Skip to content

The New Cybercrime Law

The New Cybercrime Law

Lawgical with LYLAW and Tim Elliot

21 June 2022

Tim Elliot:  Welcome to Lawgical, the U.A.E.’s first and only, that we are aware of even to this day, legal podcast.  My name’s Tim Elliot.  Lawgical comes to you from the Dubai-based legal firm, HPL Yamalova & Plewka.  As always, here is the Managing Partner, Ludmila Yamalova.  It’s good to see you.

Ludmila Yamalova:  Good to be here.  Thanks for being here, Tim.

Tim Elliot:  This time, Ludmila, and there is lots to talk about here.  There is lots to unpack, is the way you’d phrase it now.  It’s the new cybercrime law.  It is Federal Degree Law Number 34 of 2021.  It came into effect January of this year.  It replaces a 10-year-old law, and I think that is an important point to make because 10 years in the cyberworld is an eternity, isn’t it?  It needed to be updated.

Ludmila Yamalova:  Indeed.  Though I have to say that even the previous version of the cyberlaw was often relied on and in a way it was, to an extent at least, did the jobs in terms of being able to address a lot of the offenses or actions that are subject to this, cybercrime if you will.  But as you rightfully said, that was 2012, the previous law, and now we are in 2022, so 10 years in the cyberworld is an eternity.  It was just a matter of time, and we were expecting a new law to be introduced.  We were not quite sure whether it would just be an amendment to the previous law or whether it would be a total overhaul of the previous law, and it is really the latter.  Instead of just amending certain provisions of the previous law, this new law, as you rightfully said this is Law Number 23 of 2021, replaces and basically makes invalid the previous law.

It is quite expansive in its scope and in its objectives, if you will.  The law came into effect just two months ago in January of 2022, so in terms of how it will be implemented and how the courts will interpret a number of these provisions remains to be seen.  But at a very high level, this law is a lot more perhaps serious if you will, in terms of the penalties, in terms of what it considers to be improper or illegal content that would be made subject to the cyber law to begin with, and on the other hand, what the penalties would be for violating those provisions in the cyber law.  Language wise and in the specifics, it is pretty – I don’t want to use the word draconian – but it is pretty serious in terms of the penalties in particular.  Now how stringent and how close the authorities will be actually wanting to apply this law and what type of actions remains to be seen, but for the time being I think it is important that we at least set out a framework of what this law is all about and what it aims to achieve.

Tim Elliot:  We will come to the penalties in a moment and look at how tough some of those penalties are, but this is a new law that specifically targets cyber or online crimes.  I want to look at what’s new.  I guess it’s reasonable to say misleading adverts, the use of fake accounts, that kind of activity is simply blatant criminal activity in most cases.  What’s interesting here is the potential for personal persecution for sharing false information over social media.  That’s a hard thing to police, but it will mean limiting the spread of some of the nonsense that we get online, take COVID, for example, some of the rubbish that was being spread on social media portals.

Ludmila Yamalova:  For sure.  This is a good place to start in terms of what is the overall objective of this law.  The objective is to ultimately ensure that the public is protected and the interests of the public at large are protected, and to ensure that there is no mechanisms or tools to incite hatred or contempt, or breach people’s privacy, or spread fake information that, once again, would be against the interests of society.  The objectives are honorable, if you will, and they are there to ultimately protect the society at large, as well as individuals as part of that society.  As you rightfully said, it’s so easy these days to mar someone’s reputation.  It’s not that much farther from there to actually destroy someone’s life almost just by virtue of posting some of this content online.  Some level of regulation is absolutely needed, if not required, and is much welcomed, particularly as we see that the new generation is a lot more dependent on the cyberworld in terms of social directions, in terms of content, and in terms of their day-to-day life and therefore what they see and what they interact with in that world needs to be regulated and needs to be monitored.  It only makes sense and it is reasonable for the authorities to step in and introduce some level of regulation to at least create or dissuade anyone from misusing or abusing the digital means that ultimately could lead to the harming of individuals and society at large.

Tim Elliot:  It’s an attempt to, I guess, encourage proper behavior.  I don’t know how you define proper behavior, but it’s a step in that direction.  This is obviously an evolving field.  Let’s talk about penalties.  In terms of criminalized activities, what are the penalties?

