
UNITED ARAB EMIRATES

Reported in 2022, last reported in 2024

Pillar Quantitative trade restrictions for ICT goods and online services  |  Indicator Export restrictions on ICT goods or online services
UAE Import and Export Guide
According to the UAE Import and Export Guide, export activities require a valid trade licence issued by a competent UAE authority, as well as registration with the Customs Department. It has been reported that such licences are currently issued by the respective local customs authorities; however, efforts are ongoing to establish a unified, UAE-wide licensing system.
Coverage Horizontal

UNITED ARAB EMIRATES

Since August 2012, as amended in September 2015

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Federal Law No. 3 of 2012 on the Establishment of the National Electronic Security Authority
مرسوم بقانون اتحادي 3 لسنة 2012 بشأن إنشاء الهيئة الوطنية للأمن الإلكتروني
Art. 5 of Federal Law No. 3 of 2012 defines the competencies of the Signals Intelligence Agency, granting it extensive powers that may include accessing personal data held by private entities. Under Art. 14, the Agency may, in urgent circumstances and following consultation with the National Security Advisor, monitor, infiltrate, disrupt, or block communications networks, information systems, and devices of any person or organisation suspected of engaging in activities that could threaten the United Arab Emirates’ security, public order, social stability, international relations, or critical infrastructure, or endanger life or property, provided that the public prosecution is notified within one week. Additionally, Art. 13 authorises the Agency to take "all necessary measures" to protect national communication networks and information systems from unlawful access and to identify vulnerabilities or malfunctions to prevent breaches of the Law.
Coverage Horizontal

UNITED ARAB EMIRATES

N/A

Pillar Intermediary liability  |  Indicator Safe harbour for intermediaries for copyright infringement
Lack of intermediary liability framework in place for copyright infringements
A basic legal framework on intermediary liability for copyright infringement is absent in the United Arab Emirates' law and jurisprudence.
Coverage Internet intermediaries
Source
  • N/A

UNITED ARAB EMIRATES

Since June 2021

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Retail Payment Services and Card Schemes Regulation
نظام خدمات الدفع للتجزئة ومنظومات البطاقات
Pursuant to Arts. 14.22 and 1.71 of the Retail Payment Services and Card Schemes Regulation, legal entities authorised to provide one or more retail payment services are required to store and maintain personal and payment data within the United Arab Emirates. In addition, a secure and reliable backup of all such data must be established at an alternative location and retained for a mandatory period of five years.
Coverage Retail payment service providers

UNITED ARAB EMIRATES

Since September 2020

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Stored Value Facilities (SVF) Regulation
نظام تسهيلات القيم المخزنة
Pursuant to Art. 10.6 of the Stored Value Facilities (SVF) Regulation, an SVF Licensee is required to ensure the adequate protection of customer data, including customer identification details and transaction records, which must be stored and maintained within the United Arab Emirates. The term Stored Value Facility refers to a facility, other than cash, in respect of which a customer, or another person acting on the customer’s behalf, remits a sum of money (including monetary equivalents such as value credits, reward points, crypto-assets, or virtual assets) to the issuer, whether directly or indirectly, in exchange for: (a) the storage of the value of that money (including monetary equivalents such as value credits, reward points, crypto-assets, or virtual assets), in whole or in part, on the facility; and (b) the performance of the "relevant undertaking". The definition of SVF encompasses both device-based stored value facilities and non-device-based stored value facilities.
Coverage Stored value facilities licensees

UNITED ARAB EMIRATES

Since February 2019
Since April 2021

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Federal Law No. 2 of 2019 Concerning the Use of the Information and Communications Technology in Health Fields
القانون الاتحادي رقم (2) لسنة 2019 في شأن استخدام تقنية المعلومات والاتصالات في المجالات الصحية

Ministerial Decision No. 51 of 2021 Concerning the Cases in Which It Is Permissible to Store or Transfer Health Data and Information Outside the State
قرار وزاري رقم (51) لسنة 2021 بشأن الحالات التي يجوز فيها تخزين أو نقل البيانات والمعلومات الصحية إلى خارج الدولة
Art. 13 of Federal Law No. 2 of 2019 establishes a general prohibition on the transfer, storage, generation, or processing of health data relating to health services provided within the United Arab Emirates outside its territory, save where authorised by a resolution issued by an Emirate-level health authority in coordination with the Ministry of Health and Prevention. Ministerial Decision No. 51 of 2021, under Art. 2, enumerates ten exceptions to this prohibition, including, inter alia, overseas treatment, medical diagnostic testing, scientific research (the Decision specifically requires prior approval from the competent health authority for the use of health data in scientific research), insurance claims and coverage, cooperation with governmental or international organisations, the use of wearable health monitoring devices, pharmacovigilance reporting, telemedicine, data expressly approved by a competent health authority, and transfers effected pursuant to a formal written request by the data subject or their legal representative. Arts. 3-5 of the Decision impose stringent conditions on most of these exceptions, such as obtaining the prior written consent of the patient or their representative where applicable, encrypting data prior to transmission, employing secure communication channels, and retaining a complete copy of the data within the State irrespective of any authorised cross-border transfer.
Coverage Health sector

