Cyber crime legislation in the UAE

January 2022  |  EXPERT BRIEFING  | RISK MANAGEMENT

financierworldwide.com

 

Information technology has begun to power almost every aspect of modern life, be it communication, commerce, law, economy or business development. The rapid evolution of cyber crime has required companies to institute robust data protection policies.

As the United Arab Emirates (UAE) has shown itself to be an emerging leader in the Middle East in the markets of e-commerce, telecommunication and digitalising private information, there is an urgent need to implement cyber security measures. Under the auspices of communications privacy as a principle already established by the UAE Constitution of 1971, the legislator felt the need to allocate a special law that provides for the protection of private communication and, more specifically, criminalises the violation of such privacy. Since the issuance of the Old Cybercrimes Law No. 2 of 2006, the introduction of new means of communication, and more importantly, new means of committing cyber crimes, has required an unavoidable evolution in outlining the types of criminalised actions, and related sanctions.

The evolution of cyber crime legislation

Although the UAE has issued a Federal Telecommunication Law, it focused mainly on establishing a Telecommunications Regulatory Authority (TRA), regulating the activities of telecommunication companies, and requiring licences for acquiring and operating communication equipment.

Prior to the issuance of the Old Cybercrimes Law, several pieces of federal legislation were enacted in relation to the technology sector. Examples include Federal Law No. 1 of 2006 On Electronic Commerce and Transactions, Federal Law No. 3 of 2003 Regarding the Organisation of Telecommunications Sector as Amended, Decree No. 3 of 2004 Issuing the Executive Regulations of Federal Law No. 3 of 2003 Regarding the Organisation of Telecommunication Sector, the Decision of the Supreme Committee for the Supervision of the Telecommunications Sector No. 3 of 2004, General Policy for the Telecommunications Sector in the United Arab Emirates 2006 – 2010, and Ministerial Decree No. 1 of 2008 Regarding the Issuance of Certification Service Provider Regulations, among others. However, none of these pieces of legislation practically foresaw, let alone penalised, any criminal action that would be committed using information technology or the internet – what would become known as cyber crime.

Neither the Old Cybercrimes Law nor the New Cybercrimes Law No. 5 of 2012 offers a specific definition of cyber crime. In general, any criminal activity committed or facilitated via the internet is a cyber crime. Criminal actions deemed as cyber crimes can range from illegitimate emails to theft of public or private information or sensitive corporate data through remote devices around the world.

Introduction of the New Cybercrimes Law

Replacing the Old Cybercrimes Law, the New Cybercrimes Law provides for a range of new offences, including offences intended to address the UAE’s obligations pursuant to international treaties. It criminalises eavesdropping, transmitting and disclosing communications, including audio and visual material, taking photographs of others and copying, saving or publishing them, and publishing news, comments, statements and private information even if they are authentic. It is also notable that a few criminalised actions remain the same across both the New Cybercrimes Law and the Old Cybercrimes Law, albeit with more specific, and notably more substantial, penalties.

From expanding on the definition and examples of criminal actions previously set forth in the Old Cybercrimes Law and rigidly increasing their associated penalties, to introducing several new categories of actions that warrant criminal sanctions, the New Cybercrimes Law shows significant adaptation to the rapidly progressing ‘market’ of electronic criminal activities.

This evolution and adaptation can be observed in how the New Cybercrimes Law expands the definition of actions, such as unauthorised access to a website or a computer network and, consequently, varies the resulting penalties based on elements such as intention of the action, the type of illegally acquired information and the results of such an action. Another example of expansion is shown in how the New Cybercrimes Law goes into the various types of sensitive private medical information susceptible of theft or disclosure, and the penalties resulting from attempting to attack such information.

The New Cybercrimes Law also notably expands on the categories of sensitive information related to credit cards, bank accounts or electronic payment details, as well as the means of accessing such information. It prohibits illegal access to credit cards or bank account information using a computer network or an electronic information system or any information technology means. Its article 12 punishes such a crime with imprisonment and/or a fine. It also further dives into variants of such crimes and categorises the attributed sanctions according to the intention of the perpetrator and the end result. For example, the mere intention of using credit card or bank account information to take over the funds of others or to benefit from the services which they provide is punishable by imprisonment for no less than a six-month period and/or a fine ranging between a minimum of AED100,000 and a maximum of AED300,000. Article 12 gradually escalates the sanction as the crime itself escalates, increasing the punishment to imprisonment for no less than one year and/or a fine between a minimum of AED200,000 and AED1m if the crime results in the takeover of the funds of others. Finally, Article 13 of the law goes further to criminalise actions related to forgery of credit cards with a punishment of imprisonment and/or a fine ranging between a minimum of AED500,000 and a maximum of AED2m.

