UAE Data Privacy Laws: Federal PDPL, DIFC & ADGM Guide (2026)

The UAE governs personal data through three distinct frameworks: Federal Decree-Law No. 45 of 2021 (the PDPL) for mainland entities, the DIFC Data Protection Law No. 5 of 2020 for DIFC-registered organizations, and the ADGM Data Protection Regulations 2021 for ADGM entities. Which law applies depends on where your entity is registered.
The United Arab Emirates has constructed one of the Middle East's most layered data protection frameworks. Unlike jurisdictions that rely on a single statute, the UAE operates three legally distinct regimes that apply to different categories of organization, and two major federal laws address specialized sectors. Getting jurisdiction mapping wrong is the most common compliance error for organizations entering the UAE market.
This guide covers all three data protection regimes in depth, the sectoral laws that sit alongside them, the 2024-2026 developments that have materially changed compliance obligations, and comparison tables to help organizations quickly identify which framework governs their operations.
Information last verified on 2026-05-19. This article presents general legal information about UAE data protection law. It does not constitute legal advice. Statutes cited reflect their in-force versions as of May 19, 2026.
Jurisdiction scope: This article addresses (1) the federal UAE Personal Data Protection Law, Federal Decree-Law No. 45 of 2021; (2) the DIFC Data Protection Law No. 5 of 2020 and its 2025 amendments; (3) the ADGM Data Protection Regulations 2021 and the 2025 Substantial Public Interest Conditions Rules; (4) Federal Law No. 2 of 2019 on ICT in healthcare; and (5) Federal Decree-Law No. 26 of 2025 on Child Digital Safety. It does not address data protection law in other Gulf Cooperation Council states or in UAE free zones other than the DIFC and ADGM.
For context on how the UAE's recording-consent rules interact with personal data, see the UAE recording laws article.
Quick Answer: The UAE Has Three Distinct Data Protection Regimes
The UAE's data protection architecture has three legally separate layers, and identifying the correct one is the threshold compliance step before anything else.
The federal PDPL (Federal Decree-Law No. 45 of 2021) governs mainland UAE entities and carries extraterritorial reach over foreign organizations processing personal data of UAE residents. It is administered by the UAE Data Office, established under Federal Decree-Law No. 44 of 2021. The PDPL entered force on January 2, 2022. Its formal executive regulations, which will supply detailed procedural rules, had not been published as of mid-2026. The UAE Data Office is operational and issuing guidance, and the parent statute is enforceable now.
The DIFC Data Protection Law No. 5 of 2020 governs entities incorporated or registered in the Dubai International Financial Centre, one of the UAE's premier financial free zones. The DIFC maintains its own independent legal system, its own courts, and its own regulator: the Commissioner of Data Protection. The DIFC law is closely aligned with the EU GDPR and was materially amended in July 2025. It also features a dedicated AI regulation framework under Regulation 10, enacted September 2023.
The ADGM Data Protection Regulations 2021 govern entities in the Abu Dhabi Global Market, Abu Dhabi's international financial free zone. The ADGM maintains its own Office of Data Protection headed by a Commissioner of Data Protection. The ADGM framework is likewise GDPR-aligned and was updated in September 2025 with new substantial-public-interest rules for special-category data.
These three regimes do not overlap for a given entity: a mainland entity is subject to the federal PDPL, a DIFC entity to the DIFC law, and an ADGM entity to the ADGM regulations. Multi-entity groups operating across zones may need to comply with more than one framework simultaneously, one per entity.
The Federal PDPL: Decree-Law No. 45 of 2021

Scope and Key Definitions
Federal Decree-Law No. 45 of 2021 is the UAE's first comprehensive national data protection law. It entered into force on January 2, 2022, following publication in the Official Gazette on September 27, 2021. The law applies to the processing of personal data by automated or partially automated means, and to non-automated processing forming part of a filing system.
Personal data means any information relating to an identified or identifiable natural person, including names, identification numbers, location data, online identifiers, and any factor specific to the physical, psychological, economic, cultural, or social identity of a person.
Sensitive personal data includes information revealing family background, ethnicity, political opinions, religious or philosophical beliefs, criminal records, biometric data, genetic data, health information, and sexual life. The PDPL does not impose a separate, higher standard for sensitive data processing beyond the general lawful-basis requirement, though large-scale processing of sensitive data is more likely to trigger the DPIA and DPO-appointment requirements described below.
The law carries explicit extraterritorial reach. Any organization outside the UAE that processes personal data of individuals in the UAE must comply, in a manner analogous to GDPR Article 3.
