Artificial Intelligence (AI) has emerged as an area of interest with more social and economic benefits expectations of expectations. The UAE is at the heart of the AI revolution, becoming a global tech advocate and innovator to transform various sectors, including enhancing national security. However, amidst this increased technological advancement, the UAE has faced many issues related to personal data breaches. Investigations have revealed that the problem has been attributed to the lapse or absence of effective and comprehensive or unified data protection law in the UAE. Therefore, as the country opts for strengthening national security by applying AI, it poses a threat both to the country’s and residents’ data until the technology is fully adopted in all the spheres of the UAE. Even though secured and protected by technological advances, the information is still vulnerable to experts in the field of hacking. In other words, the data nowadays depend solely on technology and its effective performance, but if the system fails unexpectedly, the chances of data breach occurrence soar drastically.
However, local and sector-specific laws have data privacy, protection, and security provisions that serve the purpose in different specific areas; their application may not be effective in the absence of a reliable data protection regulatory authority. Therefore, the current policy paper examines data breaches in the UAE caused by a lack of comprehensive or unified data protection laws and the increased dependency on information on the performance of technology and AI, specifically. Consequently, the analysis can help in recognizing the impact of AI and underdeveloped data protection laws to evaluate the limits of the current legal system and how they can be eliminated to reach national security.
Context of the Policy Problem
The past few years have seen an intensified interest in Artificial Intelligence (AI) research as a complex field emerging from computer science. In 1955, John McCarthy and colleague researchers defined AI as making a machine behave intelligently like human beings (Azar and Haddad 2021). Multiple sub-disciplines of AI include robotics, machine inference, natural language processing, and statistical machine learning. As advances continue in various subfields of AI, more expectations of bringing great social and economic benefits with communications, space exploration, and science already benefiting (Wamba et al. 2019). As a result, multiple nations globally strive to formulate and implement AI-friendly policies to facilitate the easier adoption of AI applications in various sectors. The United Arab Emirates is at the heart of the AI revolution and has already become a global tech advocate and innovator (Shamout and Ali 2021). The country established its first Ministry of Artificial Intelligence in October 2017 to transform various sectors, including enhancing national security.
AI has an enormous potential impact on the country’s national security, hence battling for leadership in the field. In 2018, the International Exhibition for National Security and Resilience Abu Dhabi demonstrated how AI had revolutionized national security in line with UAE AI Strategy (Blasch et al. 2019). The revolution has transitioned from traditional physical security and law enforcement to a more transformative and digital future. AI has continued to impact diverse UAE’s national security, including responding to potential threats, big data analytics, predictive policing, patrolling robots, and patterns on crime-fighting (Boban 2016). The latest innovations show that AI is pushing new safety and security applications development in UAE, facilitating crewless patrolling operations. It has also demonstrated a significant impact on cyber and information security by bolstering machine learning capabilities to reduce human-operated tasks and allow efficient and faster data collection and analysis. Still, it should be noted that until AI is applied in all the sectors of the country’s operations, the effectiveness of technology’s performance may not be at its maximum capacity.
UAE leadership has shown commitment to focus on AI while advancing technological innovation to enhance homeland security, including physical and cyber security. UAE applied AI to increase its national security by facing out immigrations officers by 2020 (National Program for Artificial Intelligence 2018). The country has also increasingly integrated AI in its military considering the limited size of its armed forces, the international arms race, and the multiple threats it faces (Azar and Haddad 2021). Therefore, it is evident that AI provides numerous opportunities to increase the national security of the UAE by enhancing the efficiency and effectiveness of security processes (Ghandour and Woodford 2019). However, in the national security context and the powers, UAE intelligence agencies have, using AI could lead to privacy and personal data breaches considering the absence of an adequate data protection policy and incomplete application of technology advances.
The breaches in data security undoubtedly impact residents and national security, considering that crucial information can be leaked. When a typical data breach occurs, personal information such as credit card numbers, social security numbers, and source code is exposed to attackers (Stewart 2015). The violations tend to compromise sensitive individual information that may lead to loss of significant revenue, trust, and diminished reputation. In addition, when data breaches occur, it is a threat to national security, considering that cyberattacks allow extortions, disinformation, and information warfare. The attacks tend to undermine, defraud, and weaken democratic institutions and their operations, exposing the country to security vulnerabilities (Comizio, Dayanim, and Bain 2016). Sometimes, the attackers would breach data protection to impersonate security personnel subjecting the country to threats by sharing crucial security information with enemies, including terrorists.
