EPIC --- Privacy and Human Rights Report
The Constitution of the United Arab Emirates (UAE) guarantees the right to privacy. The UAE Constitution in Article 31 states that an individual enjoys "Freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law."
The UAE has no comprehensive data protection or privacy law. The UAE is in the process of creating a Federal Data Privacy Commission that will regulate the credit rating business and all aspects relating to data privacy. A draft federal law on data protection is expected to be presented before the Federal Cabinet in the near future.
Article 378 of the Penal Code prohibits the publication of people's private affairs: "Shall be punishable by confinement for a period not exceeding one year and by a fine not exceeding ten thousand Dirhams in both cases or by one of these two penalties any individual who, through any means of publicity, publishes news, pictures or comments pertaining to the secrets of the people's private or familial lives even if such publications are real and true."
Article 379 of the Penal Code provides that: "... any individual who by reason of his profession, craft, situation or art is entrusted with a secret and who discloses it in cases other than those permitted by the law, who uses it for his own advantage or another person's advantage ... Shall be punishable by confinement for a minimum period of one year and by a fine of at least twenty thousand Dirhams or by one of these two penalties ... all this unless the individual to whom the secret pertains has consented that it be disclosed or used."
The Civil Code contains no provisions pertaining to the protection of privacy, online or otherwise. As a result, individuals in the UAE currently do not have the right to sue and demand compensation for alleged transgressions of personal privacy.
The Labour Law provides that an employer of more than five employees is required to collect certain information on its employees. This information includes, at a minimum, an employee's name, occupation, age, nationality, marital status, date of recruitment, remuneration, place of residence, any penalties imposed on him and any employment injuries or occupational diseases.
The Dubai Electronic Transactions and Commerce Law prohibits the intentional disclosure of any information included in records or files or electronic messages which became accessible to the individual through his or her employment, subject to certain exceptions. Violations are punishable by imprisonment and/or a fine of up to 100,000 DHS (19,700 EUR). 
A federal decree by Shaikh Maktoum Bin Rashid Al Maktoum, Vice President and Prime Minister and Ruler of Dubai, established the Dubai International Financial Centre (DIFC) on September 16, 2004.
Shaikh Mohammad Bin Rashid Al Maktoum, Crown Prince of Dubai, UAE Defence Minister and President of the DIFC, issued a set of 12 laws that formally establish and govern the DIFC and its independent regulatory authority, the DIFC Financial Services Authority (DFSA). The 12 laws are: the Regulatory Law, the Companies Law, the Law on the Application of Civil and Commercial Laws, the Law relating to the Application of DIFC Laws, the Limited Liability Partnership Law, the Contract Law, the Insolvency Law, the Arbitration Law, the Data Protection Law, the General Partnership Law, the Markets Law, and the Law Regulating Islamic Financial Business. DIFC laws apply to all entities registered and operating in the DIFC. UAE law does not apply (with the exception of the criminal law, which contains some privacy provisions).
The Data Protection Law 2007 (DPL), which came into force January 6, 2007, regulates the collection, handling, disclosure, storage and use of personal data and also grants certain rights to the individuals to whom the data relates. The DPL is based on the principles contained in the EU Data Protection Directive. Section 9 of the DPL requires data controllers to ensure that data is processed fairly, for limited purposes, is accurate, and is only retained for as long as is necessary to fulfill the purpose. The DPL defines the term “sensitive information” and sets out special provisions for processing sensitive data, including the requirement of a processing permit. The DPL also sets out the technical and organizational safeguards required to protect personal information. Data subjects have the right to access and correct the data, as well as to object to the processing of data. The DPL creates a Commissioner of Data Protection to whom complaints can be addressed. The Commissioner may investigate and issue findings. All entities within the DIFC had to comply with the DPL by June 30, 2007; any entities found to be non-compliant after June 30, 2007 will be subject to fines and penalties.
The Data Protection Regulations set out the procedure of permit registration for the processing of sensitive information, and for the transfer of information to third countries. The Regulations also provide further guidance to data controllers in terms of record keeping and notification.