Notable exemptions from the PDPL:
- Personal data processed by public authorities for national security, judicial, or law enforcement purposes
- Personal data processed for purely personal use
- Health data already governed by Federal Law No. 2 of 2019 on ICT in healthcare
- Banking and credit data regulated under separate financial sector legislation
- Entities incorporated in the DIFC and ADGM, which maintain independent regimes
Lawful Bases for Processing
The PDPL requires a lawful basis for every processing activity. Consent is the primary default basis. Valid consent must be freely given, specific to the stated purpose, informed through clear disclosure, and expressed through an unambiguous affirmative act. Silence, pre-ticked boxes, and inactivity do not constitute valid consent. Data subjects may withdraw consent at any time; withdrawal does not affect the lawfulness of prior processing.
Processing without consent is lawful in the following circumstances, which broadly mirror GDPR Article 6:
- Protecting public interest or public health
- Legal claims, judicial proceedings, or security procedures
- Employment, social security, or social protection obligations
- Medical diagnosis, treatment, or health insurance purposes
- Performing or negotiating a contract with the data subject
- Complying with applicable UAE laws
- Protecting the vital interests of the data subject
- Scientific, historical, or statistical research purposes
- Processing data the subject has already made publicly available
Data Subject Rights Under the PDPL
The PDPL grants individuals nine distinct rights. Controllers must provide accessible channels for exercising these rights and must respond within a reasonable timeframe. The executive regulations, once published, will specify mandatory response periods.
- Right of access -- data subjects may request confirmation of whether their personal data is being processed and obtain copies.
- Right to rectification -- individuals can require correction of inaccurate, incomplete, or outdated personal data.
- Right to erasure -- data subjects may request deletion when personal data is no longer necessary for the purpose it was collected.
- Right to data portability -- individuals can receive their data in a structured, machine-readable format for transfer to another controller.
- Right to restrict processing -- data subjects can limit how their data is used, for example during a dispute over accuracy.
- Right to object -- individuals can oppose processing, including for direct marketing.
- Right against automated decision-making -- data subjects may refuse to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
- Right to withdraw consent -- individuals can revoke consent at any time without providing a reason.
- Right to complain -- data subjects can escalate violations directly to the UAE Data Office.
Data Protection Officer Appointment
A Data Protection Officer (DPO) is mandatory when:
- Processing involves a high risk of data security breach with serious potential consequences for data subjects
- Processing includes systematic and comprehensive assessment of sensitive personal data, including profiling and automated decision-making
- Large-scale processing of sensitive data categories occurs
The DPO must possess adequate knowledge of personal data protection law and practice. The role may be filled by an internal employee or an external appointee, and the DPO may be based inside or outside the UAE.
Data Protection Impact Assessments
A DPIA is required before commencing any high-risk processing activity. High-risk processing includes:
- Automated processing or profiling producing legal effects or significantly affecting individuals
- Processing large volumes of sensitive personal data
- Systematic monitoring of publicly accessible areas
Each DPIA must document the processing purpose, assess necessity and proportionality, evaluate risks, and propose mitigation measures. The DPO must be involved in every DPIA.
The PDPL Executive Regulations: Honest Status as of Mid-2026
Article 44 of the PDPL directed that executive regulations would be issued within six months of the law's publication. That deadline fell in approximately March 2022. As of May 2026, formal executive regulations have not been published as a discrete instrument in the UAE Official Gazette.
This is not a trivial gap. The executive regulations are the intended vehicle for specifying breach-notification timelines, cross-border transfer approval procedures, DPO qualification standards, and detailed enforcement procedures.
In practice, the UAE Data Office has issued operational guidance and signaled compliance expectations. A de facto 72-hour breach notification norm has emerged, consistent with DIFC and ADGM standards. The Chambers Data Protection and Privacy 2026 UAE chapter confirms that organizations should apply the PDPL's substantive obligations now. When the executive regulations are published, organizations will have a further six months to achieve full procedural compliance.
Breach Notification Under the Federal PDPL
Article 33 of the PDPL requires controllers to notify the UAE Data Office and affected data subjects when a personal data breach poses a risk to data subjects' rights. The breach notification must include:
- The nature and scope of the breach
- Categories and approximate number of affected data subjects
- Likely consequences of the breach
- Measures taken or proposed to address and mitigate harm
The UAE Data Office has communicated that "without undue delay" is interpreted as 72 hours from discovery, consistent with international norms. Organizations should treat 72 hours as the operative standard pending publication of the executive regulations.
