Recent media reports regarding changes to the law relating to the use of a Virtual Private Network (“VPN”) have caused significant alarm to businesses operating in the UAE.
A VPN is a private network that extends across a public network or the internet, enabling users to send and receive data across shared or public networks as if their devices were directly connected to the private network. Anecdotally, VPNs appear to be widely used in the UAE, both by consumers wanting to access content unavailable locally (e.g. e-commerce or media websites focusing on specific foreign markets), and by commercial enterprises wanting to directly link international offices for improved security and cost management.
Many residents of the UAE, and businesses operating in the UAE, were concerned by recent changes to Federal Law No. 5 of 2012 on Combatting Information Technology Crimes (known locally as the “Cyber Crimes Law”). Specifically, Federal Law No. 12 of 2016 amending the Cyber Crimes Law was reported as criminalising the use of VPNs in the UAE. This would have a significant impact on businesses relying on VPNs. However, it appears now that the media largely overstated the effect of these changes.
Federal Law No. 12 of 2016 amending the Cyber Crimes Law was issued last month and has only recently been gazetted and come into effect.
Article 1 of Federal Law No. 12 of 2016 amending the Cyber Crimes Law provides for replacing the text of Article 9 of the Cyber Crimes Law as follows:
A punishment of temporary imprisonment and a fine of not less than AED 500,000 and not more than AED 2,000,000, or either of these two penalties, shall be imposed on whoever uses a fraudulent computer network protocol address by using a false address or a third-party address or by any other means for the purpose of committing a crime or preventing its discovery.
The corresponding provision in the Cyber Crimes Law as issued in 2012 read as follows:
Any person that circumvents the protocol address of the internet by using a delusive address or an address belonging to others or by any other means for the purpose of committing a crime or preventing its discovery shall be punished by imprisonment and a fine not less than (AED 150.000) and not exceeding (AED 500.000) or by any of these punishments.
The primary change is actually just an increase of the applicable fines (from the previous AED150,000 - AED500,000 range to the new AED500,000 - AED2,000,000 range). The change does not make using a VPN on its own illegal. To be illegal, there is still the requirement of using a fraudulent IP address for the purpose of committing a crime or preventing its discovery (which was already the case under Article 9 of the original Cyber Crimes Law).
Accordingly, if the VPN is being used for legitimate purposes, the use of the VPN itself would not constitute a crime.
Only recently, the Telecommunications Regulatory Authority issued a media release clarifying that there is no regulation that prevents the use of VPNs by companies, institutions and banks to gain access to internal networks via the internet. However, using a VPN for the purpose of manipulating internet protocols with the intent to commit any fraud or crime is punishable by law.
The over-arching query that remains relates to exactly what is likely to be considered a crime for the purposes of this provision. In practical terms, a broad spectrum of offences could be captured by the prohibition on the use of a VPN to mask the commission of an offence. It is our expectation that the authorities are more interested in preventing access to nefarious content likely to damage the community (e.g. recruitment videos for terrorist groups) than in preventing otherwise law-abiding citizens from accessing foreign TV series that are not yet available in the UAE (e.g. the latest series of Game of Thrones).