Federal Decree-Law No. 31 of 2021 on Cybercrimes: Deepfake Law, Most Important Provisions, and Sanctions

1. Overview

Deepfake creation and sharing are some of the numerous cybercrimes that, as a rule, are unlawful under the UAE Cybercrimes Law (Federal Decree-Law No. 31 of 2021). The new law will protect individuals and organizations from internet threats such as defamation, invasion of privacy in the media, and deceit through AI-created content.

2. Scope of the Law

The Cybercrimes Law addresses fraud, defamation, and privacy invasion crimes that can be committed with deepfake technology. It addresses the creation and circulation of manipulated content such as audio and video recordings. The provisions in the law address AI-generated content used for the purposes of misleading people or companies, though deepfakes are not directly addressed by the law. When the content is clearly labeled as satire or parody, an exemption can be provided.

3. Material Provisions

• Defamation (Section 425) – Criminalizing defamation of an individual with the introduction of technology such as deepfakes.
• Fraud (Section 451) – Obtaining an advantage by fraud, modus operandi of adopting ChatGPT deepfakes to commit fraud will be criminalized.
• Invasion of Privacy (Section 40) – Includes a person’s right to privacy and safeguards the person against technology-supported invasions of privacy, including the making or circulation of deepfake without permission.
• Computer Fraud (Section 40) – A fraud with all types of deepfake for the use in deception by way of technology.
• Vicarious Corporate Offense (Section 58) – Liable for the offense of manipulation of the corporate bodies with deepfake technology, as equally responsible are the corporate bodies and the entire top management.

4. Fines & Enforcement

• Defamation: First by way of imprisonment for a term of at least one year, and also a fine between AED 250,000 and AED 500,000
• Fraud and Breaching privacy: At least one year of imprisonment and AED 250,000 to AED 1 million in fine. Encompasses at least 6 months’ imprisonment and a fine between AED 150,000 and AED 500,000 for invasion of privacy.
• Corporate Holder: Payment of the fines and the possible suspension of the negligent facilities.
• Enforcement by the Telecommunications and Digital Government Regulatory Authority (TDRA).

5. High-Profile Cases

There have been no such cases of deepfakes reported by the UAE Cyber Security Council, which issued warnings regarding the potential threat posed by deepfakes. The warnings point toward the likelihood of fraud, intrusion into privacy, and damage to reputation resulting from abuse of deepfakes.

6. Comparison with Global Standards

UAE’s reaction to deepfakes is characteristic of international practice in that recourse is made to existing law in an effort to address the issue posed by content produced by artificial intelligence. Similar to the rest of the world, a keen emphasis in the UAE is placed on the need for regulatory frameworks that will be able to keep up with technology in an effort to safeguard individuals and entities against cyberattacks.

7. Implications

In creating or sharing digital content, individuals and entities in the UAE should be mindful of not infringing on the rights of others or defrauding them. Offences under deepfakes can be prosecuted in local or TDRA courts. Damages recovery is outlined in the UAE Civil Transactions Law as a relief in a court case.

8. Future Outlook

As this technology is developed further, maybe more specific legislation for the particular problems of deepfake technology is needed. Such problems could be organizational and individual digital well-being, so the UAE legal system can similarly, over several future years, need to make changes to accommodate such new technologies and the concomitant risks of them being misused.