Penalties Under the Federal PDPL
Violations of the PDPL carry financial penalties from AED 50,000 to AED 5 million (approximately USD 13,600 to USD 1.36 million at current exchange rates). The UAE Data Office determines penalty amounts based on the nature and severity of the violation, whether sensitive data or large volumes were involved, intent versus negligence, and prior compliance history.
The Data Office may also order suspension or restriction of processing activities. Additional criminal penalties apply under Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrimes for severe data-related offenses; unlawful disclosure of personal data can attract a fine of at least AED 20,000 and up to one year's imprisonment.
The UAE Data Office
The UAE Data Office was established under Federal Decree-Law No. 44 of 2021 as the national supervisory authority. The Office operates under the authority of the UAE Cabinet and is affiliated with the Ministry of Cabinet Affairs.
The UAE Data Office is charged with:
- Preparing data protection policies and secondary legislation
- Proposing and approving PDPL compliance standards
- Handling complaints and grievances from data subjects
- Issuing guidance and implementation instructions for the PDPL
- Conducting audits of controllers and processors
- Approving or rejecting cross-border data transfer arrangements
- Imposing financial penalties for violations
The Telecommunications and Digital Government Regulatory Authority (TDRA) has provided administrative support to the Data Office during its establishment phase under Article 9 of Law No. 44/2021. As of mid-2026, the Data Office has shifted from an awareness and outreach phase toward active enforcement. The Chambers 2026 guide characterizes the period as a transition toward stricter enforcement as the executive regulations timeline is resolved.
The DIFC Data Protection Law No. 5 of 2020

Overview and Scope
The Dubai International Financial Centre enacted Data Protection Law No. 5 of 2020, entering into force on July 1, 2020, with enforcement commencing October 1, 2020. It replaced DIFC Data Protection Law No. 1 of 2007. The DIFC law is among the most GDPR-aligned data protection frameworks outside the European Union.
The DIFC law applies to:
- Any controller or processor incorporated or registered in the DIFC
- Any entity that processes personal data within the DIFC on a regular basis, regardless of place of incorporation
The DIFC Commissioner of Data Protection is the independent regulator with full enforcement powers within the financial centre.
DIFC Regulation 10: AI and Autonomous Systems
One of the most distinctive features of the DIFC's framework is Regulation 10, enacted on September 1, 2023, as part of the DIFC Data Protection Regulations. Regulation 10 addresses the processing of personal data through autonomous and semi-autonomous systems, making the DIFC one of the first Gulf jurisdictions to enact dedicated AI-data-protection rules.
Definition. An "autonomous system" is any machine-based system that operates autonomously or semi-autonomously, can process personal data for human-defined purposes or for purposes the system defines within human-set parameters, and generates outputs on that basis. This captures contemporary AI and machine-learning systems used in automated decision-making, profiling, and AI-driven services.
Roles. Two distinct roles are established:
- A Deployer is a person under whose authority or for whose benefit the system operates, or who benefits from its output; the deployer is deemed the controller for regulatory purposes.
- An Operator is a person who operates or maintains the system on behalf of the deployer.
Autonomous Systems Officer. For AI systems used commercially in high-risk processing contexts, the Deployer or Operator must appoint an Autonomous Systems Officer (ASO). The ASO must possess substantially similar status, competencies, and tasks to a Data Protection Officer: governance oversight, conducting DPIAs for AI systems, risk review with senior management, and accountability recommendations.
Certification requirement. Commercial use of autonomous systems for high-risk processing is prohibited unless:
- The DIFC Commissioner has established audit and certification requirements for the relevant system category
- The system is compliant with all such requirements
- The system processes personal data solely for human-defined or human-approved purposes
- An ASO has been appointed
The DIFC has launched the Regulation 10 Accelerator program as a sandbox where AI systems can be tested against privacy-by-design principles before commercial deployment.
2025 Amendments: Amendment Law No. 1 of 2025
Amendment Law No. 1 of 2025 came into force on July 15, 2025. It introduced four material changes:
Private right of action. For the first time, data subjects who suffer damage from a contravention of the DIFC Data Protection Law can bring direct claims in the DIFC Courts without first going through the Commissioner. Data subjects are entitled to compensation for both financial and non-financial losses, including distress. This significantly increases litigation exposure for DIFC-based organizations.
Expanded extraterritorial scope. The amendments apply the DIFC law to all data processing within the DIFC, regardless of whether controllers, processors, or sub-processors are incorporated or physically present there. Prior to this change, entities without a formal DIFC presence could argue non-applicability even when processing occurred within the zone.
