on anybody who benefits from, or unlawfully enables the
use by others of, online communication services or audio or visual transmission channels.

According to the Ministry of Justice's official translation, anyone who uses communication
services, audio, or video broadcasting channels without legal right, or facilitates such use by
others online, will be punished by imprisonment for at least one year and/or a fine of not less
than AED 250,000 and not more than AED 1,000,000.

16. Narcotics and money laundering

Article 36 of the New Cyber Crime Law forbids anybody from creating, maintaining or
overseeing an electronic site, or publishing material online, for the purpose of promoting
narcotics and psychotropic substances. It specifies a punishment of temporary imprisonment
and a fine of not less than AED 500,000 and not more than AED 1,000,000, an increase over
the penalty of temporary imprisonment alone provided for the same conduct in the 2006
Cyber Crime Law.

Article 37 also provides for imprisonment and a fine of not less than AED 500,000 and
not more than AED 2,000,000 for anyone who uses electronic sites to transfer or deposit
illegal funds with the intent of concealing or disguising their source, or to conceal or
disguise the facts about illegal funds, their source, movement, ownership or the rights
attached to them.

Let us now understand the Federal Law governing collection, processing, and transfer of
healthcare data
On February 6, 2019, the UAE adopted Federal Law No. 2 of 2019, which governs the
collection, processing and transfer of electronic health data and may have a substantial
impact on healthcare service providers and life sciences firms operating locally.

Cloud-based health solutions that gather, store and process health data may be especially
affected. While the full scope of the new rules is still unknown, firms engaged in the
sector must closely follow developments.

Federal Law No. 2 of 2019:

● Aims to raise the minimum bar for health data protection and introduce concepts that
are on par with international best practice in information technology and privacy law;
● Continues the legislative trend toward localization of sensitive categories of data; and
● Paves the way for centralized health data capture and analysis to support public
health.

The Law applies to any businesses operating in the UAE, whether onshore or from one of
its free zones (including Dubai Healthcare City), that provide the following services:


● Healthcare services;
● Health insurance services (including insurance brokers or suppliers of associated
administrative services); or
● Any other services, directly or indirectly, connected to the healthcare sector or
engaged in activities involving electronic health data processing.

These parties are referred to collectively as Healthcare Service Providers in this note.

New requirements of the Law

1. Health data regulation


The Law's scope is broad: it governs the processing of all electronic health data,
regardless of form, including patient names, information gathered during
consultation, diagnosis, and treatment, alphanumeric patient identifiers, Current
Procedural Terminology (CPT) codes, images produced by medical imaging technology, and
lab results, among other types of data.

2. Prohibition on storing health data outside the UAE

Subject to specific exclusions, the Law states that health data may not be transmitted
outside the UAE. The Law also forbids the storage of health data relating to health
services delivered in the UAE outside of the UAE.

As a result, cloud solutions hosted outside the UAE, outsourcing of IT services to overseas
locations, remote IT support from other departments within multinational Healthcare
Service Providers, and remote collection and monitoring from outside the UAE, via
applications and wearables, of patient information generated within the UAE (such as heart
rate, sleep patterns or step counts) may all be adversely affected.

The Law provides for several exceptions to the default data localization obligations,
which will be set out in later ministerial decisions or implementing regulations.

3. Minimum health data processing standards


The Law includes a variety of principles comparable to international data protection
systems, in addition to strengthening Healthcare Service Providers' obligation to
safeguard the confidentiality of health data. As an example:


Purpose limitation: Patient information shall not be used for any purpose other than
the provision of health services, unless the patient gives prior agreement.

Accuracy: Healthcare Service Providers must guarantee that the health data
processed is accurate and reliable.

Security measures: Healthcare Service Providers must implement security measures to
protect health data and prevent unauthorized processing, damage, modification, deletion,
or revision.

Non-disclosure/patient consent: The Law reaffirms existing requirements not to disclose
patient data to any third party without the patient's prior consent.

4. Retention period
Health data must be kept for a minimum of 25 years from the date of the last
procedure performed on the patient, or for longer where necessary.

5. Centralized data management system
The UAE Ministry of Health will build and run a new centralized data management
system (DMS) to ease access to, storage of, and interchange of health data.
Healthcare Service Providers must register in order to have access to the DMS and
identify all individuals who are allowed to do so.