Ludmila Yamalova:  Before I get into penalties, I do want to fine tune a little further in terms of what the content is that the cyber law attempts to regulate or seeks to regulate.  On the one hand, it is just these general statements such as to avoid misinformation and rumors and defaming the country and states and such.  These are more general objectives, if you will.

But on the other hand, there are also a number of specific objectives that the cybercrime law aims to ensure, and those are related to specific content that in the U.A.E., for one reason or another, is either considered inappropriate or illegal or banned altogether, for example, gambling.

The reason the specific content or examples of content are important because when we talk about penalties, there are different penalties that apply depending upon which part of the content is implicated.  For example, anything related to gambling, any kind of advertising of gambling, anything related to gambling per se, is considered against the cyber crime law.  Why?  Because gambling in the U.A.E. as a country is illegal.  That may not be the case in other countries, and that is why it is an interesting example.  But in the U.A.E. there is a very specific law that makes gambling as an activity banned altogether.  Therefore, any other events, actions, or attempts that in one way or another, would directly or indirectly, either promote gambling or even advertises gambling, obviously are illegal.  The same thing with pornography.  Now pornography is a little more objectively banned and improper and illegal across the world, but that is another example.

One of the other more nuanced examples specific to the U.A.E. is collecting unauthorized donations.  There are a whole set of penalties that follows when you use digital means to collect donations.  Again, collecting donations in other parts of the world is not often regulated in the same way, or maybe it is regulated but it is not exactly legal in the U.A.E.  It is a highly regulated area, so you have to be careful.  Another example is conducting unauthorized surveys, something that may be as simple or as mundane as online surveys.

Tim Elliot:  That’s interesting to me.  I was going to bring that up.  It is specifically in the law.  “Conducting unauthorized surveys” is the phrase.  What if you published a simple Twitter poll, for example, to ask people to like or share, depending on which way they see an issue, is that an unauthorized survey?

Ludmila Yamalova:  That is the million-dollar question, if you will.  This is where, as I said earlier, it will be interesting to see how closely this law is applied, interpreted, and to what kind of activities.  Something like that, as you said, through Twitter, just posting a questionnaire, perhaps it is not done at a commercial level or perhaps the reach is such that it doesn’t really get the authorities interested, I would like to think there is some overall objective in terms of your activities and the scope of the activities has to have some kind of larger applicability or reach, rather than just, let’s say, you doing an online survey through your own Facebook account, for example.  It depends.

Tim Elliot:  It just struck me that if you send out a tweet, do you like cheese croissants or chocolate croissants?  It is not a harmful thing to ask somebody to give their opinion on that.  But if I was to say, what do you think of X government decision against X government decision?  I guess the nuance is as simple as that.  It is common sense.

Ludmila Yamalova:  Indeed, but there is perhaps something a little in the middle.  Let’s say you wanted to know how many Pakistanis live in the U.A.E. or how many Russians live in the U.A.E. and you just wanted to conduct a survey like that.  That in itself does not necessarily have a political message embedded in it.  But it may be that the objective of that kind of survey would violate or would be contrary to what the government would want to be disseminated and perhaps some of it is because they want to be able to ensure that whenever such surveys are conducted, they are conducted by authorized entities and therefore again there is no misinformation regarding your survey results versus my survey results.  I would say that is perhaps the underlying purpose for regulating this.  It is not that surveys are illegal altogether.  It is just that they should be done with the necessary approvals.  But that would be another example.

Let’s say if you do a survey of how many police live in the U.A.E. and then another more institutionalized entity would conduct a similar survey, and then you publish your results and they publish their results.  Could there potentially be discrepancies?  In a way, at least arguably, it might be deemed by the authorities as harming the public interest.  That is an example with surveys.

Another interesting example, and again perhaps more specific to the U.A.E. in terms of content that is illegal, is electronic begging.  There is a specific section for just that, and that perhaps is linked to donations and raising funds and other activity that is regulated in the U.A.E. and therefore requires a license.  Any use of digital means to solicit some kind of donations by virtue of electronic begging is considered to be illegal and punishable under the cybercrime law.

These are some examples, in addition to the more overarching objectives.  To avoid misinformation and fake news, there are certainly very specific and directives as to what you should not be either posting or certainly re-sharing because that specific content or subject matter es either strictly regulated in the U.A.E. or outright prohibited.