Adding to the criminal actions already listed in Article 6 of the Old Cybercrimes Law, its counterpart, Article 10 of the New Cybercrimes Law, sets a punishment of imprisonment and/or a fine for any action of spamming an email that leads to its malfunctioning, deactivation or the destruction of its content, while also expanding on the definition and the sanctions of the already existing punishable crime of unauthorised access to specific information system software. The article punishes the use of unauthorised software to access a computer network or an electronic information system, leading to its malfunctioning, crashing, deletion, destruction or alteration, by imprisonment for a period of no less than five years and/or a fine ranging between a minimum of AED500,000 and a maximum of AED3m.

Exploring its international application, Article 42 of the law ‘double punishes’ any foreigner who commits any of the crimes set forth in its articles by the sanction attributed to the committed crime, followed by immediate deportation. Moreover, Article 47 extends the application, as well as the jurisdiction, of the law to crimes committed outside of the UAE if the subject of the crime is a computer network, information system or a website belonging to the UAE federal government or the local governments or authorities of any of the Emirates of the State.

The UAE has undoubtedly embraced the notion that technology has a crucial role to play in virtually every aspect of private or public life; as such, the articles of the New Cybercrimes Law clearly show the attempt to predict and deter every possible crime that can be committed using technology. To that end, the law extends its application to cover fields such as gambling, defamation, contempt of religion, human trafficking, weapons trade, state security, unlicensed donation collection, promotion of demonstrations, the trade of antiquities and the narcotics trade; all of which are punishable under the provisions of the law if they are committed using any electronic means as defined and covered by article 1.

Notwithstanding any of the above, it is only the practical application of the law that will show its effectiveness and, more importantly, as in the case of any piece of legislation, its shortcomings.

Practical application of cyber crime legislation

While many Middle Eastern countries have taken steps toward enacting legislation penalising cyber crimes, many jurisdictions have found the application thereof to be more challenging than originally anticipated. Penalising criminal activities committed through technological means depends enormously on each country’s own technological evolution. Simply put, you cannot fight technology-based crime if you do not possess technology.

The UAE authorities have shown persistence in applying the letter of the law and sanctioning any crime committed through technology, regardless of the level of its urgency, its significance in the eyes of the media or a layperson’s perspective. In fact, as the law is currently being, and will continue to be, rigidly and strictly applied, relatively small cases have been discussed within the media as an example of how keen UAE authorities are to prevent any damage being inflicted through technology, and particularly through social media platforms.

For example, on 27 September 2016, the Abu Dhabi police reportedly arrested three men caught for allegedly dealing in drugs on social media, concealing their identity. In another incident, an Australian woman was sentenced to imprisonment in July 2012, and later deported, over a Facebook post, after she was convicted of “using offensive words on social media”, following a complaint filed before the Abu Dhabi Police. Also, a Dubai football coach, accused of cyber-blackmailing a boy using social media platforms, was sentenced to three years in prison by the court, which also ordered his deportation after completing his sentence.

Conclusion

The UAE, and the Emirate of Dubai in particular, has adopted a pattern of strict application when it comes to sanctioning any criminal action that would be classified as a cyber crime, from offensive social media posts to drug trafficking, blackmailing and sexual abuse. The establishment of authorities and outlets such as the Smart Police Station in 2021 has demonstrated not only the UAE authorities’ intention of continuing to monitor and sanction cyber crimes, but also the realisation that such crimes, due to their special nature and because the related evidence is prone to destruction, must be reported, dealt with and sanctioned as quickly and effectively as possible.

So far, the effectiveness of the legislation combatting cyber crime has shown little, if any, of its anticipated shortcomings. However, it is widely agreed that a law is only as flawed as the methods of the authorities carrying out its application. The UAE has shown that its fast adaptation to the evolution of cyber crimes will help maintain the integrity of the sanctions and penalties set forth in the provisions of the cyber crimes law.

 

Mohamed El Sherbini is an associate at Horizons & Co. He can be contacted on +9714 354 4444 or by email: mohamed.elsherbini@horizlaw.ae.

© Financier Worldwide

