Reforms to UAE Penal Code raise data protection and data management compliance standards

This article analyses recent amendments to the UAE Penal Code which have an effect on data protection, privacy, confidentiality and reputation management issues in the UAE.

Federal Decree-Law No. 7/2016 dated 18 September 2016 introduced wide-ranging reforms to the UAE Penal Code (Federal Law No. 3/1987).

Those interested in understanding the data protection and privacy landscape in the UAE, as well as confidentiality and reputation management issues in the country, should note the following new articles introduced into the Penal Code by Decree-Law No. 7:

  • Article 247 (bis): “Any public servant or a person entrusted with a public service in other than the preceding Article, who unlawfully gives, destroys, hides away or facilitates to another, data or information that came to his knowledge of or that he has extracted by reason of his office shall be sentenced to temporary imprisonment.” (Title 2, Chapter 2, “Abuse of Office and Misuse of Authority”)

    This Article extends criminal liability for misuse or unauthorised disclosure of communications or other data to public servants other than employees of postal, telegraph and telephone authorities (whose conduct was already criminalised under the preceding Article of the Penal Code). This may have been prompted by the significant growth in “smart government” initiatives in the UAE and the corresponding increase in data flows between government and citizen. Notably, Decree-Law No. 7 also extends the scope of “public servant” in Article 5 of the Penal Code to include officers and employees of “companies owned, wholly or partially, by the Federal Government or local governments”.

  • Article 380 (bis): “Any person who unlawfully reproduces, distributes or provides others with the content of a telephone call, message, information, data or other issues which came to his knowledge by virtue of his work shall be punished by a jail sentence.” (Title 7, Chapter 6, Crimes Perpetrated against Reputation, Libel, Insult and Disclosure of Secrets)

    This Article has the potential to criminalise a broad range of conduct. Article 379 of the Penal Code already criminalised the divulging of “secrets” which a person obtains “by virtue of his profession, craft, position or art”, but the new Article will capture a wider range of data, including personal data which is disclosed “unlawfully”.

    Most strikingly, since the Penal Code applies in the Dubai International Financial Centre and the Abu Dhabi Global Market, two financial free zones with their own data protection laws, this Article could have the effect of criminalising disclosures of personal data to data processors, or transfers of personal data to other jurisdictions, which are not made in compliance with those laws.

Data-related obligations in the UAE, be it in the context of digital data processing, record retention, consensual collection or privacy are evolving as technology and progressive initiatives are embraced and championed by the government. While the law plays catch up, this will remain a complex area which will require scenario and sector-specific legal analysis.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.