6. Website blocking for advertising or licensing breaches
The UAE Ministry of Health has the authority to direct the relevant local or federal
health authorities to block any website, whether within or outside the UAE, that does
not comply with the regulations governing healthcare advertising or provides
healthcare information without a license or permission from the UAE Ministry of
Health.

Exceptions to the general rule

A patient's information may be used or shared without the patient's consent only in the
following circumstances:

● To allow insurance companies and other bodies paying for medical care to verify financial
entitlement;
● For scientific research (provided that the identity of the patient is not disclosed and
applicable scientific research standards and guidelines are complied with);
● For public health preventive and treatment measures, such as during a public health
crisis;
● Upon the request of a competent judicial authority; or
● For public health objectives, including inspections, at the request of the competent
health authority.

What businesses should do

While the Law establishes the fundamental framework for establishing the DMS and for
formally regulating the processing of health data, a number of critical issues must still be
addressed by implementing regulations and/or subsequent ministerial decisions. These
include, most significantly, the rules and process for registering to use the DMS, as well as
the exemptions from the data localization requirements. Companies affected by the Law
are recommended to take the following precautions:

● Conduct a data mapping exercise to identify what type of health data is held, where it is
processed, and with whom it is shared;
● If any of these third parties are based overseas, take steps to stop transferring health
data to them, or anonymize or pseudonymize the health data transferred;
● If any health data cannot be anonymized or pseudonymized owing to the nature of the
processing operations, find alternative third-party service providers to handle such data
within the UAE's borders;
● Review contracts with third-party service providers that process personal data to verify
that the contractual responsibilities for data processing and information security are
sufficient to satisfy the new legal standards;
● Consider placing additional duties on service providers to promote legal compliance, such
as yearly audit rights;
● To ensure that no health data leaves the UAE and that the minimum statutory compliance
criteria are satisfied, add a step to the existing compliance sign-off procedure prior to the
adoption of new operational processes and business lines.

Healthcare Service Providers will almost certainly be given a grace period to comply with
the Law. Developments should be watched closely as new regulations and resolutions are
issued.

Regulatory Framework for Internet of Things (IoT)

The Communications and Information Technology Commission (CITC) of the Kingdom of
Saudi Arabia is required by the Telecommunications Act, the Telecom Act Bylaw and the
CITC Ordinance to oversee the telecommunications and information technology sectors in
the Kingdom, including the provision of Internet of Things (IoT) services.

The CITC released its IoT regulatory framework to govern all IoT services and use cases, in
line with its role in supporting ICT technologies and enabling IoT implementations in the
Kingdom on a broad scale, with the goal of making the Kingdom a leading country in
developing IoT services.

The Internet of Things (IoT) refers to the ability of virtual and physical objects to share data
with one another over the internet in order to complete specified activities. IoT applications
include a wide range of applications, including smart homes, smart cities, tracking, smart
metering, and linked automobiles, among others.

IoT may be utilized in a variety of industries, including health care, agriculture, utilities, and
transportation. Machine-to-machine (M2M) applications enable communication between
two or more machines without the need for human intervention. They may communicate
via public mobile networks, public fixed networks, and satellites. Point-of-sale terminals and
ATMs are two examples of M2M. For the purposes of the framework, the term IoT is used to
include M2M.

IoT Service Provisioning Requirements

1. IoT services can be delivered across both wired and wireless networks. They may be
categorized as follows, based on the networks used:

● IoT services delivered via mobile networks;
● IoT services delivered via fixed networks;
● IoT services delivered via license-exempt frequencies.

The following are the primary criteria for offering IoT services:

▪ IoT services delivered over mobile networks can be provided by CITC-licensed service
providers such as Facilities Based Unified Licensees, MVNOs, IoT-VNOs, or holders of any
other license established by the CITC. The terms and commitments of the licenses can be
found on the CITC website (www.citc.gov.sa). IoT services over fixed networks can be
provided by Fixed Facilities Based Licensees provided that the offered services fall within
the scope of their licenses.

▪ Service providers holding a Facilities Based Unified License or a Fixed Facilities Based
License from the CITC can provide IoT services over license-exempt frequencies without a
separate "providing IoT services using license-exempt frequencies" license from the CITC,
as long as they meet the technical and security requirements.

