UAE updates cybercrime law

The UAE’s national cybercrimes legislation was last updated in 2012, but has now been repealed and replaced as part of the country’s legal reform programme by Federal Decree-Law No. 34 of 2021 Concerning the Fight Against Rumours and Cybercrime (the New Cybercrimes Law). In this article, we provide a commentary on various important changes and new offences that have been introduced by the New Cybercrimes Law.

Overview

The New Cybercrimes Law was published in the Official Gazette on 26 September 2021 and took effect on 2 January 2022. The scope of the New Cybercrimes Law’s application has been expanded to include commission of cybercrimes that are prepared, planned, directed, supervised or financed in the UAE, or otherwise considered to undermine the interests of the UAE or its citizens and residents.

Most crimes under the previous legislation have been replicated in similar terms, but some are notably broader or have been re-introduced with a specific focus on particular sectors (such as banking, media and healthcare).

The broadening of certain offences potentially captures internet service providers and raises concerns around liability of intermediaries. There are new offences that seem likely to have been introduced to better regulate the use of social media in the UAE, including in relation to the dissemination of fake news and misinformation.

Sector-specific prohibitions

The New Cybercrimes Law sets out offences that are specific to sectors which are considered essential to the country, including banking, media, health and scientific institutions. There are also certain enhanced sanctions for offences involving government data and government institutions. Previous offences relating to unauthorised access to systems and data have been split out into more granular offences dealing specifically with unauthorised access and hacking.

Penalties for hacking the system of a health, scientific, media or banking institutions can range from AED 500,000 to AED 3,000,000, in addition to the possibility of imprisonment. The crime for unlawfully accessing or tampering with government data could lead to a prison sentence of not less than 10 years and a fine of up to AED 5,000,000.

Data protection violations

The New Cybercrimes Law contains a provision that makes it a criminal offence to collect, store or process personal data of UAE nationals or residents in violation of other laws. This is notwithstanding the passing of the UAE’s personal data protection law as part of the same package of legal reforms, which separately regulates the processing of personal data in the UAE. The criminal penalties introduced by the New Cybercrimes Law would seem to be applicable in addition to any sanctions stated in the data protection law or similar legislation.

The unlawful disclosure of personal data could lead to a six-month prison sentence and a fine of between AED 20,000 and AED 100,000.

The New Cybercrimes Law also makes it unlawful to monitor, disclose or hold the location data of individuals without consent. This is a new form of privacy breach that is specified in UAE law for the first time, alongside the previously existing scenarios such as the unauthorised interception of communications, taking photographs and spreading information that could harm a person.

Fake news and misinformation

The offence of disseminating false information under the New Cybercrimes Law is much broader than under the previous law. It is neither limited to false information nor to information that harms the state. There appears to be a particular focus on misinformation and fake news on social media.

While users are responsible for the content they create and publish online and likely to be the primary targets or any criminal proceedings brought against them by the competent authorities, there is no express safe harbour defence in the law for internet service providers or social media platforms. The offence carries a prison sentence of at least one year, and a fine of up to AED 200,000.

Liability under the law

The New Cybercrimes Law contains a provision that explicitly imposes a penalty on a person in charge of a company, although there is a requirement to prove that they had knowledge and that the breach of their duties contributed to the commission of the crime.

In relation to intermediaries, a new enforcement power also allows for the confiscation of proceeds obtained as a benefit from illegal content. Additionally, any party that operates a website or electronic account where the offence was committed can be fined up to AED 10,000,000 if they refuse to remove the illegal content or block access to such content, or refuse to comply with an order from the regulator or competent authorities without an acceptable excuse.

What should organisations do?

With a range of enhanced offences and sanctions under the New Cybercrimes Law, organisations should review IT usage policies and reinforce messages to staff and contractors around the use of email, websites and electronic communications.

Marketing teams and social media managers should familiarise themselves with the UAE’s content regulation to ensure that advertising materials and communications do not fall foul of the new law.