Reversed burden of proof. Controllers and processors must now demonstrate they were not responsible for damage-causing incidents. The burden no longer falls on the data subject to prove the organization's fault. This follows the GDPR Article 82 approach.
Updated transfer assessment requirements. Organizations must conduct and document an assessment confirming that data subjects will benefit from adequate legal protections and effective remedies in the recipient jurisdiction. The Commissioner retains the power to review and withdraw adequacy determinations.
DIFC Penalties (Post-2025 Amendment)
| Violation | Maximum Fine |
|---|---|
| Breach of data subject statutory rights | USD 100,000 |
| Failure to conduct required DPIA | USD 50,000 |
| Breach of data-sharing rules with public authorities | USD 50,000 |
| Failure to notify Commissioner of DPO assessment | USD 25,000 |
| General administrative violations | USD 25,000 to USD 50,000 |
The DPIA violation fine increased from USD 20,000 to USD 50,000 following the 2025 amendments, reflecting the Commissioner's view of DPIAs as a core accountability mechanism.
DIFC Breach Notification
Controllers in the DIFC must notify the Commissioner of Data Protection within 72 hours of becoming aware of a personal data breach. Affected data subjects must be notified when the breach poses a significant risk to their rights. Breach reports must include the nature of the breach, categories and numbers of affected data subjects, likely consequences, and remedial measures.
DIFC Cross-Border Transfers
The DIFC maintains an adequacy list (Appendix 3 of the Data Protection Regulations) identifying jurisdictions to which transfers can proceed without additional safeguards. The current list includes EU and EEA member states, the United Kingdom, Switzerland, Japan, South Korea, and California (USA, added following a CCPA adequacy decision in August 2023).
For transfers to non-adequate jurisdictions, the DIFC Commissioner has published Standard Contractual Clauses (SCCs), including abbreviated versions for smaller transfers. Binding Corporate Rules (BCRs) are accepted for intragroup transfers. Following the 2025 amendments, organizations must document a formal adequacy assessment before relying on SCCs or other transfer mechanisms.
One critical point: mainland UAE is not on the DIFC adequacy list. A DIFC entity sending personal data to a mainland UAE entity must implement SCCs or BCRs, just as it would for a transfer to a non-adequate third country.
ADGM Data Protection Regulations 2021

Overview and Scope
The Abu Dhabi Global Market enacted its Data Protection Regulations 2021 on February 14, 2021, replacing the earlier Data Protection Regulations 2015. The 2021 regulations align closely with the GDPR and represent one of the most comprehensive data protection frameworks in the Gulf region.
For entities incorporated in the ADGM on or after February 14, 2021, the regulations applied from August 14, 2021. Existing entities had a transition period expiring February 14, 2022.
The ADGM Office of Data Protection
The ADGM Office of Data Protection is headed by an independent Commissioner. The Commissioner's enforcement powers include:
- Reviewing personal data processed by data handlers and processors
- Collecting information during investigations
- Issuing directions, warnings, and compliance orders
- Imposing financial penalties
- Revoking compliance certifications
The Commissioner investigates each case and offense separately, supporting individualized, proportionate enforcement.
Data Subject Rights Under the ADGM Regulations
The ADGM regulations provide a rights framework closely mirroring the GDPR:
- Right of access (confirmation and copies)
- Right to rectification of inaccurate or incomplete data
- Right to erasure under defined conditions
- Right to data portability
- Right to object to processing, including direct marketing
- Right to restriction of processing during disputes
- Right against automated decision-making and profiling
- Right to prior information before data is disclosed to third parties
Controllers must respond to rights requests within two calendar months, with a possible one-month extension for complex cases.
ADGM Substantial Public Interest Conditions Rules 2025
On September 9, 2025, the ADGM Registration Authority enacted the Data Protection Regulations (Substantial Public Interest Conditions) Rules 2025, following Consultation Paper No. 6 of 2025 published in June 2025. The Rules address two gaps, identified in the consultation, in the existing substantial public interest grounds under Schedule 1 of the Regulations.
Insurance processing. A new condition permits processing of special-category personal data without consent where processing is necessary for an "insurance purpose" (defined broadly to cover advice, underwriting, claims handling, fraud investigation, and reinsurance) and is necessary for reasons of substantial public interest.