2. IoT networks that use license-exempt frequencies can be deployed and operated indoors,
for non-commercial purposes, without a CITC license for "providing IoT services using
license-exempt frequencies" if the following conditions are satisfied:

I. Adhere to data security, privacy and protection requirements;
II. Comply with the Technical Specification (RI114), which can be found on the CITC
website (www.citc.gov.sa);
III. The owners of the buildings and properties concerned are responsible for importing
the equipment and deploying the IoT networks.

3. Only holders of a CITC license for "providing IoT services using license-exempt
frequencies", service providers with a CITC Facilities Based Unified License, or licensed
fixed facilities-based service providers may build IoT networks that utilize license-exempt
frequencies outdoors.

4. IoT over licensed spectrum may be provided by licensed facilities-based operators using
their assigned frequency bands to provide fixed and mobile services via mobile networks or
fixed networks.


The CITC Technical Specification RI114 lists all the frequency bands that can be used for
license-exempt LPWANs. Because license-exempt LPWANs share spectrum with other users,
no frequency license from the CITC is required; nonetheless, the following conditions must
be satisfied.

▪ Because the frequency bands can only be used for secondary purposes, networks
operating in them must not interfere with current or future primary users. Users of
these networks may not request any protection from interference caused by current
or potential primary users.

▪ The users of these bands must stop using them at the request of the CITC and within
the time limit established by the CITC.

▪ Users must monitor future changes to the National Frequency Plan and the related
technical requirements.

5. IoT Devices

Regarding IoT devices, the following conditions must be met:

▪ All radio, EMC, and safety equipment must adhere to the Technical Specifications
published on the CITC website (www.citc.gov.sa).

▪ Before asking for Customs Clearance, the IoT equipment must be authorized by CITC
and receive a Certificate of Conformity. The requirements and processes for
Equipment Approval and Customs Clearance are outlined in the "Regulations for
Importation and Licensing of Telecommunications and Information Technology
Equipment" paper, which is available on the CITC website (www.citc.gov.sa).

▪ Because there are various IoT technologies and standards, the user and service
provider must consider interoperability between IoT networks and equipment so that
any user can, if necessary, transfer and use their equipment among service providers
using the same type of technologies and frequency bands.

▪ The user must be able to alter the credentials and reset the IoT equipment to factory
settings.

▪ All SIM cards used with IoT devices imported into the Kingdom must be supplied by a
local licensed operator.

6. Internet of Things (IoT) Identifiers

An identifier is a set of numbers or symbols that uniquely identify an item in order to
facilitate communication with it. End points are identified using communication IDs
(source, destination). Numbers and IP addresses are currently the most common
communication identifiers used in IoT. The Digital Object Architecture (DOA) is one of
the potential identifiers in this field.

In terms of numbers, IoT will be allocated numbers from the machine-to-machine (M2M)
numbering range of the National Numbering Plan. Either IPv4 or IPv6 can be used for IP
addresses, although IPv6 is strongly recommended since it provides numerous technical
benefits in addition to greater addressing capacity.

7. Data Management

Licensed IoT service providers and indoor IoT network implementers must follow these
guidelines:

▪ Host all servers used in providing IoT services and store all data within KSA;
▪ Comply with all existing or future published laws, regulations, and requirements
issued by CITC or other authorities in the Kingdom concerning data management,
including security, privacy, and data protection for IoT users.

Furthermore, IoT service providers must provide technological capabilities in IoT devices
and equipment to save and retain data so that it may be examined for a period of at
least 12 months or any other period defined by CITC.

What are the general regulations?

In addition to the criteria listed above, IoT service providers must also comply with the
following:

▪ IoT service providers must inform end-users of:

○ The significance of network and data security, as well as recommendations for data
protection;
○ How to use IoT networks and solutions efficiently, describing the characteristics and
service quality of each technology;
○ The potential of interference from other users of shared bands, which might have a
negative impact on service quality;
○ All IoT network components, devices, and data hosts must be kept within the country.

▪ IoT service providers must comply with the Wireless Local Area Networks Regulations
(WLAN/WiFi).

▪ IoT service providers must, when requested, provide CITC with regular reports including
any information and data related to the services they provide. CITC will define the nature
of those reports, the data required, and the timeline for providing them.