Ill-gotten data is used to steal unsuspecting people’s identities for terrorists to raise funds to conduct illegal activities efficiently. Access to sensitive information allows the impersonation and blackmailing of federal employees, which leads to the questioning of national security’s effectiveness (Stewart 2015). Therefore, the current policy paper focuses on the personal data breaches experienced amidst the increasing use of AI in the UAE and further vulnerability of information due to the incomplete transition to the new technology in all the country’s sectors. Furthermore, the situation is severely impacted by the lack of effective and comprehensive data protection law in UAE as a policy problem despite the drastic adoption of AI to boost national security.
Definition of the Policy Problem
AI provides the platform for transforming national security technology by establishing reliable operations that seem more secure when it comes to protecting the country’s and its citizens’ data. The safety of personal data should be urgently achieved in order to exclude the possibility of authority’s undermining. In other words, it is evident that hackers opt for larger systems to acquire more crucial information that can threaten leadership and the country’s operations. That is why, when residents’ personal data, such as credit card numbers, social security numbers, and source code is leaked, people will blame the authority for this information’s theft. As a result, the government should prevent personal data breaches, considering that their first and foremost responsibility is to protect the residents.
The technology attempts to achieve this by dealing with data collected from intelligence operations for analysis to offer transformative digital solutions. Therefore, there is a need for data protection for effective security management to ensure that data collected does not get into the wrong hands, including the criminals, which would threaten national security against the intended purpose (National Program for Artificial Intelligence 2018). However, there is a policy gap in data protection which leads to the breach of personal data in applying AI technologies in the UAE, affecting national security. The policy gap is caused by the country’s lack of a comprehensive data protection law at the federal level despite some laws governing privacy and data security (Ghandour and Woodford 2019). Although local and sector-specific laws have data privacy, protection, and security provisions, their application may not be practical without a reliable data protection regulatory authority.
The issue of the personal data breach has attracted significant attention from the global perspective, with stakeholders in the business and security sectors calling for the need to protect data (Allen and Chan 2017). In recent years, the UAE joined other countries in the Middle East and North Africa (MENA) to legislate personal data protection. Though the move was considered encouraging to develop a framework for organizations to safeguard the personal data of individuals, it was not long before the UAE government was accused of misusing data (Shamout and Ali 2021). It has caused challenges for companies in the country to navigate the legal and ethical contradictions which have allowed unlawful and accidental disclosure of data or personal data to be processed without authority (Azar and Haddad 2021). From the report on Gulf Business news, due to the lack of comprehensive or effective personal data protection policy, there is a looming concern of cyber security for companies and institutions operating in the UAE considering their significant reliance on AI (Yaacoub et al. 2020). Among the MENA countries, UAE is ranked at the lowest level about the maturity of the data protection program, which undermines its position not only among the MENA but across the world. The UAE Cyber security survey by KPMG conducted in 2015 revealed the UAE is among the most targeted by cybercriminals, with cyber security becoming a challenge in the country to the extent of threatening the government. The failure to protect data has impacted the ability of the country to ensure optimal national security is achieved.
The breaches in data security threaten the individual and national security of the UAE in many ways. According to Stewart (2015), when data breaches occur, they impact security by creating a conspiracy for attackers to defraud the government through impairment, deceiving, and defeating the lawful government functions. Criminal groups, including terrorists, use the collection of confidential state-owned information to target critical infrastructure to bring the government down (Comizio, Dayanim, and Bain 2016). In situations that involve the theft of individual data for political reasons, such as influencing the voting in any election, it also threatens national security. The access to personal data allows attackers to expose secrets kept by the state where rivalries can use to influence government running, weakening it for more subsequent attacks (Bagdasarova 2015). The most critical individual data involve medical records, banking details, voter records, and shopping preferences from the UAE perspective. Access to these data, especially by foreign cyber attackers, threatens national security. Foreign countries want to control the political elective process of UAE to have influenced the government favoring specific countries considering the country is a hub for oil and gas production.