Child and vulnerable-person safeguarding. Special-category processing without consent is also permitted for safeguarding purposes where the individual is under 18, or is an adult whom the controller has reasonable cause to suspect is experiencing or at risk of neglect or physical, mental, or emotional harm and is unable to protect themselves as a result.
Both conditions require the processing to be of special-category personal data and to be necessary for substantial public interest reasons. These changes align the ADGM framework with analogous provisions in the UK GDPR's Schedule 1 conditions.
ADGM Breach Notification
Controllers must notify the ADGM Commissioner within 72 hours of becoming aware of a data breach. Data subjects must be notified promptly when the breach creates a significant risk to their rights.
ADGM Penalties
The ADGM regulations carry the heaviest penalties of any UAE data protection regime. The maximum fine is USD 28 million per offense. The Commissioner determines amounts based on: the nature and gravity of the violation; the number of affected data subjects; the level of cooperation demonstrated; and prior enforcement history.
ADGM Cross-Border Transfers
The ADGM recognizes EU Commission adequacy decisions and the DIFC as adequate jurisdictions. Transfers to non-adequate jurisdictions require appropriate safeguards including BCRs, SCCs, or other Commissioner-approved mechanisms. Like the DIFC, the ADGM does not recognize mainland UAE as an adequate jurisdiction; ADGM-to-mainland transfers require contractual safeguards.
Sectoral Data Protection Laws
Healthcare Data: Federal Law No. 2 of 2019 on ICT in Health Fields
Federal Law No. 2 of 2019 on the Use of Information and Communication Technology in Health Fields imposes a strict data localization obligation for electronic health data. Article 13 prohibits the transfer, storage, generation, or processing of health information outside the UAE as a default rule. Electronic health records must be stored on servers physically located within the UAE.
Ministerial Resolution No. 51 of 2021 introduced ten exceptions, permitting cross-border health data transfers in circumstances including:
- Overseas medical treatment for a UAE patient
- Pharmacovigilance reporting
- Scientific and clinical research
- Administration of international insurance claims
- Processing associated with wearables and healthcare monitoring devices
Non-compliance with the localization requirement carries fines of between AED 500,000 and AED 700,000 (approximately USD 136,000 to USD 190,500).
The PDPL expressly carves out health data governed by Federal Law No. 2 of 2019, meaning that a UAE hospital processing electronic health records follows the sector-specific law rather than the PDPL for those records.
Child Digital Safety: Federal Decree-Law No. 26 of 2025
Federal Decree-Law No. 26 of 2025 on Child Digital Safety (the CDS Law) was issued on October 1, 2025, and entered into force on January 1, 2026. Full enforcement begins January 1, 2027, giving in-scope entities a one-year compliance grace period.
The CDS Law applies to digital platforms and internet service providers operating within the UAE or directed at UAE users, including websites, search engines, social media platforms, messaging platforms, online gaming services, video streaming services, and e-commerce platforms. Foreign platforms directed at UAE-based users are within scope.
Key data protection obligations under the CDS Law:
- Digital platforms are prohibited from collecting, processing, publishing, or sharing personal data of children under 13 without explicit, documented, and verifiable parental consent.
- Platforms must provide mechanisms for easy withdrawal of parental consent.
- Access to children's personal data must be restricted to authorized personnel on a data-minimization basis.
- Behavioral profiling and targeted advertising directed at children under 13 are expressly prohibited.
- Default high-privacy settings must be applied for child users.
- Age verification mechanisms proportionate to service risk must be implemented.
The law establishes a Child Digital Safety Council, chaired by the Minister of Family, as the coordinating body for policy and strategy.
How to Determine Which Regime Applies
| Organization Type | Applicable Regime |
|---|---|
| Incorporated in mainland UAE | Federal PDPL (Decree-Law No. 45/2021) |
| Incorporated in the DIFC | DIFC Data Protection Law No. 5/2020 (as amended 2025) |
| Incorporated in the ADGM | ADGM Data Protection Regulations 2021 |
| Foreign entity processing UAE residents' data | Federal PDPL (extraterritorial scope) |
| Multi-entity group spanning mainland and DIFC | Federal PDPL and DIFC law apply to respective entities |
| Healthcare provider in mainland UAE | Federal Law No. 2/2019 for health data; PDPL for other personal data |
| Digital platform with UAE-based child users | Federal Decree-Law No. 26/2025 on Child Digital Safety (from January 2026) |
Watch out: A company incorporated in the DIFC that sends customer data to its mainland UAE parent must treat that as a cross-border transfer requiring SCCs or BCRs. Mainland UAE does not appear on the DIFC adequacy list. The same rule applies to ADGM-to-mainland transfers.