▪ Service providers must adhere to all CITC regulations. For further information, reference
should be made to the CITC website (www.citc.gov.sa).

Let’s understand the laws which are applicable within the Dubai International Financial
Centre: Data Protection Law, DIFC Law No. 5 of 2020
The Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020 (the
“New DP Law”) came into force on July 1, 2020. Due to the pandemic, a three-month grace
period was granted until October 1, 2020, for firms to comply. The New DP Law repeals
DIFC Law No. 1 of 2007.

The New DP Law is part of an effort to ensure that the DIFC, a financial hub for the Middle
East, Africa, and South Asia, meets the data protection standard required to receive an
“adequacy” finding from the European Commission and the United Kingdom, which would mean
that companies may transfer EU/UK personal data to the DIFC without putting in place a
transfer mechanism such as Standard Contractual Clauses.

The New DP Law applies to firms formed in the DIFC, regardless of where processing
occurs, as well as to companies incorporated elsewhere that process personal data in the
DIFC as part of stable arrangements (other than occasional processing). In the latter case,
the New DP Law applies solely to processing operations conducted within the DIFC. Many
features of the EU's General Data Protection Regulation (the "GDPR") are reflected in the
New DP Law, including:

Accountability Obligations: Controllers must implement procedures to demonstrate
compliance with the New DP Law, comparable to the GDPR's accountability requirements.

Data Protection Principles: The New DP Law establishes processing standards that are
essentially comparable to the GDPR's data protection principles.

Lawful Basis for Processing: The New DP Law generally offers the same legal basis for
personal data processing as the GDPR. Concerning consent, the New DP Law incorporates
parts of the GDPR's norm, namely, that consent be freely provided and shown by a clear
affirmative act displaying an unequivocal signal of permission.

Data Subject Rights: Data subjects have specific rights in relation to their personal data,
and data controllers are also obligated to provide data subjects with information on
processing and an individual's data rights.

DPOs and DPIAs (Data Protection Impact Assessments): A DPO must be appointed to
monitor and advise on compliance with the New DP Law where a controller or processor
engages in “high risk processing activities” on a systematic or regular basis, the definition of
which includes criteria similar to, but not identical to, the criteria for appointing a DPO
under the GDPR. Furthermore, high-risk processing operations necessitate the conduct of a
DPIA by a controller.

Data Transfers: The New DP Law bans transfers outside of the DIFC unless the
Commissioner of Data Protection has certified that the destination jurisdiction, or a
designated sector within the recipient jurisdiction, offers an acceptable degree of data
protection (a departure from the GDPR). Standard Contractual Clauses and Binding
Corporate Rules are two of the available protections that will allow such transfers.

Notification of Data Breach: Controllers must inform the Commissioner of Data
Protection of any personal data breach that jeopardizes a data subject's confidentiality,
security, or privacy. Data subjects must also be notified if the breach poses a substantial
risk to their security or rights.

Special Category Data: Unless a derogation exists, there is a general ban on the
processing of special category data.

Controller-Processor Agreements: Mirroring Article 28 of the GDPR, controllers must
enter into legally binding written agreements with processors to whom they disclose
personal data, and processors are obliged to do the same with sub-processors.

Certain parts of the California Consumer Privacy Act of 2018 (“CCPA”) and its planned rules
are also incorporated into the New DP Law. In particular, the New DP Law follows the
CCPA in banning companies from discriminating against individuals who exercise their
rights, including by offering a financial inducement or a price or service differential
(subject to certain exemptions).

On 5 July 2021, The Dubai International Financial Centre (DIFC), the leading international
financial hub in the Middle East, Africa, and South Asia (MEASA) region, announced that the
DIFC Authority's Board of Directors approved the issuance of the Intellectual Property
Regulations (IP Regulations), which went into effect on 5 July 2021.

The Intellectual Property Regulations are issued under the Intellectual Property Law, DIFC
Law No. 4 of 2019 (IP Law), and aid in the administration and enforcement of the DIFC IP
Law. The DIFC's Intellectual Property Law and Regulations supplement and enhance the
UAE's existing intellectual property laws by cooperating with the federal regime while
adhering to the DIFC legal framework, common law principles, and the certainty provided
by binding legal precedent established by the DIFC courts.