The UAE has been a cyber-attack target for political motivations that focus on causing damage and destruction in the critical utility and infrastructural sectors. These damages and destructions impair and defeat the ruling regime’s adequate functioning, threatening its ability to facilitate security for citizens. The specific targets for oil and gas and government entities destabilize their operations, setting a weak base for enemies to attack for economic gains (Daley 2017). Furthermore, when private citizens’ information is stolen from various government departments, it is deployed as a weapon against the same government, derailing its functioning. The target of local government agencies for lack of vital resources and technical infrastructure to protect themselves weakens the basis of government function, exposing it to security threats as enemies use lower avenues to access government information to defraud and impair functions.
Purpose of the Policy Paper
The UAE is topping the list of countries that have embraced using AI as a global tech advocate and innovator after becoming the first country to establish the Ministry of Artificial intelligence under the UAE AI Strategy Program. The government has transformed national security by enhancing physical and cyber security using an AI strategic plan (Will 2017). The intelligence and security agencies using AI technology have absolute powers in accessing data to facilitate the country’s security (National Program for Artificial Intelligence 2018). However, even with the national security context and power given to security agencies, there is a lack of adequate and comprehensive data protection law in the UAE to ensure that personal data collected through AI technology is protected and only accessed by authorized groups or people (Hoadley and Lucas 2018). Therefore, the purpose of this policy paper is to investigate the personal data breaches that may occur in the UAE due to the lack of comprehensive and unified data protection law amid AI technological usage increase in the country.
Furthermore, the investigation extends to how this policy gap threatens the stability of national security in the UAE, acknowledging the importance of data in responding to potential threats, big data analytics, predictive policing, patrolling robots, and patterns of crime-fighting. The paper also offers policy options to enhance national security by addressing digital transformation’s current data protection gap. The data protection laws should be enforced to maintain the safety of crucial information that is stored with the help of AI adoption.
This project aims at identifying the impact of AI adoption to strengthen the national security in the UAE on data breaches. Therefore, the theories and principles concerning this situation were studied to draw a reliable conclusion and summarize the recommendation for reducing information leakage. This approach was also developed to match the project’s objective: the threat that the lack of data protection laws poses to the country and citizens.
Therefore, the policy paper applied the qualitative method, which focuses on using words or visual images to analyze the policy problem in the AI application and its effect on national security. The paper considered the qualitative method to find the theoretical perspectives on the circumstances leading to the policy problem exhibited. Therefore, the needed data should be in words or visual images without numbers. Data collected in numbers is not applicable as only the theoretical part is considered for this paper. Based on the purpose of the study, the information needed is provided in various sources, including journals, books, internet sources, and government documents. Thus, the paper relied on secondary data collected from the already existing records on data protection, technological advancements, and national security to recognize the significance of data protection laws’ enforcement due to the AI adoption.
Limitations of Study
The study was limited regarding the modernity of the data needed for analysis. Most of the required information was the most recent to show the currency of the policy problem identified and how it currently affects the UAE. Similarly, much information on AI and its impact on the UAE was based on social and economic fields. Yet, the study was only focused on the security area: personal data breaches and cybersecurity. It caused the challenges of finding the relevant sources to the study as security-related papers were scarce. Those found presented a global perspective rather than focusing on the UAE alone.
Background of the Problem
There has been an increasing pace of adopting technology in Middle East Africa, with the UAE leading among the rest of the countries. The said technology involves AI, cloud migration, and remote-work deployment that have facilitated the government and institutions to operate more efficiently (Ofori-Duodu and Samuel 2019). In the UAE, the implementations of AI have been in numerous sectors, including national security. However, the downside is that the increased adoption and use of AI have made institutions more vulnerable to cyberattacks as personal critical information gets accessed, threatening the efficiency of ensuring security provision (Birnhack 2008). The UAE has increasingly become the target, especially of sophisticated attacks to steal personal data and threaten the country’s position. The attacks have, however, in many cases exposed the secrets of the state as rivalries of age-old geopolitical play out online. Significantly, many UAE-based companies remain also critically vulnerable to various cyber-attacks on the data they preserve. At the same time, they also face another threat of falling foul of the General Data Protection Regulation (GDPR) that recently took effect as per the insurance firm AIG. GDPR requires reporting any form of personal data breach to the authorities by institutions within 72 hours after being aware.
