Data & Privacy · UAE

Comprehensive law: Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), administered by the Emirates Data Office (established under Federal Decree-Law No. 44 of 2021); DIFC and ADGM financial free zones maintain parallel, independent GDPR-aligned regimes

The UAE enacted its first omnibus data protection law — Federal Decree-Law No. 45 of 2021 (PDPL) — which came into force on 2 January 2022 and applies to mainland processing of personal data by domestic and foreign entities alike. Executive Regulations issued in 2024 activated detailed compliance obligations, with the Emirates Data Office as the mainland supervisory authority. DIFC and ADGM each operate separate data protection regimes with independent enforcement offices.

Primary Law (PDPL)

Federal Decree-Law No. 45 of 2021 is the UAE's first comprehensive, omnibus personal data protection statute, in force from 2 January 2022. It applies extraterritorially to any entity — domestic or foreign — processing personal data of individuals located in the UAE.

Supervisory Authority

The Emirates Data Office, created by Federal Decree-Law No. 44 of 2021, is the mainland supervisory authority responsible for enforcement, issuing binding guidance, maintaining controller registers, and receiving data-breach notifications.

Data Subject Rights & Legal Bases

Data subjects hold rights to access, rectification, erasure, restriction of processing, and data portability, broadly comparable to GDPR. Consent is the primary legal basis for processing personal data; limited exceptions exist for public interest and legal obligations.

Free Zone Parallel Regimes

DIFC operates under DIFC Data Protection Law No. 5 of 2020 (substantively amended by Amendment Law No. 1 of 2025, effective 15 July 2025, expanding individual rights and cross-border transfer rules); ADGM operates under its Data Protection Regulations 2021, each with an independent supervisory office and enforcement powers.

Cross-Border Transfers

Transfers of personal data outside the UAE are permitted only to jurisdictions determined by the Emirates Data Office to provide adequate protection, or subject to approved safeguards such as standard contractual clauses or binding corporate rules.

Penalties & Child Digital Safety

The PDPL provides for administrative fines up to AED 5 million (~USD 1.36 million) and criminal penalties (minimum 6 months' detention) for serious violations. Federal Decree-Law No. 26 of 2025 on Child Digital Safety further imposes mandatory age verification, content-filter, and parental-control obligations on digital platforms, with elevated penalties for breaches involving minors.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.