The new IP Regulations reflect the Centre's ongoing commitment to maintaining a
transparent and robust legal and regulatory framework that is aligned with global best
practice. They also support the DIFC's focus on fostering innovation by identifying and
protecting intellectual property rights, which is critical for technology and start-up
companies.

DIFC's one-of-a-kind structure provides it with a strong regulatory and legal framework,
allowing the Centre's clients to conduct business with confidence. All businesses registered
in the DIFC are subject to the Centre's laws, which have been adopted to govern the
day-to-day activities of the enterprises and persons in the DIFC.

To access the laws and regulations administered by the DIFC Authority, refer to its
official legal database:
https://www.difc.ae/business/laws-regulations/legal-database/

Laws applicable within the Abu Dhabi Global Market: Data Protection Regulations 2021
The Abu Dhabi Global Market (ADGM) implemented its new Data Protection Regulations
2021 on 14 February 2021. The Regulations replace the previous Data Protection
Regulations and take effect after a 12-month transition period for existing
establishments (i.e., firms that were established in the ADGM before 14 February 2021) and
a six-month transition period for new establishments (i.e., companies that were
incorporated in the ADGM on or after 14 February 2021).

Following a period of public consultation, the Regulations were adopted to better align the
ADGM's personal data processing standards with the European Union's General Data
Protection Regulation. Notably, the Regulations make modifications to recognize the value
of personal data and to defend the rights of data subjects.

We've listed some of the main changes brought about by the Regulations that you should
be aware of whether you or your company is headquartered in ADGM or does business
with a company situated there.

On 26 June 2021, the Abu Dhabi Global Market (ADGM) Financial Services Regulatory
Authority (FSRA) released a consultation document proposing regulatory framework
modifications to help promote the use of non-face-to-face digital verification of identity
(eKYC) in ADGM and reduce any associated risks.

The proposed enhancements are in reaction to the significant increase in the use of eKYC to
onboard clients in ADGM, and they are consistent with a wider trend toward digitalisation
of the customer experience across a variety of sectors, which has only been accelerated by
the global pandemic.

In May 2020, a number of UAE regulatory bodies, including the FSRA, issued the “Joint
Guidance on the Treatment of Financial Crime Risks and Obligations in the UAE in the
Context of the Covid-19 Crisis” (the Joint Guidance), which encouraged the use of eKYC
while emphasizing the importance of putting appropriate measures in place to mitigate any
inherent risk.

The proposed changes in the consultation paper build on and expand the ideas stated in
the Joint Guidance, as well as comparable guidance released by the Financial Action Task
Force (FATF).

The proposed changes would apply to all businesses obliged to conduct customer due
diligence (CDD) in ADGM, including financial services firms authorized and regulated by the
FSRA, Designated Non-Financial Businesses and Professions (DNFBPs), and Non-Profit
Organizations (NPOs). As a result, all entities engaged in CDD are invited to evaluate the
issues presented in the consultation. The suggested changes would also have a broader
impact beyond the usage of eKYC, such as when onboarding clients with multiple
nationalities.

About Abu Dhabi Global Market (ADGM)

The Abu Dhabi Global Market (ADGM) Free Zone provides a high-quality regulated
environment for individuals in the financial industry, as well as non-financial service
providers.

ADGM, which spans much of Al Maryah Island in Abu Dhabi, is well-connected by road, air,
and water — it is just 15 minutes from the Zayed Port and 30 minutes from Abu Dhabi
International Airport.

What is the territorial scope?

The Regulations have broadened the net to include any personal data processing
associated with the operations of a data controller or data processor based in or operating
from the ADGM. This is true regardless of whether the processing takes place in the ADGM
or through an establishment outside of the ADGM.

The appointment of a Data Protection Officer

The Regulations compel your company to designate a Data Protection Officer in the
following situations:

● Data processing is carried out by a public authority (except for courts acting in their
judicial capacity);
● Your company's core activities include personal data processing operations that
necessitate regular and systematic monitoring of data subjects on a large scale; or
● Your company's core activities consist of processing special categories of personal
data on a large scale (i.e. data that reveals racial or ethnic origin, political opinions,
religious or philosophical beliefs, genetic or biometric information, health
information, sexual orientation, or criminal convictions).