Tim Elliot:  Let’s get back to specific penalties, as you mentioned earlier.  It’s worth running through what you may face if you do conduct an unauthorized survey, for example.

Ludmila Yamalova:  The penalties are almost in all cases – and this is a good place to interject that the cybercrime law in the U.A.E. is in a way similar and is perhaps either an add on or an alternative to the penal code in many ways because of the penalties that it imposes.

Because if we talk about civil law, a jail sentence is not usually a penalty; there is always a fine or some sort of compensation, not even a fine so much, but a compensation.

In criminal law, there is always a fine.  And there is a big difference between a fine and compensation because a fine goes to the government, whereas compensation goes to the victim to be compensated.  That is done through the civil law.  In criminal law, usually all penalties are in one of three forms, either a fine, a jail sentence, or both.  There is a fourth one sometimes, a rehabilitation of sorts, some institutional kind of experiences.  In that way, in terms of penalties, the cyberlaw is very similar to the penal code.  It is not to say that in all of these cases where the digital world is concerned the criminal code will not come into play.  It also will come into play.

But in the cyberworld, crime in general has harsher or more severe penalties than the criminal law.  It is possible to have both laws apply sometimes, or one or the other, and if it is one or the other, anything to do with digital actions will be penalized more harshly under the cyberlaw.  At a high level, the penalties will always include one or the other, or either/or of penalties or fines or a jail sentence.

For example, a penalty for defaming a foreign country on social media or on any sort of online platform can lead to either, or both, 6 months in prison and/or a fine of 100,000 dirhams to 500,000 dirhams.  That is just basically spreading content online, either posting or even sharing content online that one way or another defames a foreign country.  Pretty serious.  This is important to keep in mind even if it is content that is not authored by you.  Re-sharing alone could implicate the cyber law as well.

For electronic begging, for example, or seeking illegitimate help from a federal or local government entities and officials, again through online platforms, can lead to either 3 months in prison and a fine of 10,000 dirhams, or both.

Then publishing and sharing fake news and rumors on social media can result in 1 year in prison and a fine of a minimum of 100,000 dirhams.  Furthermore, the penalties can increase to 2 years in prison and a minimum of 200,000 dirhams if the fake news or the crime is committed during a state of crisis, for instance, a pandemic.  If you are spreading some kind of misinformation or so-called fake news during the time of crisis, all these penalties are basically doubled.

Then there is misleading in advertising or some kind of impersonation as well.  That in itself has specific fines and those are fines of 20,000 dirhams to 500,000 dirhams, or a jail term for 3 months, or both.

Then there is another interesting category, and that is information published that does not coincide with the outlined media content criteria in the U.A.E.  This can also lead to a fine o 300,000 dirhams and upwards, and also a year in prison, or both.

Then there is a whole category of industry specific content that could further lead to either specific penalties or additional penalties.  For example, anything to do with selling medical products without a license can also lead to specific penalties of fines of 50,000 dirhams to 200,000 dirhams and a jail term as well.

As I mentioned earlier, the online surveys is another interesting example.  If you have used digital means to conduct online surveys without the proper license, then it could lead to a jail term and a fine of anything between 100,000 dirhams and 500,000 dirhams.  Then anything to do with creating fake companies online to collect money, again this is either electronic begging or some kind of unauthorized donations, it is a 5-year jail term and a fine between 250,000 dirhams and up to 1,000,000 dirhams.

There is another specific category which is interesting and timely, cryptocurrency.  It is only to be expected that cryptocurrency will be covered by the cybercrime law, but there is a specific provision that provides that if any unlicensed trading in cryptocurrency can lead to either or both a jail term or a fine between 20,000 dirhams and up to 500,000 dirhams.  There it is.

Another example is harming, for example, banking, medical, media institutions, or scientific institutions.  Believe it or not, there is a whole category that specifically zeroes in on those institutions.  Damaging or causing those institutions which, for obvious reasons, we need to be mindful of because we have seen a lot of breaches that have been done to large institutions, like banking or medical institutions, that have so much data on us, the public in general, so it’s natural that any kind of actions that aim to target those institutions would be given special emphasis or attention.  That could lead to fines anywhere between 500,000 dirhams to 3,000,000 dirhams and a jail sentence, and so on and so forth.