UNITED ARAB EMIRATES

Since March 2018

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Internet of Things Regulatory Policy
According to Section 7.8.2.2 of the Internet of Things Regulatory Policy, IoT service providers must ensure that all government data classified as secret, sensitive, or confidential is stored exclusively within the United Arab Emirates under all circumstances. Section 1.3 of the Policy further defines these classifications based on the potential harm resulting from a breach of confidentiality or uncontrolled disclosure: confidential data is that whose unrestricted disclosure could cause limited harm to individuals, businesses, or the government; sensitive data is that whose disclosure could result in significant harm to these entities; and secret data is that whose disclosure could severely compromise the supreme interests of the State and cause very substantial damage to individuals, businesses, and the government.
Coverage Public sector

UNITED ARAB EMIRATES

Since September 2021, entry into force in January 2022

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data
المرسوم بقانون اتحادي رقم (45) لسنة 2021 بشأن حماية البيانات الشخصية
Pursuant to Arts. 22 and 23 of the Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data, the transfer of personal data outside the United Arab Emirates is permissible under specific conditions authorised by the UAE Data Office. Such transfers may occur where the recipient state or territory has enacted legislation ensuring an adequate level of personal data protection, encompassing essential provisions, safeguards, and enforcement mechanisms to uphold confidentiality, privacy, and the data subject’s legal rights, including the imposition of appropriate measures on controllers or processors by a judicial or regulatory authority. Transfers are also permitted where the UAE is party to bilateral or multilateral agreements concerning personal data protection with the destination state. In the absence of adequate protection in the recipient jurisdiction, cross-border transfers may proceed under a binding contractual arrangement obliging the foreign entity to adhere to the requirements of the UAE law and to submit to supervisory or judicial oversight as stipulated in the agreement. Additionally, transfers are allowed with the explicit consent of the data subject, provided such action does not contravene national security or public interest; where necessary for the establishment or defence of legal claims; for the conclusion or performance of a contract involving the data subject or a third party acting in their interest; for the execution of measures related to international judicial cooperation; or where required to safeguard the public interest.
Coverage Horizontal

UNITED ARAB EMIRATES

Since March 2018

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Internet of Things Regulatory Policy
Pursuant to Section 7.8.2.1 of the Internet of Things Regulatory Policy, IoT service providers are required to ensure that data classified as secret, sensitive, or confidential in relation to individuals and businesses is primarily stored within the United Arab Emirates. Nevertheless, such data may be stored outside the UAE provided that the host country’s data security and user protection regulations meet or exceed those applicable within the UAE. These provisions equally apply to personal data, as the Telecommunications Regulatory Authority (TRA) designates personal data as secret in the context of individuals.
Section 1.3 of the Policy further defines these classifications based on the potential harm resulting from a breach of confidentiality or uncontrolled disclosure: confidential data is that whose unrestricted disclosure could cause limited harm to individuals, businesses, or the government; sensitive data is that whose disclosure could result in significant harm to these entities; and secret data is that whose disclosure could severely compromise the supreme interests of the State and cause very substantial damage to individuals, businesses, and the government.
Coverage IoT service providers

UNITED ARAB EMIRATES

Since November 2024, entry into force in October 2025

Pillar Cross-border data policies  |  Indicator Participation in trade agreements committing to open cross-border data flows
Australia-UAE Comprehensive Economic Partnership Agreement (CEPA)
In November 2024, the United Arab Emirates signed its first agreement establishing binding obligations to enable cross-border data transfers. The agreement will enter into force in October 2025. Under Art. 12.16 of the Australia–UAE Comprehensive Economic Partnership Agreement (CEPA), the parties acknowledge their respective regulatory frameworks governing electronic information transfers. However, neither party may prohibit or restrict such transfers, including those involving personal data, where necessary for the conduct of business by a covered person. This provision does not preclude the adoption of measures inconsistent with these commitments, provided they pursue a legitimate public policy objective, are not applied in a manner constituting arbitrary or unjustifiable discrimination or a disguised restriction on trade, and do not impose restrictions on information transfers beyond what is necessary to achieve the stated objective.
Coverage Horizontal

UNITED ARAB EMIRATES

Since September 2021, entry into force in January 2022

Pillar Domestic data policies  |  Indicator Framework for data protection
Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data
المرسوم بقانون اتحادي رقم (45) لسنة 2021 بشأن حماية البيانات الشخصية
Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data establishes a comprehensive data protection framework in the United Arab Emirates, overseen by the UAE Data Office. In addition to this federal regime, the Dubai International Financial Centre (DIFC) is governed by DIFC Law No. 5 of 2020, and the Abu Dhabi Global Market (ADGM) is governed by the ADGM Data Protection Regulations 2021. Sector-specific legislation further regulates data handling in banking, telecommunications, and healthcare, including Federal Laws No. 14 of 2018, No. 3 of 2003, and No. 2 of 2019, respectively. Complementing these measures, Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cyber Crimes criminalises unlawful data collection and processing, while Federal Decree-Law No. 33 of 2021 on Employment Relations imposes confidentiality obligations on employees regarding information accessed through their work.
Coverage Horizontal

