As many of you are no doubt aware, media outlets in the UAE and beyond have been reporting various viewpoints on the apparent new state of the law regarding Virtual Private Network (VPN) use in the United Arab Emirates - reportedly pursuant to new Federal Law No.12 of 2016 Amending Federal Law 5 No. of 2012 ("2016 Amending Law").

Some of these articles are stating or suggesting that the use of VPNs in the UAE is now strictly prohibited. However, we do not believe this to be the overall effect or intent of the reported legislative amends. We discuss our views on this matter in further detail below.

What is Reportedly Changing?

The UAE Federal Law No. 5 of 2012 On Combatting Cybercrimes ("Cybercrimes Law") is the law that is being amended by the 2016 Amending Law, in particular Article 9 – the original version of which provides as follows:*

Article 9: Punishment of Circumvention on the Protocol Address of the Internet for the Purpose of Committing a Crime or Preventing its Discovery

Any person that circumvents the protocol address of the internet by using a delusive address or an address belonging to third party or by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by imprisonment and a fine of not less than (AED 150,000) and not exceeding (AED 500,000) or by any of these punishments.

The 2016 Amending Law replaces the operative section of Article 9 with the following:*

Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address or by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of not less than AED 500,000 and not exceeding AED 2,000,000, or either of these two penalties.

*Emphasis added for illustrative purposes. Please also note that all English language translations of UAE law are by definition unofficial, and only the original Arabic text as published in the UAE Official Gazette constitutes the legally recognised version.

What Does this Mean?

On the basis of an assessment of the provisions set out above, the overall legal status of VPNs in the UAE under the Cybercrimes Law generally has not changed. That is to say, in both of the above iterations of Article 9, it is not the strict use of a VPN alone that attracts potential liability – but rather its use "for the purpose of committing a crime or preventing its discovery". However, this does of course in turn trigger a further necessary question – namely, what exactly might constitute criminal behaviour (or the concealment of it) in this context under various UAE laws and regulations? Unfortunately, this is not a particularly simple or straightforward line of inquiry – and in many cases would be very fact-driven and specific. This is because many restrictions or prohibitions under UAE legal frameworks – in particular regarding the use or distribution of different types of content – can be quite broad and subjective and therefore open to different potential interpretations (for example, legal prohibitions on content that is contrary to public morals or considered to be offensive). On the other hand, certain prohibitions or restrictions under UAE legal frameworks can be quite prescriptive or specific (for example, restrictions on the use of certain specified technologies, such as VOIP).

Therefore, it would be prudent to make an assessment as to the overall UAE legal and regulatory compliance of activities being conducted via VPN. To the extent that such activities are not in fact compliant with the wider UAE legal and regulatory framework, there is indeed a clear risk of potential repercussions pursuant to the Cybercrimes Law (as amended or otherwise). It is also worth bearing in mind that the corresponding fines under Article 9 have been increased significantly pursuant to the 2016 Amending Law (from a maximum of approximately US$135,000 to a maximum of approximately US$550,000), and therefore any potential misuse of a VPN in the UAE may now also carry a significantly heightened commercial risk.

What Should Be Done Now?

In light of the developments and observations set out above, we would recommend taking next steps as follows:

  • Audit and assess your specific VPN usage – is it compliant with the applicable UAE laws and wider regulatory framework, in particular regarding matters of communications regulation and/or content restrictions?
  • If the answer to the above query is no, undertake appropriate corrective action – if you are uncertain, your local legal adviser should be able to assist.
  • Implement a system to continue monitoring and stay informed of any relevant legal/regulatory developments in this area.
  • Ensure that any changes to your activities/usage involving a VPN in the UAE are cognisant of the points raised above.