Data protection & privacy laws in UAE (2026)
The UAE enacted its first omnibus data protection law — Federal Decree-Law No. 45 of 2021 (PDPL) — which came into force on 2 January 2022 and applies to mainland processing of personal data by domestic and foreign entities alike. Executive Regulations issued in 2024 activated detailed compliance obligations, with the Emirates Data Office as the mainland supervisory authority. DIFC and ADGM each operate separate data protection regimes with independent enforcement offices.
Key points
Federal Decree-Law No. 45 of 2021 is the UAE's first comprehensive, omnibus personal data protection statute, in force from 2 January 2022. It applies extraterritorially to any entity — domestic or foreign — processing personal data of individuals located in the UAE.
The Emirates Data Office, created by Federal Decree-Law No. 44 of 2021, is the mainland supervisory authority responsible for enforcement, issuing binding guidance, maintaining controller registers, and receiving data-breach notifications.
Data subjects hold rights to access, rectification, erasure, restriction of processing, and data portability, broadly comparable to GDPR. Consent is the primary legal basis for processing personal data; limited exceptions exist for public interest and legal obligations.
DIFC operates under DIFC Data Protection Law No. 5 of 2020 (substantively amended by Amendment Law No. 1 of 2025, effective 15 July 2025, expanding individual rights and cross-border transfer rules); ADGM operates under its Data Protection Regulations 2021, each with an independent supervisory office and enforcement powers.
Transfers of personal data outside the UAE are permitted only to jurisdictions determined by the Emirates Data Office to provide adequate protection, or subject to approved safeguards such as standard contractual clauses or binding corporate rules.
The PDPL provides for administrative fines up to AED 5 million (~USD 1.36 million) and criminal penalties (minimum 6 months' detention) for serious violations. Federal Decree-Law No. 26 of 2025 on Child Digital Safety further imposes mandatory age verification, content-filter, and parental-control obligations on digital platforms, with elevated penalties for breaches involving minors.
Timeline - major decisions & events
Establishes a cross-sector federal framework banning collection of personal data of children under 13 without verifiable parental consent and prohibiting targeted advertising to minors; requires age verification, content filtering, and parental controls from all digital platforms and ISPs. Effective 1 January 2026 with a one-year compliance window.
Source: UAE Federal Legislation Portal (uaelegislation.gov.ae)
Most significant overhaul of the DIFC data-protection regime since 2020: introduced a statutory private right of action allowing data subjects to sue controllers directly before DIFC Courts without first filing with the Commissioner, expanded extraterritorial scope to any controller processing data in the DIFC, and tightened rules on disclosures to public authorities.
Source: DIFC Official Legal Database
Detailed implementing rules for the 2021 PDPL: 72-hour mandatory breach notification to the Data Office and 7-day notification to affected individuals, DPO appointment conditions, cross-border data transfer whitelisting criteria, and mandatory Data Protection Impact Assessments for high-risk processing. Organizations received a six-month grace period; full enforcement deadline set for 1 January 2027.
Source: UAE Government Official Portal (u.ae)
Federal Decree-Law No. 45/2021 (PDPL) and Federal Decree-Law No. 34/2021 on Combatting Rumours and Cybercrimes became operative on the same date, creating a dual enforcement regime: civil/administrative penalties up to AED 10 million under the PDPL and criminal prosecution (including imprisonment) for unauthorised data access and disclosure under the Cybercrime Law.
Source: UAE Government Official Portal (u.ae)
Twin federal decrees on the same date: FDL No. 44/2021 established the Emirates Data Office as the national data-protection regulator with powers to issue guidance, set adequacy decisions for cross-border transfers, and levy fines; FDL No. 45/2021 — the Personal Data Protection Law — created the UAE's first comprehensive federal privacy statute, introducing GDPR-style data-subject rights, consent requirements, sensitive-data categories, and data-minimisation principles.
Source: UAE Federal Legislation Portal (uaelegislation.gov.ae)
Abu Dhabi Global Market replaced its 2015 regime with a GDPR-aligned framework introducing comprehensive data-subject rights, mandatory breach notification, DPO requirements, controller accountability, and restrictions on cross-border transfers. Came into force after a 12-month transition for existing ADGM entities and 6 months for new entrants.
Source: ADGM (Abu Dhabi Global Market)
Replaced the 2006 cybercrime statute with substantially broader criminal penalties for unauthorised electronic access, data interception, and privacy violations affecting individuals and government systems. Served as the principal federal tool for data-privacy enforcement for nearly a decade until superseded by FDL No. 34/2021.
Source: TDRA — Telecommunications & Digital Regulatory Authority
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.