Attacks against individual data have continued to gain momentum in the UAE as the country experienced over 2 million phishing attacks in 2020 alone. These attacks have been particularly concerning emails being exposed to more damaging incidents, including ransomware attacks. In the UAE, personal data breaches are costly, with that damage averaging about $4 million, according to Ponemon Institute and IBM Security (Chandra, Sharma, and Liaqat 2019). Thus, the UAE that has been embroiled in geopolitical conflicts for years has continued to witness a rise in cyberattacks as rivalries move into the digital realm and open up the remote work of new targets for attackers. In 2018, the country experienced two severe data breaches, leading to “14 million records being compromised” (Chandra, Sharma, and Liaqat 2019). The two breaches recorded include at the Dubai-based ride-hailing platform Careem, while another happened in an airline.
The data breaches reported involved names and the trip details in South Asia, North Africa, and the Middle East, where the UAE was part of the incident. The additional report indicated that the UAE’s Telecommunications Regulations Authority (TRA) recorded about 274 cyber attacks (Schwab and Poujol 2018). These attacks, according to TRA, targeted government, semi-government, and private sector institutions, including airlines, in 2018, threatening the country’s security. According to Chandra, Sharma, and Liaqat (2019), despite a considerable reduction in the number of information security incidents, the data breaches continue to become faster and more extensive. Therefore, the UAE is ranked high in cyber-attack exposure even as measures are taken to minimize these cases to a considerably lower level.
The rise in technological transformation, including AI use in the UAE and the many incidences of personal data breaches, have pressured authorities in the country to regulate data privacy. However, despite these efforts, the central policy problem that has been identified in this paper is the UAE currently lacks a comprehensive federal data privacy and protection law (Will 2017). It means that the country does not have a dedicated data protection regulatory authority that has allowed attackers to access data collected through AI technologies by government and other entities, causing data breaches (Rubinstein, Nojeim, and Lee 2014). In other words, since the data protection laws are not established, access to AI information is not regulated. Consequently, the government’s members can use their power and authority to access the residents’ personal data for their own benefit. In addition, it may happen with the aim of blackmailing the UAE or undermining its position on the international market, which may severely harm other sectors of the country.
Similarly, under the Federal Law of UAE, there is no mandatory requirement to report data security breaches. Based on this problem, the country only has some distinct local laws and specific sectors containing some provisions related to data protection, privacy, and security. The provisions of data privacy and safety in UAE only apply to institutions established in onshore UAE and those in free zones not governed by specific data privacy laws (Aboul Enein 2017). Thus, the existence of these selective restrictive data protection policies could have significantly hindered the achievement of the comprehensive federal law that could deal with personal data breaches in the UAE. Therefore, the country’s data protection laws are not highly developed compared to other jurisdictions. That is why it seems apparent that the UAE has not yet imposed laws concerning specific or all-inclusive privacy.
The Problem within Its Current Policy Environment
The UAE does not have specific regulations for data protection as a whole, though the constitution guarantees the freedom of communication and its secrecy. However, some data protection laws are specific-sector based, such as the Health Data Law and those specific to economic free trade zones (Global System for Mobile Communications 2019). Several provisions and articles exist in other federal laws regarding privacy and data protection. The federal laws in the UAE also have strengthened the right for privacy and security of data under penal and civil codes where individuals can take civil actions; in many cases, they are subjected to personal data breaches.
Some penal code provisions administer the data protection and issues that relate to privacy. According to Chandra, Sharma, and Liaqat (2019), the law that focuses on providing the data with regulation and protection is “controlled by The UAE Penal Code.” For instance, the institution ensures that people who disclose personal information or publish it online, prejudicing individuals’ privacy, are appropriately penalized. Additionally, the cybercrime law, the telecommunications law, and the regulatory policy on electronic communications all have provisions that support data protection and privacy (Boban 2016). The rules applying to specific areas of ensuring data privacy and safety have been recently validated. The enactment involved the UAE Federal Law 3 of 2013 establishing the National Electronic Security Authority, UAE Federal Law 5 of 2011 to combat Cyber Crime, and the 21 of 2013 Cabinet Resolution on the regulations of IT Security at government parastatals (Global System for Mobile Communications 2019). Thus, considering all these laws in place to protect data and privacy, it can be concluded that at the moment, UAE’s data privacy laws are complex and piecemeal.
