UAE Cybercrime Laws in Focus: How Online Harassment, Digital Evidence and Privacy Are Enforced

A closer look at the UAE’s tough legal framework governing cyber offences, online harassment and the use of electronic evidence.

Author: Ayushi Rai | Dec 23, 2025, 12:15 PM

The UAE maintains one of the most comprehensive cyber-regulatory systems in the region, centred on Federal Decree-Law No. 34 of 2021 on Countering Rumours and Cybercrimes, which replaced the 2012 cybercrime statute. The modernised law criminalises a wide range of unlawful online conduct, including hacking, identity theft, harassment, defamation and the dissemination of false information. Its provisions apply to acts committed through “information networks”, “information systems” or “information technology means”, definitions broad enough to cover mobile phones, computers, social media platforms, messaging applications and cloud-based systems.

Alongside this, Federal Decree-Law No. 31 of 2021 (the Penal Code) sets out general criminal principles governing defamation, insult, threats, sexual harassment and related offences, which attract aggravated penalties when committed through technological means. The framework is reinforced by the Evidence Law (Federal Decree-Law No. 35 of 2022) and the Electronic Transactions and Trust Services Law (Federal Decree-Law No. 46 of 2021), ensuring electronic records, digital signatures, device extractions, server logs and online communications are admissible in court once authenticity and integrity are established.

Privacy and data-processing obligations are regulated by the UAE Personal Data Protection Law (PDPL), which applies to organisations and also guides how authorities handle personal data during cybercrime investigations. As a result, cyber offences are addressed through an interlinked criminal, regulatory, evidentiary and privacy framework.

Scope and jurisdiction of the Cybercrimes Law

The Cybercrimes Law applies broadly to acts committed through electronic systems, even where the offender is located outside the UAE. Jurisdiction may be asserted if harmful content is accessible in the UAE or if the victim resides there. Courts assess factors such as accessibility, intent to target a UAE-based individual and the location of harm.

The law also addresses public-order concerns, criminalising digital content that threatens national security, spreads false rumours, undermines confidence in institutions or offends religious values and public morals. These offences sit alongside personal crimes such as harassment and defamation, reflecting the UAE’s policy focus on digital discipline and reputational protection.

Unauthorised access and system interference

Accessing a website, network or system without authorisation, or exceeding permitted access, is a criminal offence. Penalties increase where data is obtained, deleted, altered or disclosed, or where the targeted system belongs to a government body or critical sector. Even unauthorised “security testing” may amount to criminal intrusion.

System interference, including service disruption, data corruption, ransomware attacks, malware deployment and distributed denial-of-service (DDoS) attacks, is punishable separately. Both unauthorised access and subsequent interference can attract cumulative charges.

Cyber fraud, identity misuse and impersonation

The law criminalises obtaining property, signatures or confidential information through system manipulation, false identities or impersonation. Creating fake social-media accounts or websites in another person’s or entity’s name can trigger liability, with heavier penalties where financial damage occurs or a public authority is involved.

Cyber fraud includes phishing schemes, fraudulent e-commerce platforms, payment-card manipulation and scams designed to extract funds or sensitive data. An attempt alone may be sufficient for prosecution if digital deception is established.

Content-based cyber offences and child protection

Producing, distributing or possessing child sexual abuse material, including digitally created images, carries severe penalties. The law also prohibits online content that promotes immorality, offends religious values or public morals, or spreads false information likely to cause panic or harm the public interest.

These provisions frequently intersect with harassment cases, particularly where abusive or defamatory posts involve manipulated images or sexually degrading material.

Defamation and insult through digital platforms

Defamation and insult are criminal offences under the Penal Code, but Article 43 of the Cybercrimes Law imposes significantly harsher penalties when such conduct occurs online, including imprisonment and fines of between Dh250,000 and Dh500,000. Public dissemination is not required; even a single private message may constitute an offence if it harms reputation.

Online defamation covers false allegations, accusations of misconduct, derogatory comments, hostile social-media posts, abusive emails and damaging reviews. Courts treat such cases seriously due to the speed and permanence of digital publication.

Cyber threats and digital blackmail

Threats or extortion carried out using information technology are criminal offences. This includes threats to publish private images, demands for money or actions, and threats of reputational damage. Where threats involve dishonourable matters or imply serious crimes, additional Penal Code provisions increase penalties.

Digital blackmail is among the most actively prosecuted cyber offences, particularly where intimate images or confidential information are involved.

Sexual harassment and indecent conduct online

Sexual harassment includes persistent digital behaviour intended to arouse sexual interest or humiliate a victim. Sending explicit images, making sexual demands or repeatedly contacting someone online may trigger liability under both the Penal Code and the Cybercrimes Law, with enhanced penalties where the victim is a minor, subordinate or vulnerable person.

Cyberbullying as repeated abusive conduct

While “cyberbullying” is not defined as a standalone offence, repeated abusive behaviour -- including impersonation, doxxing, coordinated harassment, rumour-spreading and humiliating content -- falls within existing criminal provisions. Authorities have stressed that repeated online harassment is not trivial, even when conducted privately.

Legal recognition of digital evidence

The Evidence Law confirms that electronic evidence cannot be rejected solely because it is digital. Electronic signatures validated under the Electronic Transactions Law carry the same legal force as handwritten signatures when statutory conditions are met. Courts regularly rely on emails, chats, digital contracts, metadata and device extractions.

Common forms of digital evidence

Investigations frequently rely on screenshots, chat logs, emails, server records, IP addresses, cloud backups and forensic device images. Deleted data may still be recoverable from devices or service providers, who can be compelled to disclose records under law.

Authentication and forensic verification

Courts often appoint digital forensic experts to verify authenticity and integrity. Processes include imaging devices, examining metadata, analysing logs and preserving chain of custody. Expert forensic reports play a decisive role in evidentiary assessment.

Evidential value of screenshots and printouts

Screenshots and printouts are admissible when corroborated, uncontested or supported by expert verification. Courts may require access to underlying devices or accounts, and unjustified refusal to produce electronic data may result in adverse inferences.

Privacy violations and image-based abuse

Capturing, storing or publishing another person’s image, video, voice recording or private information without consent is a criminal offence where privacy is expected. Sharing images online to shame, harass or threaten may also constitute defamation or extortion.

Cases involving minors attract significantly harsher penalties. Authorities consistently warn that sharing intimate images without consent is criminal even where no financial demand is made.

Data protection obligations during investigations

Under the PDPL, organisations must secure personal data, limit processing and ensure lawful disclosure. During investigations, authorities and organisations must avoid unnecessary exposure of personal information, with courts increasingly anonymising sensitive data.

Reporting cybercrime in the UAE

Victims can report cyber offences through digital platforms operated by Dubai Police, Abu Dhabi Police, the Ministry of Interior and the Federal Public Prosecution’s “My Safe Society” app. These platforms allow rapid evidence submission and swift action by specialised units.

Enforcement trends and practical consequences

Authorities regularly prosecute cases involving online defamation, harassment, blackmail, scams and misinformation. Enforcement actions are frequently publicised to deter misconduct, and foreign nationals are reminded that overseas online conduct may still attract liability if its effects are felt in the UAE.

Criminal proceedings are often accompanied by civil claims for compensation, particularly for reputational or emotional harm. In employment settings, misuse of corporate systems or online harassment may justify disciplinary action or dismissal, supported by digital records such as emails, chats and access logs.
