Data Privacy & Digital Rights

The UAE's data-protection framework has three layers. The federal layer is Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), which entered into force on 2 January 2022. The PDPL gives data subjects rights of access, correction, erasure, restriction, portability, and objection — the standard GDPR-style set. The implementation layer is still developing: an initial set of Executive Regulations was issued in 2024, but further Implementing Regulations clarifying key provisions have not all been published, and the UAE Data Office (established under FDL 44/2021) is not yet fully empowered as the enforcement regulator. The result is that some PDPL rights are practically enforceable today and others remain in transition; the situation continues to develop through 2026.

The two financial free-zones — DIFC and ADGM — have their own data-protection regimes that ARE fully operational. DIFC's Data Protection Law DIFC Law No. 5 of 2020 is in force and enforced by the DIFC Commissioner of Data Protection. ADGM's Data Protection Regulations 2021 are in force and enforced by the ADGM Office of Data Protection. If you live or work in a DIFC or ADGM-licensed entity's data ecosystem, those regimes give you working DSAR / erasure mechanisms today.

For image-abuse and online harassment, the operational regime is Federal Decree-Law 34/2021 on Combating Rumours and Cybercrimes (in force 2 January 2022) — the same framework that handles scam reporting via eCrime and the MoI. NCII / deepfake victims should also use the global hash-based services: StopNCII.org (18+) and NCMEC Take It Down (takeitdown.ncmec.org, under-18).