However, it is important to note that the obligation to appoint a Data Protection Officer
will not apply to your company if it employs fewer than five people, unless it carries out
high-risk processing activities. This includes (but is not limited to) scenarios where:

● A high volume of personal data is processed;
● The processing is likely to result in high risk to the relevant data subjects;
● The processing includes special categories of personal data (set out above).

Furthermore, the Data Protection Officer does not need to be present in the ADGM or be
an employee of the data controller; in fact, they may hold several roles within a firm
and/or serve multiple enterprises.

Nonetheless, a significant requirement is that the Data Protection Officer be selected
based on their professional skills, including (in particular) expert knowledge of data
protection legislation and practices, as well as their capacity to carry out the
responsibilities outlined in the Regulations. As a result, if your company is required to
designate a Data Protection Officer, you must ensure that the individual in question can
meet these criteria.

Having to pay the new data protection charge

If your company serves as a data controller, it must now pay a data protection charge to the
Commissioner of Data Protection for a period of 12 months from the day your company
began processing personal data, as well as an annual renewal fee. The precise amount of
the fees owed to the Commissioner, however, has yet to be established.

Completing relevant policy documents

The Regulations also include a one-of-a-kind obligation for all firms subject to the
Regulations to have "appropriate policy documents" in place if they process special
categories of personal data. In practice, this means that your firm will most likely need to
amend or develop policies and contractual instruments in order to achieve complete
compliance with the Regulations. Your company's privacy policies, employment rules, and
anti-money laundering policies, in particular, may need to be reviewed to address how and
why personal data will be gathered and how long it will be stored.

Personal data breaches must be reported to the Commissioner.

If your company suffers a personal data breach, or operates as a data controller for
personal data when such a breach has happened, you must inform the Commissioner
within 72 hours of becoming aware of the breach, unless it is unlikely to endanger the data
subjects' rights. If notification is not made within 72 hours of the data breach, you must
explain the delay. Additionally, if the personal data breach is likely to result in a serious
danger to the data subjects' rights, the data controller must notify the affected parties as
soon as possible.

On-time response to a data subject's request

The Regulations give data subjects specific rights and establish a two-month deadline
for your firm to respond to and comply with any data subject request once it is received.
However, for complex requests, the compliance period may be extended by another two
months.

Conducting an impact analysis

The Regulations require a data controller to perform a data protection impact assessment
when the processing of data is likely to result in a high risk to natural persons' rights. The
Commissioner is expected to publish a list of processing operations that are subject to the
obligation for a data protection impact assessment. As a result, if your company is a data
controller, you should be on the lookout for additional notifications from the
Commissioner.

Dodging penalties

Because the Regulations impose significant fines for data breaches, your firm should
have proper measures and procedures in place to guarantee that data is protected
appropriately. The Regulations set a maximum fine of USD 28 million for administrative
infractions, with the possibility of higher fines for more serious offenses. In the event of
numerous violations for the same or related behaviour, penalties will be applied and the
USD 28 million maximum will apply cumulatively.

Recap:
1. Understanding the most noteworthy provisions of the new UAE cybercrime legislation
in terms of fines and punishments.

2. Article 7 of the New Cyber Crime Law now broadens the definition of conduct in relation
to medical data and information by stating that anyone who obtains, amends, damages,
or discloses information obtained online related to medical records, examinations,
diagnoses, treatment, or care without permission will face a temporary prison sentence.

3. Learning and understanding:

● Communication via electronic means;
● Activities involving gambling and items that are detrimental to public morality;
● What amounts to defamation;
● Articles for disparagement towards religion;
● Sedition, sectarianism, and undermining national unity are all unacceptable;
● Terrorist activity and the trafficking of weapons;
● Donation collection without a permit;
● State protection;
● Organizing demonstrations without a permit;
● Antiquities trade without a permit;
● Online communication services;
● Money laundering and narcotics.

4. Knowing about the Federal Law governing the collection, processing, and transfer of
healthcare data.

5. Regulatory Framework for Internet of Things (IoT) and its provisioning requirements.

6. Understanding the Laws which are applicable within the Dubai International Financial
Centre: Data Protection Law DIFC Law No. 5 of 2020.

7. Learning about completing relevant policy documents and how Personal data breaches
must be reported to the Commissioner.

8. Comprehending the process to conduct an impact analysis and Dodging penalties.