UNITED ARAB EMIRATES

Since September 2021, entry into force in January 2022

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data
المرسوم بقانون اتحادي رقم (45) لسنة 2021 بشأن حماية البيانات الشخصية
Pursuant to Art. 21 of Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data, where a form of processing involving emerging technologies is likely to pose a significant risk to the privacy and confidentiality of a data subject’s personal information, the data controller is obliged to undertake a data protection impact assessment (DPIA) prior to initiating such processing. Specifically, Art. 21.2 stipulates that the requirement to conduct a DPIA arises in circumstances where: (i) a systematic and comprehensive evaluation of data subjects is carried out through automated processing, including profiling, which produces legal effects or similarly significant consequences for the individuals concerned; or (ii) the processing involves large-scale handling of sensitive personal data.
In addition, in accordance with Arts. 10 and 11, both controllers and processors are required to appoint a data protection officer (DPO) in cases where: (i) the nature of the processing, particularly when employing new technologies or based on the scale of data processed, is likely to result in a high risk to the confidentiality and privacy of personal data; (ii) the processing entails systematic and extensive assessment of sensitive personal data, including profiling and automated decision-making; and/or (iii) the processing involves large-scale operations concerning sensitive personal data. The DPO’s responsibilities include, inter alia, ensuring that the controller or processor complies with the provisions of the legislation and any directives issued by the UAE Data Office. The DPO may be an employee of the controller or processor, or an external individual appointed by the organisation, whether located within or outside the United Arab Emirates.
Coverage Horizontal

UNITED ARAB EMIRATES

Since March 1991, last amended in July 2021
Since June 2021

Pillar Telecom infrastructure & competition  |  Indicator Maximum foreign equity share for investment in the telecommunication sector
Federal Law No. 1 of 24 March 1991 concerning the Emirates Telecommunications Corporation
قانون اتحادي رقم (1) لسنة 1991 في شأن مؤسسة الإمارات للاتصالات

Cabinet Resolution No. 55 of 2021 Determining the List of Activities with a Strategic Impact
قرار مجلس الوزراء رقم (55) لسنة 2021 في شأن تحديد قائمة الأنشطة ذات الأثر الاستراتيجي
Although the United Arab Emirates does not impose a uniform limit on foreign participation in the telecommunications sector, such participation remains subject to specific restrictions. The government limits foreign ownership in publicly listed companies within the sector and applies a screening regime that determines, on a case-by-case basis, the permissible proportion of foreign participation in telecommunications companies. Currently, only two public companies (Etisalat and "du") are licensed to provide public telecommunications services in the United Arab Emirates, and foreign ownership in these companies is effectively absent.
Art. 7 of the Federal Law No. 1 of 24 March 1991 Concerning the Emirates Telecommunications Corporation authorises foreign ownership of up to 49% in the Emirates Telecommunications Corporation (Etisalat), the former incumbent operator. Similarly, since 23 February 2021, non-UAE nationals are permitted to hold up to 49% of the share capital in Emirates Integrated Telecommunications Company ("du").
Moreover, as telecommunications activities are classified as “activities with a strategic impact,” additional restrictions on foreign ownership can be imposed. Pursuant to Art. 3 of the Council of Ministers Resolution No. 55 of 2021, foreign investors seeking to engage in any of the strategic activities listed in Art. 2 must submit a licence application to the competent authority. In the telecommunications sector, the Telecommunications and Digital Government Regulatory Authority (TDRA) is responsible for approving foreign direct investment licence applications and determining the permissible proportion of foreign participation in a company’s capital. The TDRA has reportedly indicated that it is not considering the issuance of new licences at this time.
Coverage Telecommunications sector

UNITED ARAB EMIRATES

Reported in 2022, last reported in 2024

Pillar Telecom infrastructure & competition  |  Indicator Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
The government owns shares in the only two telecom companies licensed to operate in the country. The Emirates Telecommunications Corporation (Etisalat) is 60% owned by the Emirates Investment Authority, while the remaining 40% is held by public shareholders. Similarly, du (Emirates Integrated Telecommunications Company PJSC) is majority controlled by public-sector investors, with approximately 50% owned by the Emirates Investment Authority and around 20% by DH 8 LLC, the investment holding company of the Government of Dubai, while the remaining 30% is held by public shareholders.
Coverage Telecommunications sector

UNITED ARAB EMIRATES

Since December 2011

Pillar Telecom infrastructure & competition  |  Indicator Functional/accounting separation for operators with significant market power
Instructions Cost Accounting, Accounting Separation and LRIC Modelling
It is reported that the United Arab Emirates requires functional and accounting separation for telecommunications operators with significant market power (SMP). While the functional separation requirement has not been found in the legal texts, the accounting separation requirement can be found in the Instructions Cost Accounting, Accounting Separation and LRIC Modelling.
Coverage Telecommunications sector
