The Crime of Disclosing Secrets under UAE Law

Understanding the legal risk of disclosing secrets in the UAE

In the United Arab Emirates, the law treats the protection of secrets with exceptional seriousness. Whether a person is an employee, a business owner, a professional such as a doctor or a lawyer, or a resident handling personal data or government information, that person may be legally considered to be entrusted with secrets. Disclosing secrets without lawful justification can expose the individual to criminal prosecution, civil liability, employment termination, regulatory sanctions and immigration consequences. According to the Federal Public Prosecution and the competent federal authorities, disclosure of confidential information obtained by virtue of work or profession is a recognised crime under the Federal Decree Law No. 31 of 2021 on the Issuance of the Crimes and Penalties Law, as well as under the federal legislation regulating labour relations, industrial property and personal data protection.

This article explains how the crime of disclosing secrets is treated under current legislation of the United Arab Emirates. It focuses on practical implications for people living and working in the United Arab Emirates. It highlights who is considered to be entrusted with secrets, which types of secrets are protected, which are the main legal texts in force as of April 2026, and which penalties and remedies may follow a breach, including in the context of employment, digital communications and commercial activities.

Legal framework governing disclosing secrets in the UAE

The principal starting point for understanding the unlawful disclosure of secrets is Federal Law by Decree No. 31 of 2021 Promulgating the Crimes and Penalties Law, which entered into force on 02 January 2022 and remains active, as amended. This law contains specific provisions on the protection of secrets, including state secrets, professional secrets and secrets obtained by virtue of employment. The principal criminal provisions are Article 432, which criminalises disclosure or use of a secret entrusted by reason of profession, craft, situation or art, and Article 434, which criminalises wrongful copying, distribution or provision of calls, letters, information or data accessed by virtue of profession. Article 431 concerns private and family life, and Article 433 concerns letters, telegrams and telephone conversations. Article 435 does not regulate disclosure of secrets.

In parallel, several sectoral laws reinforce the duty not to disclose secrets and must be read together with the Crimes and Penalties Law:

  • Federal Decree Law No. 33 of 2021 Regulating Labour Relations, as amended most recently by Federal Decree Law No. 9 of 2024, together with its executive regulations, imposes on every worker a statutory duty to maintain the confidentiality of information and data accessed through work and not to disclose work secrets. These obligations apply across the private sector and free zones that follow the federal labour regime, and they operate irrespective of whether the employment contract expressly repeats them.
  • Federal Decree Law No. 45 of 2021 Regarding the Protection of Personal Data establishes a comprehensive framework to secure the confidentiality of personal data and to prevent its unauthorised disclosure or processing. It regulates the roles and obligations of data controllers and data processors and creates a general requirement for a lawful basis for any processing or disclosure of personal data.
  • Federal Decree Law No. 34 of 2021 on Countering Rumours and Cybercrimes, as amended, criminalises unlawful disclosure, publication or misuse of data and information through information technology systems. In particular, Article 45 criminalises disclosure of confidential information obtained at or because of work, job or profession through information technology equipment without authorization or lawful permission. This law operates in parallel with the Crimes and Penalties Law where secrets are disclosed by means of digital or electronic channels.
  • Federal Law No. 11 of 2021 on the Regulation and Protection of Industrial Property Rights protects undisclosed information and trade secrets and treats unauthorised disclosure, use or possession of such information as an infringement of industrial property rights. It provides a statutory basis for both civil and, in appropriate cases, criminal consequences where trade secrets are misused.
  • Specific federal and local legislation concerning state security, defence information and electronic security, including emirate level laws on information security and electronic security, refers back to the Crimes and Penalties Law and to the cybercrime framework for offences involving disclosure of security related data or classified information.

These instruments operate cumulatively, so that a single act of disclosing secrets can, in practice, trigger criminal responsibility under the Crimes and Penalties Law, liability under the cybercrime provisions, as well as employment and civil liability under the labour and commercial statutes. The legal treatment is holistic and focuses on both the status of the person entrusted with the information and the nature and consequences of the disclosure.

Who is considered entrusted with secrets

Under the laws of the United Arab Emirates, a person does not need to sign a formal confidentiality agreement in order to be considered entrusted with secrets. The status arises whenever a person, by virtue of work, position, profession or mandate, gains access to information that is not intended for public disclosure and that is recognised as confidential by its nature or by the surrounding circumstances.

According to the Crimes and Penalties Law and the official guidance issued by the Federal Public Prosecution, the following categories are typically treated as entrusted with secrets in the legal sense:

  • Employees in the private sector, including staff who access client lists, pricing strategies, technical processes, internal policies, financial data, human resources records or any type of trade secrets by virtue of their job functions and system access rights.
  • Public officials and persons in charge of a public service, who are subject to aggravated liability if they disclose information obtained in the course of their duties, especially information concerning state security, ongoing investigations, internal deliberations or confidential records of public bodies and government owned entities.
  • Professionals bound by professional secrecy, such as doctors, pharmacists, lawyers, auditors, notaries, financial advisers and other regulated professionals who obtain sensitive personal, financial or commercial data in the course of providing professional services on the basis of trust and confidentiality.
  • Contractors and consultants, including information technology providers, outsourcing companies and independent consultants, where performance of the contract gives them access to confidential information, data sets, systems or security protocols that are not available to the general public.
  • Directors, partners and shareholders with access to information that is not available to the public and that could be used to harm the company or benefit a competitor if disclosed, such as strategic plans, merger negotiations, internal investigations or confidential financial and operational information.