Cross-Border Transfer Rules: Full Comparison
Cross-border data transfers are the most operationally complex aspect of UAE data protection compliance because each regime handles them differently, and the intra-UAE transfer problem compounds the challenge.
Federal PDPL
Article 22 permits transfers to countries the UAE Data Office determines provide adequate protection. Article 23 permits transfers to non-adequate countries through binding contracts imposing PDPL-equivalent protections, express data subject consent, court necessity, contract performance, international judicial cooperation, or public interest grounds.
As of mid-2026, no federal adequacy list and no official SCCs have been published by the UAE Data Office. Organizations transferring data from mainland UAE should use contractual safeguards modeled on international standards while documenting the legal basis for each transfer category.
DIFC
The DIFC maintains a published adequacy list covering EU/EEA states, the UK, Switzerland, Japan, South Korea, and California. The Commissioner publishes SCCs, including abbreviated versions for smaller transfers. Following the July 2025 amendments, organizations must document a formal adequacy assessment before relying on these mechanisms.
ADGM
The ADGM recognizes EU Commission adequacy decisions and the DIFC as adequate. BCRs, SCCs, and other Commissioner-approved mechanisms are available for non-adequate jurisdiction transfers.
The Intra-UAE Transfer Problem
Transfers between different UAE zones are treated as cross-border transfers for DIFC and ADGM purposes because mainland UAE does not appear on either adequacy list. A DIFC entity sending personal data to a mainland UAE entity needs SCCs or BCRs. An ADGM entity sending data to a DIFC entity relies on the DIFC's adequate status. An ADGM entity sending data to a mainland UAE entity needs SCCs or BCRs.
Organizations should map all intra-UAE data flows as if they are international transfers and implement appropriate safeguards for each flow.
Comparing the Three UAE Data Protection Regimes
| Feature | Federal PDPL | DIFC Law No. 5/2020 | ADGM DPR 2021 |
|---|---|---|---|
| In force since | January 2, 2022 | July 1, 2020 | August 14, 2021 |
| Regulator | UAE Data Office | DIFC Commissioner of Data Protection | ADGM Commissioner of Data Protection |
| GDPR alignment | Moderate | High | High |
| Executive regulations | Pending (as of mid-2026) | Published | Published |
| Maximum administrative fine | AED 5M (~USD 1.36M) | USD 100,000 per violation | USD 28M per offense |
| Breach notification deadline | 72 hours (Data Office guidance) | 72 hours (statutory) | 72 hours (statutory) |
| Private right of action | Not established | Yes (since July 2025) | Not established |
| Extraterritorial scope | Yes | Yes (expanded July 2025) | Yes |
| AI-specific regulation | None currently | Regulation 10 (since Sept 2023) | None currently |
| Response time for rights requests | Reasonable (unspecified) | 1 month (extendable) | 2 months (extendable) |
Recent Developments (2023-2026)
September 2023 (DIFC): Regulation 10 enacted, establishing the Autonomous Systems Officer role and a certification framework for commercial AI systems that process personal data. The DIFC Regulation 10 Accelerator program launched as a compliance sandbox.
July 2025 (DIFC): Amendment Law No. 1 of 2025 entered force, introducing the private right of action in DIFC Courts, reversed burden of proof for breach claims, expanded extraterritorial scope, and mandatory documented adequacy assessments for cross-border transfers.
September 2025 (ADGM): The ADGM enacted the Data Protection Regulations (Substantial Public Interest Conditions) Rules 2025, introducing specific grounds for processing special-category data in insurance and child-safeguarding contexts without consent.
January 2026 (Federal): Federal Decree-Law No. 26 of 2025 on Child Digital Safety entered force. Full enforcement commences January 2027. Digital platforms must implement age verification, parental consent workflows for under-13 users, and behavioral advertising prohibitions for children.
Mid-2026 (Federal): The UAE Data Office continues to issue operational guidance and build enforcement capacity. The PDPL's formal executive regulations remain unpublished. The operative breach notification standard is 72 hours. The Chambers & Partners Data Protection and Privacy 2026 UAE chapter characterizes this period as a transition toward stricter enforcement across all three regimes.
Business Compliance: Nine-Step Roadmap
Step 1: Map jurisdictions. Identify which regime applies to each legal entity. Document whether any entity operates across multiple zones and therefore faces overlapping obligations.
