Data protection law at the heart of UAE cybersecurity strategy

Out-Law Analysis | 30 Sep 2019 | 4:16 pm | 3 min. read

A new data protection law is to be introduced in the UAE to underpin a new national cybersecurity strategy under plans published by the Telecommunications Regulatory Authority (TRA).

The change to data protection law will follow on from the introduction of the General Data Protection Regulation (GDPR) in Europe and will form part of a wider package of legislative changes that policy makers in the UAE hope to deliver in response to growing cyber risks.

Data protection in the UAE

There is currently no specific data protection law covering all of the UAE, although a patchwork of other laws provides some rights to privacy and prohibits certain actions, including the disclosure of data obtained electronically in an unauthorised manner. Sector-specific laws deal with the confidentiality of data in certain scenarios.

Data protection reform has already been implemented in the Abu Dhabi Global Market (ADGM) and, more recently, in Bahrain. Further plans to update data protection law in the Dubai International Financial Centre (DIFC) and Oman have been outlined too.

According to a report by Tech Radar, Mohammad Al Zarooni, director at the TRA, said that a data protection law will be drafted for the UAE to support the TRA's new national cybersecurity strategy for 2020-25.

Al Zarooni said the UAE will "look at the best performing practices performed worldwide", including the GDPR, when drafting the new data protection law.

"We want to make sure that whatever regulations are put, are easy to be implemented across different sectors," he said, according to Tech Radar.

In the longer term, a data protection law covering all of the GCC states is a possibility, Al Zarooni said, though he has admitted that "it will be challenging to come up with".

The UAE's national cybersecurity strategy

The new cybersecurity strategy contains 60 initiatives. They include measures to extend existing cybersecurity laws and regulations to all forms of cybercrime, introduce new cybersecurity standards for SMEs, mandate cybersecurity certification for government suppliers, and train 40,000 new cybersecurity experts.

The strategy also includes further plans to bolster the security of critical infrastructure across the government, energy, ICT, electricity and water, finance and insurance, emergency services, health, transportation, food and agriculture sectors.

The TRA has said 12 national awards will be given annually to individuals and organisations to encourage entities to drive cybersecurity programmes, inspire entrepreneurs to innovate in cybersecurity, and support and motivate students to pursue cybersecurity careers.

Changes to cyber crimes law in 2018

A series of amendments to the UAE's Cybercrimes Law, including harsher penalties and sanctions for those who commit technology-related offences, were made in 2018 and serve as a precursor to the changes likely to follow through implementation of the national cybersecurity strategy.

Those reforms represented the latest in a series of updates to electronic and cyber legislation in the UAE. As cybercrime becomes more widespread and increasingly harmful, the UAE government is seeking to extend the sanctions against cyber criminals and bring the legislation into line with the latest standards and technologies.

Federal Decree-Law No. 2 of 2018 (the Amending Decree) was issued to amend certain provisions of Federal Decree-Law No. 5 of 2012 on combatting IT crimes (the Cybercrimes Law), although the update did not amount to substantial changes for organisations operating in the UAE.

The penalty for establishing, managing or running a website or publishing electronic information that promotes terrorist groups or unauthorised organisations was increased from a minimum five-year imprisonment and AED 2,000,000 ($540,000) fine to imprisonment for a period of between 10 and 25 years with a fine of up to AED 4,000,000 ($1.09m). In addition, uploading, retransmission or publication of content from such sites is now an offence punishable by up to five years' imprisonment and a fine of up to AED 1,000,000 ($272,000).

In either case, the court may send the offender for counselling or put them under electronic surveillance to prevent them from using any IT media for a period decided by the court.

The offence under Article 28 relating to establishing, managing or running a website or using electronic information with intent to incite acts that may endanger national security, state interests or public security has also been widened to cover acts that may endanger judicial or law enforcement officers.

Without prejudice to provisions in the Penal Code, the UAE courts may deport any foreign party that is guilty of crimes relating to honour or specified in the Cybercrimes Law.

Tom Bicknell is a Dubai-based expert in financial services at Pinsent Masons, the law firm behind Out-Law.