Free Zone provides two data protection laws and regulations that govern the processing and control of data. The two laws include the 2020 Data Protection Law for the Dubai International Financial Centre and the 2015 Data Protection Regulations for the Abu Dhabi Global Market (Fatafta and Samaro 2021). The 2015 Data Protection Regulations protects personal data in Abu Dhabi’s Global Market (ADGM) while governing how businesses use data, including data processors and controllers within the ADGM zone. The 2020 Data Protection Law for the Dubai International Financial Centre (DIFC) involves controlling and processing data in the economic free trade zone. Originally, institutions were supposed to follow these regulations by the latest October 2020. In 2019, DIFC updated its 2007 data protection law incorporating GDPR elements and passed amendments to its law in 2018 that included the imposition of stricter requirements for data controllers to facilitate reporting of any data breach while increasing the fine for those who did not comply.
There is no overarching data privacy legislation in place on the federal level in UAE, apart from those governing specific sectors. UAE released Federal Law No. 2, in which it emphasized various concepts, including some of those captured in GDPR. The law requires providers to retain information for not less than 25 years. The UAE also released a regulatory framework for the national Internet of Things (IoT) that emphasized the critical role of purpose limitation, data minimization, and storage limitation. All entities offering IoT services were required to register with the government regardless of their headquartered. According to the EMC Global Data Protection Index, the Data Protection Index Maturity Rank report ranked UAE as scoring lowly when it comes to data protection.
Amidst the push for data privacy legislation in UAE to be in line with other countries, the country is still grappling with many concerns. The government of the UAE has failed to respect people’s privacy within its borders. Reuters accused it in early 2019 of conducting a secret program that entailed spying on the dissidents, activists, and journalists in the UAE (Sethu 2020). The spying extended to foreigners, which led to calls for restrictions on how intelligence officials using AI should handle data, especially those employed by foreign nations. The country was also accused of spying on people using the popular messaging app. Though, the government has continued to maintain its stand that is data collection policies have anything nefarious (Bomah 2016). Therefore, within the current policy problem environment, it is indicative that to handle data in UAE needs a delicate balancing act. On compliance, localization and retention are some of the most demanding aspects of UAE laws. The requirements of UAE around security focus on the management of accessibility and the need to ensure restrictions of access to sensitive data to the right people.
The Framework of Analysis
The policy paper focuses on the problem associated with a personal data breach in the UAE attributable to comprehensive or unified data protection laws. Instead, the country experiences local and sector-specific laws that are selective on their application and may not satisfy the countrywide need for policies that protect personal data. The UAE has considered legislating law that would protect data from being accessed by an unauthorized person and misused to threaten the nation’s security. There is, however, a need to have alternative comprehensive law—identifying best policy alternatives or best options for the current problem in the UAE requests to have framework analysis based on various criteria measures. The evaluation criteria for analyzing the best alternative policy options considered time regarding the readiness of the policy for launching, considering that the UAE’s application of AI technologies has increased. The continued absence of adequate comprehensive or unified data protection law exposes to risks the data of many people and those in-store and used by the government for security purposes (Vermeulen and Lievens 2017). Thus, time was considered a significant criterion for determining the best alternative policy options to ensure the new law is applicable as soon as possible.
The cost of formulating the new data protection law was considered within the framework analysis regarding the expenses incurred in developing and implementing the same policy. The policy should be less costly in formulation and implementation when considering contracting and getting the personnel involved in the entire process. The drive for invention was also a consideration as a criterion for evaluation. On innovation, the policy should impact startups, patents, and projects such that it gives new and advanced insight into various applications to make the outcome much better.
Questions were asked where the new policy option would inspire the new generation to make its application more favorable to all the groups to limit the risk of misusing personal data. All the policies considered for implementation to address the gap identified would be run by the government, including their management and execution. Significantly, the policy would apply by both the public and private hence their partnership was critical. Thus, time, cost, drive for innovation, and generational inspirations were the aspects considered for evaluating the policy options, forming the basis for framework analysis.
