UAE amends the law on use of VPNs

Recently, the use of virtual private networks (VPNs) in the UAE has received a lot of press and social media attention. VPNs allow internet users to connect to a private network online, providing them with privacy and also hiding their physical location. VPNs are widely used in the UAE to access websites and applications that are blocked by the UAE Telecommunications Regulatory Authority (TRA) and to allow access to video and voice calling applications such as Whatsapp, Viber, Skype and other VoIP services.

The recent interest in VPNs follows a government announcement of Federal Law No. (12) of 2016, which amends Federal Decree-Law No. (5) of 2012 on Combatting Cyber Crimes. The amended law states that “A punishment of temporary imprisonment and a fine of not less than five hundred thousand Dirhams and not more than two million Dirhams, or either of these two penalties, shall be imposed on whoever uses a fraudulent Virtual Private Network address by using a false address or a third-party address or by any other means for the purpose of committing a crime or preventing its discovery”.

The impact of the amended law has been overstated in the press. The same offence has existed since 2012 but under the amended law the potential fines have been increased from AED150,000 (USD40,000) to AED500,000 (USD136,000) at the lower end of the offence and from AED500,000 (USD136,000) to AED2 million (USD545,000) at the higher end.  This increase in potential liability has attracted a lot of speculation on how the amended law might be enforced.

Enforcement against companies

Following announcement of the amended law, the TRA moved quickly to ease concerns over the use of VPNs by companies. It issued a statement clarifying that companies, institutions and banks are free to lawfully use VPNs to gain access to internal networks through the internet. As the TRA statement makes clear, the new law does not cut across the commitment of the UAE leadership to continue investing internet applications and IT as a key element of the country's smart transformation (including smart cities, big data, IoT and building a knowledge-based economy).

However, the TRA's statement also emphasised that business users can be held accountable if a VPN is misused. Companies that use VPNs legitimately in the UAE should therefore consider updating their internal employee IT policies to prohibit illegal use of VPNs.

Enforcement against individuals

In the amended law, what constitutes a misuse of a VPN has not changed. It is unlawful to use a VPN fraudulently for the purpose of committing a crime or preventing its discovery. The law therefore targets those who misuse the service to conduct activities that are inconsistent with the UAE’s laws.

The issue for assessing risks related to individual use (and use by employees of a company VPN) is what amounts to a crime? This has not been clarified by the TRA in the context of the amended law. On a very strict definition of UAE laws, accessing blocked services or websites, which can only be done with a VPN or proxy, could be considered fraudulent use to commit a (cyber) crime. If that is the case, any use of a VPN to access a VoIP service or a video-steaming site blocked by the TRA, would be punishable under the law.