UAE PDPL Is More Dangerous Than It Seems: 3 Privacy Risks for Business

Natalia Anisimova

CIPP/E, AIGP, consultant at Data Privacy Office.

For those in a hurry

UAE PDPL — the first federal data protection law in the UAE — is formally modern, but its practical applicability is limited: implementing regulations are absent, enforcement practice is undeveloped, and the boundaries of government access to personal data remain undefined.

🔹 Cross-border data transfers operate in a “grey zone”: there is no list of “adequate” jurisdictions, no approved SCCs, and no EU adequacy decision for the UAE. As a result, any data transfer requires additional contractual safeguards.

🔹 Broad exemptions for government authorities without procedural safeguards create real risk during a Transfer Impact Assessment (TIA) by European partners and when processing sensitive categories of personal data.

🔹 Legal uncertainty is compounded by fragmentation: three parallel regimes (federal PDPL, DIFC, ADGM) may require triple compliance.

🔹 The absence of visible enforcement today does not mean it will be absent tomorrow — GDPR experience shows that regulators typically begin with high-profile cases.

🔹 After reading this article, you will be able to assess the vulnerabilities of your compliance programme against each of the three risks and build a prioritised action plan.

What’s next: Explore the details of each risk in the corresponding sections of the article, particularly on cross-border transfer restrictions and government access. It is also worth examining the applicability of the DIFC and ADGM regimes.

UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) entered into force on 2 January 2022 and became the first comprehensive federal data protection act applicable to mainland UAE.

At first glance, UAE PDPL seems familiar: basic processing principles, a number of familiar legal bases, similar data subject rights, and obligations to notify security incidents. On closer inspection, however, the familiar contours begin to blur. Behind the conceptually modern text of the law lies a fundamentally different institutional context: immature enforcement practice, the absence of implementing regulations, and significant exemptions for government authorities. It is precisely these features that give rise to risks capable of turning formally sound compliance into a source of real problems.

In this article, we examine three key practical risks arising from the current state of UAE PDPL and offer specific recommendations for each.

Most Likely Risk Scenarios: At a Glance

Risk: Cross-border transfer restrictions
Key factor: No list of countries with an adequate level of protection, no approved SCCs, no EU adequacy decision for the UAE
Business impact: Dual burden of protective safeguards, operational uncertainty, increased compliance costs

Risk: Broad government access
Key factor: Exemption for government, security and judicial authorities; Federal Decree-Law No. 34 of 2021 on Countering Rumours and Cybercrimes; no procedural safeguards
Business impact: Risk of personal data disclosure, negative factor in a TIA, reputational risks

Risk: Legal uncertainty
Key factor: No Executive Regulations, no enforcement practice, three parallel regimes
Business impact: Inability to calibrate the compliance programme, risk of a sudden enforcement shift, triple compliance

Understand the basics of UAE PDPL

In that article we look at the Emirates’ privacy regulation, which has undergone significant changes over the past years: its history, main requirements and penalties for violations.

Risk of Cross-Border Transfer Restrictions and Complicated Data Flows

Regulatory Framework and Its Current State

Articles 22 and 23 of UAE PDPL govern the transfer of personal data outside the UAE. The mechanism broadly mirrors the GDPR architecture: transfer is permitted to countries with an “adequate level of protection” approved by the UAE Data Office, or where appropriate safeguards are in place — standard contractual clauses (SCCs), binding corporate rules (BCRs), or other contractual instruments. Article 23 also stipulates a number of exceptions, including transfer based on data subject consent or for the purposes of contract performance.

In practice, however, this mechanism does not operate in full. As of May 2026, the UAE Data Office has not published a list of countries with an “adequate level of protection”: no jurisdiction has been formally recognised as “adequate”. By comparison, the European Commission has adopted adequacy decisions for more than a dozen countries, including Japan, South Korea, Canada, and the United Kingdom. Standard contractual clauses have not been approved at the UAE federal level either, leaving businesses to rely on contractual safeguards modelled on international templates without any official regulatory endorsement. The Executive Regulations intended to specify the rules on cross-border transfers have still not been adopted, four years after UAE PDPL entered into force.

The Mirror Problem: The European Union’s Position

A separate and critically important risk is the absence of a European Commission adequacy decision for the UAE. Its practical consequence is that the transfer of personal data from the EU to the UAE cannot rely on the simplified adequacy regime. European counterparties must use the EU SCCs and conduct a Transfer Impact Assessment (TIA) in line with EDPB Recommendations 01/2020 on supplementary measures. When carrying out a TIA, they will inevitably encounter factors that reduce the assessed level of protection: broad exemptions for government authorities, questions about the institutional independence of the supervisory authority, and the absence of mature enforcement practice, all discussed in more detail in the following two sections.

Practical Implications

Any cross-border transfer — in either direction — requires additional contractual safeguards. For companies operating in the EU ↔ UAE chain, this means a dual burden: the need to simultaneously comply with the requirements of both the GDPR and UAE PDPL, which, despite their conceptual similarities, have different regulatory frameworks and different sets of permissible transfer mechanisms.

Without approved SCCs and a list of countries with an adequate level of protection, businesses effectively operate in a “grey zone”: transfer is formally possible where contractual safeguards are in place, but the standard for those safeguards has not been established by the regulator. There is neither a presumption of compliance nor clear criteria for adequacy. This creates significant uncertainty in audits and in interactions with European counterparties who are required to document the legal basis for each transfer.

Recommendation: At the current stage, a prudent approach is to use contractual safeguards modelled on the EU SCCs, adapted to reflect the specific requirements of UAE PDPL, and to document the legal basis for each cross-border transfer. For transfers from the EU, conduct a TIA. Establish a process for monitoring UAE Data Office publications so that an official list of countries with an adequate level of protection, or approved SCCs, is picked up as soon as it appears.

Risk of Broad Government Access to Personal Data

Exemptions from the Scope of UAE PDPL

Article 2 of UAE PDPL excludes, among other things, two categories from the scope of the law: government data (personal data processed by government authorities in the exercise of their powers) and personal data held by security and judicial authorities. In terms of their scope, these exemptions are significantly broader than analogous carve-outs under European law. The GDPR applies to the public sector on essentially the same basis as the private sector, and access by public authorities to personal data held by private parties must be provided for by law, be necessary and proportionate, and be subject to independent oversight. In the UAE, government authorities are effectively removed from the UAE PDPL regime without any specification of the limits of this exemption or established procedural safeguards.

Uncertainty About the Limits of Government Access

What is particularly concerning is not the existence of government exemptions as such — national security is a recognised ground for restricting data subject rights in any jurisdiction, including the EU — but rather the uncertainty about their scope. The law contains no clear definition of “government data” and does not establish an exhaustive list of authorities that benefit from the exemption. This creates room for broad interpretation under which the exemption could be extended to authorities whose activities have no direct connection to national security. UAE PDPL provides neither for requirements of prior judicial authorisation for access to personal data, nor for a mechanism to notify the data subject (including on a delayed basis), nor for a procedure to challenge such decisions.

Additional context is provided by Federal Decree-Law No. 34 of 2021 on Countering Rumours and Cybercrimes, which grants competent authorities broad powers to access electronic data for investigative purposes. Taken together with the exemptions under UAE PDPL, this creates a legal environment in which government access to personal data is governed primarily by public law, without the standards and safeguards provided for by data protection legislation.

Practical Implications

EDPB Recommendations 01/2020 require the data exporter to assess whether the law and practice of the recipient country allow public authorities to access the transferred data in a way that undermines the transfer tool. If the assessment reveals that the level of protection is insufficient, the exporter must, following the ruling of the Court of Justice of the EU in Schrems II (C-311/18), either suspend the transfer or implement supplementary measures, including technical measures that prevent government authorities from accessing personal data in intelligible form, such as encryption where the keys are held solely by the exporter outside the recipient country.

Recommendation: Conduct a detailed analysis of the categories of personal data stored and processed in the UAE, taking into account the real risk of requests from government authorities. For sensitive categories, consider applying end-to-end encryption, pseudonymisation, and tokenisation. These measures only mitigate the government-access risk if the decryption keys, the pseudonymisation key or the tokenisation vault remain outside the UAE and under the exporter’s exclusive control; a key or vault held by the UAE processor can be compelled together with the data. Develop an internal policy for responding to government authority requests, establishing the principle of minimum disclosure: verify the legal basis and scope of each request, log it, escalate to legal, and disclose only what the request covers.
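The following is an added example and not code from the original article or from Data Privacy Office: it shows the tokenisation pattern recommended above for direct identifiers, where the HMAC key and the token-to-value vault stay with the exporter (for example the EU controller) and the UAE-hosted dataset carries only tokens. It also shows why an unkeyed hash is not a pseudonymisation measure in this sense: anyone who can enumerate candidate values can reverse it. The field names, sample records and keys are constructed for illustration; only the Python standard library is used.

```python
"""Added example (not part of the original article): field-level
tokenisation of direct identifiers so that a dataset hosted in the UAE
contains no plaintext identifiers, while the HMAC key and the
token-to-value vault stay with the exporter outside that jurisdiction.
Field names, sample records and keys are constructed for illustration."""
import hashlib
import hmac
from typing import Optional

# Assumed: these are the direct identifiers to strip before hosting abroad.
DIRECT_IDENTIFIERS = ("email", "passport_no")


class TokenVault:
    """Keyed tokeniser. Assumed to run and persist only in the exporter's
    environment; the UAE processor never sees the key or the vault, so the
    tokens it holds cannot be reversed there."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least a 256-bit key")
        self._key = key
        self._vault = {}  # token -> original value, held by the exporter only

    def tokenise(self, field: str, value: str) -> str:
        # Keyed and deterministic: equal values give equal tokens, so joins
        # still work downstream. The field name is bound in so an e-mail and a
        # passport number with identical text never produce the same token.
        msg = f"{field}\x00{value}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        token = f"tok_{field}_{tag}"
        self._vault[token] = value
        return token

    def detokenise(self, token: str) -> str:
        """Re-identification is only possible where the vault lives."""
        return self._vault[token]


def pseudonymise_record(record: dict, vault: TokenVault,
                        direct_identifiers=DIRECT_IDENTIFIERS) -> dict:
    """Return a copy of `record` fit for hosting in the UAE: direct
    identifiers replaced by tokens, all other fields left unchanged."""
    out = dict(record)
    for field in direct_identifiers:
        if out.get(field) is not None:
            out[field] = vault.tokenise(field, str(out[field]))
    return out


def has_plaintext_identifier(record: dict,
                             direct_identifiers=DIRECT_IDENTIFIERS) -> bool:
    """Export gate: True if the record still carries a direct identifier."""
    return any(record.get(f) is not None and not str(record[f]).startswith("tok_")
               for f in direct_identifiers)


def naive_hash(value: str) -> str:
    """The common mistake: an unkeyed hash looks pseudonymous but is
    reversible by anyone who can enumerate candidate values."""
    return hashlib.sha256(value.encode()).hexdigest()


def guess_from_candidates(target: str, candidates, derive) -> Optional[str]:
    """Dictionary attack: the candidate whose derived value equals `target`."""
    for candidate in candidates:
        if derive(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample data and a constructed demo key.
    exporter_vault = TokenVault(b"constructed-demo-key-not-for-production!")
    records = [
        {"customer_id": 1, "email": "a.ali@example.com", "passport_no": "X1234567", "city": "Dubai"},
        {"customer_id": 2, "email": "b.khan@example.com", "passport_no": None, "city": "Abu Dhabi"},
    ]
    shipped = [pseudonymise_record(r, exporter_vault) for r in records]
    assert not any(has_plaintext_identifier(r) for r in shipped)
    print("hosted in UAE:", shipped[0])
    print("re-identified by exporter:", exporter_vault.detokenise(shipped[0]["email"]))

    # What a party holding a candidate list can do with an unkeyed hash versus a keyed token.
    candidates = ["a.ali@example.com", "x@example.com"]
    print("naive hash recovered:", guess_from_candidates(naive_hash("a.ali@example.com"), candidates, naive_hash))
    attacker_vault = TokenVault(b"attacker-guess-key-of-32-bytes!!")
    print("keyed token recovered:", guess_from_candidates(shipped[0]["email"], candidates,
                                                          lambda v: attacker_vault.tokenise("email", v)))
```

The design choice worth noting is the split between what crosses the border and what does not: the hosted record remains useful for joins and analytics because tokens are deterministic, yet the only artefacts that turn a token back into a person (the key and the vault) never leave the exporter. Deterministic tokens still allow records to be linked to each other, so for the most sensitive datasets a per-record random token, or encryption of the whole field with an exporter-held key, may be the better trade-off.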

Risk of Legal Uncertainty and Weak Predictability of Enforcement Practice

Immaturity of Enforcement Practice

UAE PDPL stipulates the establishment of the UAE Data Office — a supervisory authority with powers to monitor compliance, conduct investigations, and impose fines. The Data Office was established pursuant to Federal Decree-Law No. 44 of 2021. However, as of May 2026, its practical activity remains extremely limited.

The Executive Regulations that are intended to specify the key provisions of UAE PDPL, such as the procedure for appointing a DPO, detailed incident notification requirements, and the practical application of the legal bases for processing, have still not been adopted, four years after the law entered into force. There are no published fine decisions, no public investigations, and no other enforcement information. A body of guidelines and clarifications has not been developed either: unlike European DPAs, which actively publish practical guidance and opinions, the UAE Data Office has not yet created a comparable basis for interpreting the requirements of the law.

The UAE PDPL provides for the possibility of administrative sanctions. However, the specific list of violations and the amount of fines must be determined by a separate Cabinet decision, based on a proposal from the UAE Data Office. Until such a decision is published, this risk remains difficult to calibrate: businesses cannot accurately assess either the likelihood of enforcement or the categories of violations that the regulator will prioritise.

Separately from the UAE PDPL, criminal liability may arise under Federal Decree-Law No. 34 of 2021 on Countering Rumours and Cybercrimes, for example, in cases of unlawful access to, use, disclosure or illegal processing of personal data through information technology.

The current absence of enforcement practice does not mean that enforcement will not emerge tomorrow: the GDPR experience shows that regulators often begin with precedent-setting cases.

Questions of Institutional Independence

The UAE Data Office was established under the Telecommunications and Digital Government Regulatory Authority, a government body that combines the functions of telecommunications sector regulator and data protection supervisory authority. This structural subordination creates a potential conflict of interests and raises questions about the regulator’s willingness to consistently apply the law in relation to government entities or large state-affiliated companies. In the European model, full institutional independence of supervisory authorities is a primary-law requirement (Article 8(3) of the EU Charter of Fundamental Rights), expressly restated in Article 52(1) of the GDPR. It is precisely this independence that is taken into account in a TIA as one of the key indicators of the actual effectiveness of the legal mechanisms for personal data protection in the recipient country.

Fragmentation: The Federal Level and Special Zones

The UAE legal landscape has a distinctive feature: the coexistence of three separate data protection regimes. The federal UAE PDPL applies on the UAE mainland. DIFC Data Protection Law No. 5 of 2020 applies in the Dubai International Financial Centre, while the ADGM Data Protection Regulations 2021 apply in the Abu Dhabi Global Market.

Each of the three regimes has its own regulator, its own rules on cross-border transfers, and its own level of enforcement maturity. For a company operating simultaneously in mainland UAE, the DIFC, and the ADGM, this means triple compliance: the need to satisfy three different legal regimes with significant differences in their requirements at the same time. The DIFC and ADGM regimes are considerably more mature and predictable: they have independent regulators, published practice, and detailed rules. In practice, this means that companies may find it difficult to build a unified personal data protection compliance framework in the UAE on a single model.

🌏 Operating Across Multiple Jurisdictions?

The Data Privacy Office team advises on the UAE PDPL, GDPR, DIFC, and ADGM regimes. We help build a compliance programme that works across multiple legal regimes without duplicating effort.

Conclusion

UAE PDPL is an ambitious and conceptually modern law. However, the gap between its text and the state of its institutional implementation gives rise to three fundamental risks that businesses need to address now. For a company processing personal data in the UAE, compliance starts with three questions:

🔹 Which personal data flows involve UAE territory — and which specific regime (federal UAE PDPL, DIFC, ADGM) applies to each of them?

🔹 How vulnerable is the personal data processed by the company to requests from government authorities, and are the technical safeguards sufficient to mitigate this risk?

🔹 Is the compliance programme ready for rapid restructuring when Executive Regulations are adopted and the UAE Data Office becomes more active?

Ignoring UAE PDPL in the absence of visible enforcement may seem reasonable, but GDPR experience convincingly demonstrates the opposite: regulators often begin with high-profile cases, and the cost of reactive compliance far exceeds that of preventive action.
