Cybercrime is a criminal activity done using computers and the internet. This includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary offenses such as creating and distributing viruses on other computers or posting confidential business information on the Internet.
The New Cybercrimes Law was published on 26 September 2021 and took effect on 2 January 2022. The scope of the New Cybercrimes Law’s application has been expanded to include commission of cybercrimes that are prepared, planned, directed, supervised or financed in the UAE, or otherwise considered to undermine the interests of the UAE or its citizens and residents.
Most crimes under the previous legislation have been repeated in similar terms, but some are notably broader or have been re-introduced with a specific focus on specific sectors.
The broadening of certain offences potentially captures internet service providers and raises concerns around liability of intermediaries. There are new offences that seem likely to have been introduced to better regulate the use of social media in the UAE, including in relation to the spreading of fake news and misinformation.
Sector-specific prohibitions
The New Cybercrimes Law sets out offences that are specific to sectors which are considered essential to the country, including banking, media, health and scientific institutions. There are also certain enhanced sanctions for offences involving government data and government institutions. Previous offences relating to unauthorized access to systems and data have been split out into more granular offences dealing specifically with unauthorized access and hacking.
Penalties for hacking the system of a health, scientific, media or banking institutions can range from AED 500,000 to AED 3,000,000, in addition to the possibility of imprisonment. The crime for unlawfully accessing or tampering with government data could lead to a prison sentence of not less than 10 years and a fine of up to AED 5,000,000.
Data protection violations
The New Cybercrimes Law contains a provision that makes it a criminal offence to collect, store or process personal data of UAE nationals or residents in violation of other laws. This does not overturn the passing of the UAE’s personal data protection law as part of the same package of legal reforms, which separately regulates the processing of personal data in the UAE. The criminal penalties introduced by the New Cybercrimes Law would seem to be applicable in addition to any sanctions stated in the data protection law.
The illegal disclosure of personal data could lead to a 6 month prison sentence and a fine of between AED 20,000 and AED 100,000.
The New Cybercrimes Law also makes it unlawful to monitor, disclose or hold the location data of individuals without consent. This is a new form of privacy breach that is specified in UAE law for the first time, alongside the previously existing scenarios such as the unauthorized interception of communications, taking photographs and spreading information that could harm a person.
Fake news and misinformation
The offence of disseminating false information under the New Cybercrimes Law is much broader than under the previous law. It is neither limited to false information nor to information that harms the state. There appears to be a particular focus on misinformation and fake news on social media.
While users are responsible for the content they create and publish online and likely to be the primary targets or any criminal proceedings brought against them by the competent authorities, there is no express safe harbor defense in the law for internet service providers or social media platforms. The offence carries a prison sentence of at least one year, and a fine of up to AED 200,000.
Liability under the law
The New Cybercrimes Law contains a provision that explicitly imposes a penalty on a person in charge of a company, although there is a requirement to prove that they had knowledge and that the breach of their duties contributed to the commission of the crime.
In relation to intermediaries, a new enforcement power also allows for the confiscation of proceeds obtained as a benefit from illegal content. Additionally, any party that operates a website or electronic account where the offence was committed can be fined up to AED 10,000,000 if they refuse to remove the illegal content or block access to such content, or refuse to comply with an order from the regulator or competent authorities without an acceptable excuse.
What should organizations do?
With a range of enhanced offences and sanctions under the New Cybercrimes Law, organizations should review IT usage policies and reinforce messages to staff and contractors around the use of email, websites and electronic communications.
Marketing teams and social media managers should familiarize themselves with the UAE’s content regulation to ensure that advertising materials and communications do not fall foul of the new law. In addition to this they must also consult any legal advisors regarding anything they post online to ensure they are not violating any articles under the New Cybercrimes Law.