Evaluation of Policy Alternatives
An analysis based on the defined framework is conducted to evaluate the policy alternatives. The focus of the policy problem is based on personal data breaches in AI technological applications threatening national security due to the lack of comprehensive data protection law in the UAE (Sethu 2020). Therefore, an evaluation is based on two major policy options; the first is to introduce, formulate, and implement an entirely new federal data protection law that comprehensively covers the entire UAE, including the public and private sectors (Mawgoud et al. 2019). The second option involves improving on the already existing local, sector-specific, and federal laws to capture the interests of the entire country and give it the ability to protect data from a more federal perspective that assures data security within the territories of the UAE.
The first policy alternative involves the complete drafting of a comprehensive data law as a milestone towards the total protection of data. However, this option is costly and time-consuming considering the long and involved processes that entail various aspects (Vermeulen and Lievens 2017). The increased length of time in enacting this law is because the drafting is to be conducted in partnership with major technology companies. The collaboration ensures that every individual is empowered to control how people’s data is used, stored, and shared for privacy protection (Organization for Economic Co-operation and Development 2019). It is also intended to limit entities in front of using personal data without consent for other benefits. The considered policy alternative also is an agent to drive innovation as a criterion identified in the evaluation requirement due to the new data in the oil that is expected to grow into big data.
As a government, UAE has to consider new ways to protect such data through the acknowledgment that for economic prosperity, businesses require data, a vital thing. Therefore, these policy options allow the country to find a middle ground without compromising data protection and privacy or interfering with the national security or companies that rely on the same information for survival or providing services to the people. The new data protection law would give the principal the rights, including the owner of the data, to access the data as stored and only use such information with full consent to ensure that it is not used for the wrong purpose apart from the intended course.
UAE has maintained its concerted effort at the innovation and development forefront, requiring that any new policy alternative to be considered should drive innovation. The UAE Minister for AI indicated that the new comprehensive or unified data protection law is based on considering all data laws on the planet (Bomah 2016). As a result, it would allow all the companies, including the patents and startups set up in the UAE, to transition smoothly because it avoids most of the pitfalls existing in other data laws currently operating in the country. The undertaking of this policy option would be considered a remarkable step in inspiring the government to protect personal data that would ensure the country’s security. The public and private sectors will significantly get inspired by the policy alternative towards protecting individual data to be used only for the intended purpose.
There are various advantages attached to this first-ever comprehensive data privacy and protection law in UAE. It provides the right of access, the right of correction, the right to be forgotten, and the right to get information already part of the DIFC, ADGM, and EU GDPR laws that provide data protection (Bomah 2016). Similarly, this new policy alternative offers the provisions for a new regulator of national data privacy. At the same time, restrictions on cross-border data flow are minimal while referring to restricted or sensitive data. Once enacted, the law would serve a good purpose in protecting data transfers from regulated jurisdictions, including ADGM and DIFC.
The second option involves a revision of the existing local, sector-specific, cybercrime, and federal laws to capture the entire country’s interests for improvement. The laws gain the ability to protect data from a more federal perspective that assures data security within the territories of the UAE (Younies and Na 2020). The reforms in data protection law about the existing laws involve changes in the ADGM with the plans to update the law in DIFC to make them applicable in many different sectors across UAE rather than specific sectors alone. The option gives an extension whereby almost all the sectors in UAE that deal with personal data or those using AI would be subjected to legal requirements all the time.
The significant consideration regarding the second policy alternative will involve extending the existing cybersecurity laws and regulations. The extension will include the introduction of new cybersecurity standards, all forms of cybercrime, and mandating that all the government’s dealers are certified (Duan, Edwards, and Dwivedi 2019). Strategically, it would be critical to bolster the critical infrastructure security across the various sectors of the government, including ICT, energy, and finance. The initiative is to ensure that there is an extension of the data protection laws not only in specific sectors and local areas but also across the government areas of operation (Imranuddin 2017). Consideration needs to be given to extending sanctions against cybercriminals and having legislation based on the latest technologies and standards, considering that cybercrime has become increasingly harmful and more widespread. The decision to revise and improve these existing laws is to increase the inclusiveness of all UAE’s sectors to have personal data protected even in the absence of comprehensive data protection law.
