Home

Web scraping legality in the UAE with data protection laws and cybercrime regulations

Legality of Web Scraping and Data Collection in the United Arab Emirates

Web scraping — the automated extraction of data from websites — is not explicitly regulated as a standalone offence under UAE law. Its legality depends primarily on the nature of the data scraped, the method used, whether the data is publicly available without restrictions, and compliance with relevant federal laws, including the Federal Decree-Law No. 34 of 2021 on Countering Rumors and CybercrimesCybercrimes Law”, the Federal Decree-Law No. 45 of 2021 on the Protection of Personal DataPDPL”, the Federal Decree-Law No. 38 of 2021 on the Copyright and Neighboring Rights “Copyright Law”, and general principles from the UAE Constitution and Civil Code.

UAE law distinguishes between different categories of data and imposes strict protections on sensitive or restricted information. Scraping publicly available, non-protected data generally does not trigger criminal liability, provided no harm is caused and no access controls are bypassed. However, civil risks (such as claims for unjust enrichment or breach of terms of service) may still arise, and best practices require caution to avoid unintended violations.

Categories of Protected Data Under UAE Law

UAE legislation, particularly the Cybercrimes Law, categorizes data and information as follows:

  1. Government Data Electronic data or information belonging to or pertaining to government entities that is not made available to the public. Unauthorized acquisition, copying, or dissemination of such data constitutes a crime under Article 7 of the Cybercrimes Law, with significant penalties including imprisonment and fines.
  2. Personal Data and Information Data relating to natural persons that concerns their private lives, personal identities, or that could directly or indirectly reveal a person’s identity. Unauthorized handling (acquisition, copying, dissemination, etc.) is prohibited under Articles 6 and 13 of the Cybercrimes Law. The PDPL further regulates the processing of personal data, generally requiring consent or another valid legal basis, though publicly available personal data made public by the data subject may qualify for certain exceptions.
  3. Confidential Information and Data Any information or data that is not permitted to be accessed or disclosed to third parties without prior permission from the person authorized to grant it. Violations fall under Articles 8 and 45 of the Cybercrimes Law.
  4. Data Related to Commercial or Economic Establishments This includes organized or unorganized collections of data, facts, concepts, etc., in various forms. A “commercial or economic establishment” refers to any entity holding a license from a competent UAE authority. Unauthorized acquisition, possession, modification, copying, or dissemination of confidential data belonging to such establishments is criminalized under Article 8 of the Cybercrimes Law, carrying penalties of temporary imprisonment (at least 5 years) and fines ranging from AED 500,000 to AED 3,000,000.

Is Scraping Publicly Available Data a Crime?

Under the fundamental principle enshrined in Article 27 of the UAE Constitution (and reflected in the principle of “no punishment without law”), no act may be punished unless it is expressly prohibited by law at the time it is committed.

Categories of protected data under UAE law including government, personal, confidential, and commercial data in web scraping
Overview of protected data categories under UAE Cybercrimes Law and data protection regulations

Scraping publicly available data that is:

  • The type of data is not protected by any law,
  • Not personal or confidential,
  • Accessible without bypassing any login, paywall, or technical access controls (e.g., no special permission required), and
  • Not belonging to a protected UAE-licensed commercial establishment in a confidential capacity,

is generally not a criminal offence under the Cybercrimes Law. No specific provision criminalizes the mere automated collection of openly accessible, non-protected information.

Analysis of Article 8 of the Cybercrimes Law

Article 8 punishes the unauthorized acquisition, possession, modification, destruction, revelation, copying, dissemination, or re-dissemination of confidential data or information pertaining to any financial, commercial, or economic establishment using information technology.

For this article to apply:

  • The data must be confidential (i.e., not permitted to be accessed or disclosed without permission).
  • The establishment must typically qualify as a UAE-licensed commercial or economic entity.

Publicly available data on websites does not meet the definition of “confidential.” Additionally, if the targeted entity lacks a UAE license or the scraped data is not owned or controlled by a UAE-licensed branch in a way that grants them standing, Article 8 is unlikely to apply. Separate legal entities (e.g., a local LLC versus a parent company) generally have distinct legal personalities under UAE law e.g. scraping data from a main server outside the UAE which have an LLC in the UAE.