Again, the cyber law, at a very high level, is divided into two categories.  One category is content, what is the content that is improper or illegal to disseminate, and the other category is the penalties for doing so.  Most of the cyber law is basically a continuation of what I just set out, by way of example, in terms of whether this is illegal content, and these are the specific penalties that follow if you are found to have violated.

Tim Elliot:  It’s very easy to be somebody that you’re not online, and often that is nefarious as an underlying cause of issue.  The point of this, it seems to me, is to as much get across that before you post, think, before anything else.  There is almost a civic duty in not posting when you think, well, maybe I shouldn’t say that.  Would I say that to your face?  Do you see where I’m going?

Ludmila Yamalova:  For sure, because it’s so easy to post something, because we’re so attached, almost 24/7 to our devices.  It’s way too easy.  We walk and sleep with these devices.  It is so easy to open up any one of these apps.  You don’t even have to type anymore.  You just dictate a message.  It is so easy to do, but it’s impossible to undo.  A lot of businesses, people, spend years, their lifetimes, to create something, for example, and just by virtue of someone posting a defamatory message about a business could destroy that in an instant.  It does happen.  Certainly there is a balance, but there is definitely public interest involved in figuring out a way to have the right framework and the right tools to strike that balance where freedom of expression in still encouraged and creativity is incentivized, but at the same times these kinds of abuses can harm, not just individuals, but the greater public, harm that almost never can be undone.

At least those kinds of instances happen less often, and that is perhaps by virtue of having such laws, some of which may appear to be draconian.  But also, don’t forget that one of the nuances of criminal law is that it is not for me as a civilian, as a citizen, or a resident, to bring a case against you for having done something.  It is for the State.  It is the State that brings the case.  In a way, having perhaps this kind of a law that is so detailed in terms of penalties and forbidden content is helpful for education purposes, so the society knows these are the do’s and these are the don’ts.

But in terms of which one of these acts, particularly in gray areas, like you used the example before of doing some sort of small survey on a Twitter account, for those things, will the State prosecute you for that?  Because again, it wouldn’t be me as an individual, it would be the State.  So, which of these actions, offenses, crimes, the State will consider serious enough, that are worthy of prosecution and criminalization?  Perhaps those are the checks and balances.  On the one hand, the law and the language are very specific in terms of what the penalties are, and they can be quite severe.  But in terms of actual practice, how often these kind of activities will actually be penalized by these measures, it is really for the State to decide and I would say the State is not going to go after you for doing an online survey through your Twitter account because it is no consequence, until it is, and when it is, then obviously the underlying aim or objective is if it gets serious enough for the State to see that it is worthy of pursuing, that means that whatever your tweet or your survey has done has actually been serious enough to potentially compromise either the interest of the State or a certain segment of the population.

Tim Elliot:  It really is a case of think before you send, I suppose.  Ludmila, finally we are at the early stages of the cyberworld, the internet, the arena, whatever you want to call it now, whatever the kids say.  Digital media is really still in its infancy.  I think that is a reasonable statement.  You would expect, I guess, that this is area of law that would be revisited sooner rather than later, I suppose.

Ludmila Yamalova:  I expect that this will be a bit of an evolving or, if you will, a living organism.  It will continue to evolve and continue to grow and adapt to different levels as technology develops and as we as a society continue to embrace technology in new ways.  So, for sure, and as is often the case, not just in the U.A.E., but in other jurisdictions, but particularly in the U.A.E., you have the main law that is published and then you have a number of regulations and implementing decisions and decrees and circulars, so it may be that instead of having the law itself be amended, we will see further regulations that will define or explain or add to some of the provisions that are already in this current version of the law.

Tim Elliot:  The U.A.E.’s cybercrime law, that’s another episode of Lawgical.  As ever, our legal expert here on the program, Ludmila Yamalova, the Managing Partner here at Yamalova & Plewka.  Thank you, as always.

Ludmila Yamalova:  Thank you, Tim.

Tim Elliot:  Find us at LYLAW on social media, Facebook, Instagram, TikTok, LinkedIn.  There is also our ever-growing library of hundreds of podcasts, all kinds of legal questions and matters here in the U.A.E., all free to listen to.  If you’d like a legal question answered in a future episode of Lawgical or you’d like to talk to a qualified U.A.E. experienced legal professional, click the Contact at

Subscribe to get Latest News