There are various advantages associated with this second alternative, considering that it intends to extend the scope of protection. There is little cost and the short time required because the basics of the subject already exist, and only areas of weaknesses or those that need improvement are examined. The cons of this alternative are the high level of rigidity which limits the drive for innovation considering that the basic structure of the law cannot change (Al Neaimi, Ranginyam, and Lutaaya 2015). The new institutions in the government and private sector are likely to lose the inspiration of data protection as some of the laws, even if modified, may only favor specific sectors.
Conclusion and Recommendations
Synthesis of the Major Findings
This is a policy paper that intends to identify a policy gap in AI in the UAE that could affect the national security in the country. An investigation conducted through a qualitative method identified personal data breaches as a critical problem in the UAE, which is contributed by the lack of comprehensive or united data protection law despite the increasing usage of AI. Some significant findings show that UAE has significantly implemented AI in different sectors, including national security. However, the country is vulnerable to losing personal data or being used for the wrong purpose, primarily due to age-old geopolitical rivalries that play out online. The main reason for this vulnerability is the lack of a unified law that protects individual data collected through technologies, including AI. Though there is no comprehensive federal data protection law, conclude that the country enjoys local regulations, specific sector laws, cybercrime laws, and some UAE federal laws that apply only in certain situations and areas. Thus, some regions or sectors that may be significant at the national level are left out to breach on their use of data.
Set of Policy Recommendations
- The investigation on the policy problem in UAE identifies the breach of data as a significant problem in its jurisdiction, threatening its security. Therefore, it is recommended that consideration be given to ensure that data future policy adoption considers comprehensive data protection centered around national security more than the government’s economic interests and private companies.
- There is a need to have a data protection authority robust with powers and mechanisms to enforce the protection of data so that it is only used for the intended purpose without getting into the wrong hands. Besides powers, the authority needs to be equipped with expertise and resources to monitor, investigate, and sanction individuals or groups misusing data.
- There is also a need to avoid exemptions of protecting broad data and privacy limitations to enhance national security. It ensures that national security agencies do not operate on the pretext of safeguarding the country when secretly operating without oversight. They may be an avenue for some officers to access data and misuse it.
- When collecting personal data, controllers should inform the affected people on time to limit suspicion and easiness of accessing the same data without consent.
The personal data breach is a serious issue that has affected the UAE and the world, especially in the MENA countries that have continued embracing technology. The primary concern is the absence of a comprehensive data law that would have helped deal with the data breaches that continue to affect the UAE. Though the government is focusing on legislating some laws that would assure data protection, there is a need to have some speed to minimize more damages and continuous threats to the country’s security.
Sameh, Aboul Enein. 2017. “Cybersecurity Challenges in the Middle East – International Security Sector Advisory Team (ISSAT).” International Security Sector Advisory Team (ISSAT). Web.
Al Neaimi, Abdulla, Tago Ranginya, and Philip Lutaaya. 2015. “A Framework for Effectiveness of Cyber Security Defenses, a Case of the United Arab Emirates (UAE).” International Journal of Cyber-Security and Digital Forensics 4 (1): 290–301.
Allen, Greg, and Taniel Chan. 2017. “Artificial Intelligence and National Security.” Cambridge, MA: Belfer Center for Science and International Affairs.
Azar, Elie, and Anthony N. Haddad. 2021. “Artificial Intelligence in the Gulf Challenges and Opportunities.”
Bagdasarova, Susanna. 2015. “Brave New World: Challenges in International Cybersecurity Strategy and the Need for Centr Ategy and the Need for Centralized Governance Ernance.” Dickinson Law Review 119(4).
Birnhack, Michael D. 2008. “The EU Data Protection Directive: An engine of a global regime.” Computer Law & Security Review 24 (6): 508-520.
Blasch, Erik, James Sung, Tao Nguyen, Chandra P. Daniel, and Alisa P. Mason. 2019. “Artificial intelligence strategies for national security and safety standards.”
Boban, Marija. 2016. “ePrivacy and new European Data Protection Regime.” Economic and Social Development: Book of Proceedings: 152.
Bomah, Kelvin. 2016. “Information Security and Data Protection: An Overview of Dubai (UAE).” Legal, Ethical & Social Issues in Computing.