Step 2: Conduct a data inventory. Map all personal data processed, including health data (triggering the ICT Health Law) and children's data (triggering the Child Digital Safety Law from 2026).
Step 3: Appoint a DPO. Under all three regimes, DPO appointment is required for large-scale or high-risk processing. DIFC entities running AI systems commercially for high-risk processing must also appoint an ASO under Regulation 10.
Step 4: Complete DPIAs for high-risk processing. Every high-risk processing activity requires a completed DPIA on file before commencing. This includes large-scale sensitive-data processing, systematic profiling, and systematic monitoring.
Step 5: Map cross-border and intra-UAE data flows. Identify every transfer outside your entity's home zone. Implement SCCs, BCRs, or adequacy-based safeguards for each. Document the legal basis used. DIFC-to-mainland and ADGM-to-mainland are not adequate-jurisdiction transfers.
Step 6: Implement 72-hour breach notification capability. Build systems capable of detecting, containing, and reporting a breach within 72 hours across DIFC and ADGM operations. Apply the same standard for federal PDPL operations based on current Data Office guidance.
Step 7: Establish data subject rights channels. Provide accessible channels for access, rectification, erasure, portability, objection, and complaint. Comply with the specific response timelines under each applicable regime.
Step 8: Prepare for the Child Digital Safety Law. Digital platforms accessible to UAE-based users, whether incorporated in the UAE or not, should implement age verification, parental consent workflows, and behavioral advertising prohibitions for under-13 users before the January 2027 enforcement deadline.
Step 9: Monitor regulatory developments. The federal executive regulations, when published, will reset the six-month compliance clock. Track updates from the UAE Data Office (u.ae), the DIFC Commissioner of Data Protection (difc.com), and the ADGM Office of Data Protection (adgm.com).
Disclaimer
This article presents general legal information about data protection law in the United Arab Emirates, covering the federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the DIFC Data Protection Law No. 5 of 2020 and its 2025 amendments, the ADGM Data Protection Regulations 2021 and the 2025 Substantial Public Interest Conditions Rules, Federal Law No. 2 of 2019 on ICT in health fields, and Federal Decree-Law No. 26 of 2025 on Child Digital Safety. Information was verified as of May 19, 2026. Laws and regulations change; confirm currency before acting. This article does not constitute legal advice. Readers should consult a lawyer licensed and qualified to practice in the relevant UAE jurisdiction for advice specific to their situation.
Frequently Asked Questions
Which UAE data protection law applies to my business?
The answer depends on where your entity is registered. Companies incorporated in mainland UAE fall under the federal PDPL (Federal Decree-Law No. 45 of 2021). Companies registered in the Dubai International Financial Centre follow the DIFC Data Protection Law No. 5 of 2020. Companies in the Abu Dhabi Global Market follow the ADGM Data Protection Regulations 2021. Foreign organizations that process personal data of individuals in the UAE must comply with the federal PDPL regardless of their own location.
Have the UAE PDPL executive regulations been published?
No. As of mid-2026, the formal executive regulations for Federal Decree-Law No. 45 of 2021 have not been published in the UAE Official Gazette as a discrete instrument, despite being originally due approximately six months after the law's passage in 2021. The PDPL itself remains fully in force and enforceable. The UAE Data Office has issued operational guidance in their absence, including a de facto 72-hour breach notification standard. When the regulations are published, organizations will have a further six months to achieve full procedural compliance.
What are the penalties for violating UAE data protection laws?
Penalties vary across the three regimes. The federal PDPL imposes administrative fines of AED 50,000 to AED 5 million (approximately USD 13,600 to USD 1.36 million). The DIFC Data Protection Law imposes violation-specific fines up to USD 100,000 per violation, and data subjects can now sue directly in DIFC Courts under the 2025 amendments. The ADGM Data Protection Regulations carry the region's heaviest fines at up to USD 28 million per offense. Criminal penalties under Federal Decree-Law No. 34 of 2021 on Cybercrime may also apply to unlawful data disclosure.
Can I transfer personal data from a DIFC entity to my mainland UAE office?
Not without safeguards. Mainland UAE does not appear on the DIFC adequacy list. Transferring personal data from a DIFC entity to a mainland UAE entity requires standard contractual clauses (SCCs) published by the DIFC Commissioner, binding corporate rules for intragroup transfers, or another Commissioner-approved mechanism. Since the July 2025 amendments, organizations must also document a formal adequacy assessment before relying on these safeguards. The same applies to ADGM-to-mainland transfers.
What does DIFC Regulation 10 require for AI systems?