A permit must be obtained from the Commissioner in order to transfer personal information out of the DIFC. The DIFC Commissioner of Data Protection applies the same adequacy standards with regard to third countries as set out by the Article 29 Working Party of the European Commission on Data Protection. The Commissioner has published a list of countries that meet the adequacy standard; these include 28 European Union and European Economic Area countries, Switzerland, Argentina, Canada, Guernsey, Isle of Man, and the US Department of Commerce Safe Harbor Policy.
The UAE Telecommunications Regulatory Authority announced in June 2007 that it will create a UAE Computer Emergency Response Team (aeCERT) for the detection and prevention of cyber crime in the country. TRA Director-General Mohammed Al Ganem said the response team would serve as a point of contact for incident reporting in the country, and also collaborate with international cyber crime prevention organizations. The Team may also assist in the drafting of new cybercrime laws.
Every person must register for an identity card within six months of having turned 15 years of age. The front side of the card includes the holder's name, nationality, personal photo and the 15-digit ID number. The electronic chip contained on the card stores a face photo, digital certification and fingerprints. The backside of the card shows the date of birth, sex, signature of the holder, number and date of card validity. Cards are valid for five years.
In April 2007, the government announced plans to transition from identity cards to “smart cards,” all-in-one cards that will replace labor, residency and health cards. The smart card will also act as an e-gate, ATM card and an e-passport. In addition to current personal data stored on the identity card chip, the smart card will include iris scans of both eyes. The card will have two 64-bit chips. Mass enrollment of the national ID system will start by the middle of 2007.
The Gulf region is increasingly adopting biometric security systems to confirm the identity of individuals in the workplace and at government sites, including airports and border points. The Dubai Bank, for instance, has introduced biometric security systems, where lockers are offered to consumers in different sizes at different annual rates. Cash can, therefore, be stored safely and can only be accessed through several security checks, including a palm print biometric scan.
The UAE was admitted to the United Nations on December 9, 1971. It is also a member of the International Labor Organization.
 Internet City Global IT Initiatives <http://www.internetcitylaw.com/glbit.htm>.
 “Federal body to regulate credit business and data privacy,” Gulfnews.com, April 19, 2007, available at <http://archive.gulfnews.com/articles/07/04/19/10119279.html>.
 Federal Law No. 3 of 1987. See Internet City Global IT Initiatives <http://www.internetcitylaw.com/glbit.htm>.
 Federal Law No. 8 of 1980 (as amended) at Art. 53 and 54.
 Federal Law No. 2 of 2002.
 “Key legislation to establish DIFC issued,” Gulfnews.com, September 20, 2004, available at <http://archive.gulfnews.com/articles/04/09/20/132665.html>.
 James Michael, “Dubai Adopts First DP Law in an Arab Country,” Privacy Laws and Business, February 2007.
Protection Law 2007, DIFC Law No. 1 of 2007, available at
 Id. at Part 2.
 Id. at art. 10.
 Id. at Part 3.
 Id. at Part 5.
 Commissioner of Data Protection, Circular No.1: Enforcement and Compliance Notice, May 29, 2007, available at <http://www.dp.difc.ae/legislation/circulars/files/circular_no_01.pdf>.
 Data Protection Regulations 2007, available at <http://www.dp.difc.ae/legislation/dp_regulations/>.
 Data Protection Commissioner, Transferring Data Outside the DIFC, available at <http://www.dp.difc.ae/legislation/transferring_personal/>.
 Ivan Gale, “UAE creates team to fight cyber crime,” Gulfnews.com, April 5, 2007, available at <http://archive.gulfnews.com/articles/07/04/05/10116057.html>.
 Federal Law No. (9) For the Year 2006 Apropos Population Register System and the Identity Card, 9th Rabee AL Akher 1427 H., May 7, 2006, available at
 Emirates Identity Authority <http://www.emiratesid.ae/en/?T=1&ID=343>.
 Jay B. Hilotin, “Smart ID Cards for Every Resident,” Emirates Identity Authority, April 26, 2007, available at <http://www.emiratesid.ae/en/?T=13&ID=38>.
 Esha Nag, supra.