Cybercrime in the UAE (page 1 of 3)

By Rebecca Kelly and Diana Hudson, Clyde & Co.

In an era where we have increasingly put more of our lives and businesses online, individuals and businesses face new challenges protecting their information and reputation in the form of cybercrime.

For individuals there is the threat of viruses, identity theft and cyber stalking. For businesses, there is the fear their systems can come under attack, either externally or by negligent and malicious acts of their employees or third parties, putting vital data and reputations at risk.

Pricewaterhouse Coopers' (PwC) Global Economic Crime Survey of 2011 highlighted cybercrime as a serious emerging risk and threat to businesses the world over. The Middle East is no exception. Indeed, one need only refer to the cyber-attack suffered by Saudi Aramco in August 2012 to note this worrying trend.

As awareness of the implications of cybercrime increases around the globe, many jurisdictions have put into place specific legislative regimes, compliance with which is crucial in the effort to limit the financial and reputational harm that consumers and businesses may suffer as a result of such breaches.

Data Privacy and Data Loss

Data privacy laws are enacted to focus on the protection of and storage of personal data. These laws usually address and sanction illegal use, disclosure and processing of personal data. In most legal systems, "personal data" refers to information relating to an identified or identifiable individual.

The term 'data loss' refers not just to the accidental loss of information, but may also include any data breach. It may, therefore, take the form of infiltration of a company's IT system by external parties or a virus. Or, most likely, result from an employee's deliberate or negligent actions, such as leaking confidential information to external parties, incorrect use of email forwarding or losing (or having stolen) equipment such as laptops or USB flash drives.

UAE Legal Framework / Federal Laws

There is no specific data protection law in the UAE, however there is a data protection law in certain free zones (explained in more detail below). For the rest of the UAE, restrictions and or penalties relating to data privacy can be found in a number of legislative sources including:
• The UAE Constitution of 1971, which enshrines the right to privacy of personal information and guarantees "Freedom of communication by post, telegraph or other means of communication and the secrecy thereof."
• The UAE Penal Code of 1987 (as amended), which in particular prohibits:
o (a) the publication, through any means, of news, pictures or comments pertaining to the secrets of people's private or familial lives;
o (b) any person who by reason of profession, craft, circumstance or art, is entrusted with a secret from disclosing or using (to his or another's advantage) that secret without the consent of the individual concerned or where not otherwise permitted by law; and
o (c) the interception and/or disclosure of correspondence or a telephone conversation without the consent of the relevant individuals. For those who fail to adhere to the law, the Penal Code sets severe penalties, which include fines and imprisonment.
• The UAE Civil Transactions Law, Federal Law No.