Chandra, Geetanjali Ramesh, Bhoopesh Kumar Sharma, and Iman Ali Liaqat. 2019. “UAE’s strategy towards most cyber resilient nation.” International Journal of Innovative Technology and Exploring Engineering (IJITEE) 8(12): 2803-2809.
Comizio, V.G., Dayanim, B. and Bain, L., 2016. “Cybersecurity as a global concern in need of global solutions: an overview of financial regulatory developments in 2015.” Journal of Investment Compliance.
Daley, J., 2017. “Insecure software is eating the world: promoting cybersecurity in an age of ubiquitous software-embedded systems.” Stanford Technology Law Review, 19(3).
Duan, Yanqing, John S. Edwards, and Yogesh K. Dwivedi. 2019. “Artificial intelligence for decision making in the era of Big Data–evolution, challenges and research agenda.” International Journal of Information Management 48: 63-71.
Fatafta, Marwa, and Dima Samaro. 2021. “Exposed and exploited: data protection in the Middle East and North Africa.”
Ghandour, Ahmad, and Brendon J. Woodford. 2019. “Ethical Issues in Artificial Intelligence in UAE.” International Arab Conference on Information Technology (ACIT): 262-266.
Global System for Mobile Communications. 2019. “Data Privacy Frameworks in MENA Emerging approaches and common principles 2019.”
Hoadley, Daniel S., and Nathan J. Lucas 2018. “Artificial intelligence and national security.”
Imranuddin, Mohammed. 2017. “A Study of Cyber Laws in the United Arab Emirates.” Rochester Institute of Technology.
Mawgoud, Ahmed A., Mohamed Hamed N. Taha, Nour Eldeen M. Khalifa, and Mohamed Loey. 2019. “Cyber security risks in MENA region: threats, challenges and countermeasures.” International Conference on Advanced Intelligent Systems and Informatics:912-921.
National Program for Artificial Intelligence. 2018. “UAE National Strategy For Artificial Intelligence 2031”.
Organization for Economic Co-operation and Development. 2019. Enhancing Access to and Sharing of Data Reconciling Risks and Benefits for Data Re-use Across Societies. OECD Publishing.
Ofori-Duodu, and Michael Samuel. 2019. “Exploring Data Security Management Strategies for Preventing Data Breaches.” Walden University.
Rubinstein, Ira S., Gregory T. Nojeim, and Ronald D. Lee. 2014. “Systematic government access to personal data: a comparative analysis.” International Data Privacy Law 4(2): 96-119.
Schwab, Wolfgang, and Mathieu Poujol. 2018. “The state of industrial cybersecurity 2018.” Trend Study Kaspersky Reports 33.
Sethu, Sagee Geetha. 2020. “Legal Protection for Data Security: A Comparative Analysis of the Laws and Regulations of European Union, US, India and UAE.” In 2020 11th International Conference on Computing, Communication and Networking Technologies (ICCCNT):1-5.
Shamout, Farah E., and Dana Abu Ali. 2021. “The strategic pursuit of artificial intelligence in the United Arab Emirates.” Communications of the ACM 64(4): 57-58.
Stewart, Jonas. 2015. ”Strong Artificial Intelligence and National Security: Operational and Strategic Implications.” Naval War College Newport Ri Joint Military Operations Dept.
Vermeulen, Gert, and Eva Lievens. 2017. ”Data protection and privacy under pressure: transatlantic tensions, EU surveillance, and big data.” Maklu.
Wamba, Samuel Fosso, Ransome Epie Bawack, and Kevin Daniel André Carillo. 2019. “The State of Artificial Intelligence Research in the Context of National Security: Bibliometric Analysis and Research Agenda.” In Conference on e-Business, e-Services and e-Society: 255-266. Springer, Cham.
Will, Tim. 2017. “Is Dubai the city a new city should be? The Dubai International Financial Centre as an example for Free Zones within Dubai.”
Yaacoub, Jean-Paul, Hassan Noura, Ola Salman, and Ali Chehab. 2020. “Security analysis of drones systems: Attacks, limitations, and recommendations.” Internet of Things 11: 100218.
Younies, Hassan, and Tareq Na. 2020. “Effect of cybercrime laws on protecting citizens and businesses in the United Arab Emirates (UAE).” Journal of Financial Crime.