Risk of Causing Harm to Servers (Denial of Service or Overload)

The classic scraping works by automating sending multiple requests to download the data, those requests may damage the server e.g., if its old or if the requests are too aggressive. 

The Cybercrimes Law (notably provisions related to Article 4) penalizes the willful causing of harm, destruction, interruption, or disruption to websites, information systems, or networks. Penalties include imprisonment and/or substantial fines.

  • Without intention: If scraping uses standard tools and reasonable rates (e.g., with delays, user-agent identification, and respect for robots.txt where applicable), and the server is modern and capable of handling normal traffic, accidental overload is unlikely to be deemed “willful.” Courts generally require proof of intent for such offences.
  • Precautions recommended: Implement polite scraping practices (rate limiting, caching where possible, avoiding peak hours) to minimize any risk of perceived harm.

If harm occurs unintentionally, a criminal case may still be filed, but a strong defence can argue lack of intent, often leading to dismissal or favourable resolution with proper legal representation.

Scraping and Using Public Images or Photographs

UAE law (including the Copyright and Neighbouring Rights Law, Federal Decree-Law No. 38 of 2021, and privacy provisions in the Cybercrimes Law and Penal Code) protects certain images as follows:

  • Creative or unpublished images (copyright protection).
  • Images containing personal identifiers (e.g., faces combined with contact details, licence plates) that could reveal identity.
  • Images from private life that have not been made public.

Publicly available images:

  • Photographs of public places, architecture, or events generally do not attract criminal liability when scraped or reused if they do not infringe privacy or copyright in a protected manner.
  • UAE courts have held in precedents (e.g., involving public social media posts by public figures) that once an image is posted publicly for an audience, the owner waives certain privacy protections for criminal purposes. Civil compensation may still be possible but is often limited (e.g., calculated based on lost advertising value, resulting in modest awards).

Publishing or reusing such images should still respect any applicable copyright in the creative work itself and avoid commercial use that could trigger civil claims.

Potential Civil Liability

Even where no criminal offence exists, a targeted entity could pursue a civil claim, commonly under principles of unjust enrichment (Article 318 of the UAE Civil Code: “No person may take the property of another without lawful cause, and if he takes it he must return it”).

To succeed in such a claim, the plaintiff must typically prove:

  • The scraper obtained a benefit (e.g., increased wealth or value from the data).
  • The benefit came at the plaintiff’s expense.
  • A direct link between the act and the alleged enrichment.
  • No lawful cause for the benefit.

UAE courts tend to award only direct, proven losses in such cases and exclude indirect or reputational damages. Awards are often modest. The claiming party must usually be the entity with ownership or rights over the database.

Additional civil risks may arise from breach of website terms of service (if enforceable as a contract), though enforcement depends on jurisdiction and notice.

To mitigate reputational risks from any judgment, parties may request confidential hearings where permitted.

Infographic explaining UAE cybercrime law on data scraping and legal vs illegal practices
Overview of legal and prohibited data scraping practices under UAE Cybercrime Law

Key Recommendations and Best Practices

  • Avoid protected data: Never scrape government, personal (unless lawfully public and compliant with PDPL), or confidential information.
  • Respect technical measures: Do not bypass access controls, CAPTCHAs, or robots.txt in ways that suggest bad faith.
  • Use ethical scraping: Rate-limit requests, identify your bot, and cache data where possible to avoid server strain.
  • Seek specific advice: Legality is highly fact-specific. Consult a qualified UAE lawyer for tailored assessment, especially for commercial projects involving large-scale scraping or AI training.
  • Compliance with PDPL: If any personal data is involved, ensure a valid legal basis for processing.

In summary, scraping non-protected, publicly accessible data without causing harm or bypassing controls is generally permissible under UAE law and does not violate the principle of legality. However, civil exposure and practical risks remain, and all activities should prioritize compliance, proportionality, and respect for server integrity.

This overview is for general informational purposes and does not constitute legal advice. UAE laws evolve, and specific circumstances require professional legal consultation.

Prepared by Abdulrahman Al Nabhan