Regulation 10, enacted September 2023, requires organizations using autonomous or semi-autonomous AI systems commercially for high-risk processing in the DIFC to: appoint an Autonomous Systems Officer (ASO) with competencies equivalent to a Data Protection Officer; obtain certification under a scheme established by the DIFC Commissioner of Data Protection; ensure the system processes personal data solely for human-defined or human-approved purposes; and conduct regular DPIAs for AI processing activities. The DIFC launched the Regulation 10 Accelerator program as a regulatory sandbox for testing AI systems before commercial deployment.
What does the UAE Child Digital Safety Law require for data protection?
Federal Decree-Law No. 26 of 2025, in force from January 1, 2026, with full enforcement from January 2027, prohibits digital platforms from collecting, processing, publishing, or sharing personal data of children under 13 without explicit, documented, and verifiable parental consent. Platforms must apply default high-privacy settings for child users, implement proportionate age verification, restrict access to children's data to authorized personnel, and prohibit behavioral profiling and targeted advertising directed at children. The law applies to both UAE-based platforms and foreign platforms directed at UAE users.
Does UAE health data follow the PDPL or a separate law?
A separate sector-specific law applies to electronic health data on the mainland. Federal Law No. 2 of 2019 on the Use of ICT in Health Fields requires health information to be stored on servers physically in the UAE. Cross-border transfers are prohibited except in ten categories set out in Ministerial Resolution No. 51 of 2021, including overseas treatment, pharmacovigilance, and clinical research. Non-compliance carries fines of AED 500,000 to AED 700,000. The PDPL expressly carves out health data already governed by Federal Law No. 2 of 2019.
What did the ADGM Substantial Public Interest Conditions Rules 2025 change?
The Rules, enacted September 9, 2025, introduce two new conditions for processing special-category personal data without consent under the substantial public interest ground in the ADGM. The first covers processing for insurance and reinsurance purposes, including advice, underwriting, claims handling, and fraud investigation. The second covers processing for safeguarding children under 18 and vulnerable adults who are at risk of harm and unable to protect themselves. Both conditions require that the data be special-category personal data and that the processing be necessary for reasons of substantial public interest.
What is the data breach notification deadline in the UAE?
The DIFC Data Protection Law and the ADGM Data Protection Regulations both require notification to the relevant regulator within 72 hours of becoming aware of a personal data breach. The federal PDPL requires notification without undue delay; the UAE Data Office has communicated that 72 hours is the operative standard, though the formal executive regulations specifying this deadline have not yet been published. Organizations should apply 72 hours as the working standard across all three regimes.
Sources and References
- Federal Decree-Law No. 45 of 2021 on Protection of Personal Data — UAE Legislation Portal (uaelegislation.gov.ae)
- Data Protection Laws — Official UAE Government Platform (u.ae)
- DIFC Data Protection Law No. 5 of 2020 — Dubai International Financial Centre (difc.com)
- Regulation 10 — Processing Personal Data through Autonomous and Semi-Autonomous Systems — DIFC (difc.com)
- Data Export and Sharing — DIFC Commissioner of Data Protection (difc.com)
- ADGM Office of Data Protection — Guidance and Regulations (adgm.com)
- ADGM Data Protection Regulations 2021 — Full Text (assets.adgm.com)
- ADGM Consultation Paper No. 6 of 2025 — Substantial Public Interest Conditions Rules (assets.adgm.com)
- Federal Law No. 2 of 2019 on Use of ICT in Health Fields — UAE Legislation Portal (uaelegislation.gov.ae)
- Federal Decree-Law No. 26 of 2025 on Child Digital Safety — UAE Legislation Portal (uaelegislation.gov.ae)
- United Arab Emirates Cross-Border Data Flows — U.S. International Trade Administration (trade.gov)
- DIFC Enacts Amendments to Data Protection Law — Bird & Bird (twobirds.com)
- UAE Issues Landmark Child Digital Safety Law — Clyde & Co (clydeco.com)
- ADGM Implements New Substantial Public Interest Rules 2025 — Clyde & Co (clydeco.com)
- AI Regulation in the DIFC: Autonomous and Semi-Autonomous Systems — Mayer Brown (mayerbrown.com)
- Data Protection and Privacy 2026: UAE — Chambers Global Practice Guides (practiceguides.chambers.com)
- DIFC Data Protection Law Update Increases Claims Risk — Pinsent Masons (pinsentmasons.com)
- Data Protection and Privacy Landscape in the Middle East — Clyde & Co (clydeco.com)