Federal Decree Law No. 33 of 2021, as amended, reinforces this position by expressly stating that every worker must maintain the confidentiality of information and data accessed by virtue of work, must not disclose trade secrets, and must return all confidential material, documents and tools at the end of service. This statutory obligation applies regardless of nationality across employment relationships governed by the federal labour regime. Under the current law, employment contracts are concluded for a definite renewable term, and the confidentiality obligation is not dependent on whether the contract has been renewed or impliedly extended.

Residents should therefore understand that if they receive internal information through employment, consultancy or other assignment, they will almost always be treated in law as entrusted with secrets, even if they were never formally told that the information is confidential or even if the documents do not carry a “confidential” marking.

Types of secrets protected under UAE law

The law of the United Arab Emirates protects a wide spectrum of secrets. The seriousness of the crime and the level of penalty depend on the nature of the information, the position of the person disclosing it and the consequences of the disclosure.

State and security secrets
The highest level of protection is reserved for state defence and security secrets, covered by provisions in the Crimes and Penalties Law and in specialised state security legislation. These include military, political, economic, industrial, scientific and security information relating to the defence and strategic interests of the state, as well as any information classified as secret or confidential by the competent authorities. Unauthorised disclosure of such information, especially during wartime, during a state of emergency or in a manner that endangers national security, may attract very severe penalties, including long term imprisonment and, in extreme cases, the death penalty. The law focuses not only on actual harm but also on the inherent risk created by disclosing sensitive state information to unauthorised persons.

Professional and work secrets
Provisions in Federal Decree Law No. 31 of 2021 specifically address the disclosure of professional and work related secrets. These provisions typically criminalise disclosure by any person who becomes aware of a secret in a professional capacity or due to employment and who reveals it without legal justification or without permission from the concerned party or competent authority. The offence is considered in most cases to be a “formal” crime, meaning that criminal liability arises once disclosure occurs in breach of duty, even if no material loss is proven, provided that the offender knew, or should reasonably have known, that the information was confidential and obtained by virtue of position or work.

Examples include:

  • Disclosing a patient’s medical history, diagnosis or test results without consent, except where the law requires or authorises reporting for public health protection, insurance regulation, or law enforcement purposes.
  • Sharing client financial data, internal audit findings, regulatory inspection results or confidential legal advice with third parties who are not authorised to receive such information.
  • Forwarding internal company emails, strategy documents, incident reports, security protocols or customer databases to an external person or to a personal device or cloud service without proper authorisation.

Trade secrets and undisclosed commercial information
Federal Law No. 11 of 2021 on the Regulation and Protection of Industrial Property Rights dedicates a chapter to undisclosed information. It considers disclosure, acquisition or use of such information without the consent of the lawful holder to be an infringement, particularly where it is contrary to honest commercial practices. Undisclosed information can include formulas, methods, processes, designs, business plans, customer lists, technical data, algorithms, prototypes and research and development documentation, provided that the information has commercial value, is not generally known or easily accessible to persons who normally deal with that type of information, and is subject to reasonable measures of secrecy by its lawful holder.

Unauthorised acquisition of trade secrets through industrial espionage, inducement of employees to breach confidentiality, or technical intrusion into information systems can therefore give rise to both civil liability and, where the conduct also meets the criteria in the Crimes and Penalties Law or the cybercrime law, criminal liability.

Personal data and privacy
Federal Decree Law No. 45 of 2021 Regarding the Protection of Personal Data protects the confidentiality of personal information relating to identified or identifiable individuals. It regulates how personal data may be collected, processed, stored and transferred, and prohibits disclosure or processing without a legitimate legal basis. Lawful bases may include the consent of the data subject, compliance with a legal obligation, protection of vital interests, performance of a contract, or pursuit of legitimate interests that do not conflict with the rights of the data subject.

Unauthorised disclosure of personal data, especially sensitive personal data such as health information, biometric identifiers, criminal records or financial information, may lead to civil liability, contractual liability and, where applicable, sector-specific regulatory consequences. Administrative penalties under Federal Decree-Law No. 45 of 2021 should only be referred to by citation to the specific implementing instruments in force. In serious cases, the same conduct may also attract criminal liability under the Crimes and Penalties Law and under the cybercrime framework where the disclosure occurs through an information technology system or digital platform.

Digital and electronic secrets
In the digital context, Federal Decree Law No. 34 of 2021 on Combatting Rumours and Cybercrimes penalises unauthorised access, copying, disclosure or misuse of data obtained through information technology systems, websites, networks, electronic platforms or applications. Publishing confidential information, internal documents, images, audio or video recordings without permission on social media, messaging platforms or other online channels can therefore qualify both as a traditional disclosure of secrets and as a cybercrime offence.

The competent authorities have repeatedly warned that circulating unauthorised images, videos, internal reports or security related information on social media, especially in relation to accidents, criminal incidents, judicial proceedings or security operations, may result in significant fines and terms of imprisonment. A claimed informational or awareness purpose does not, by itself, provide lawful justification for disclosure. Liability depends on the statutory elements of the relevant offence, including the absence of lawful authority or consent and, where the applicable provision requires it, the relevant mental element.

Penalties for disclosing secrets under UAE law

The penalty for disclosing secrets depends on the applicable legal provision, the nature and sensitivity of the information disclosed, the role of the offender and the consequences of the act.

Criminal penalties under the Crimes and Penalties Law
Under Federal Decree Law No. 31 of 2021 on the Issuance of the Crimes and Penalties Law, the unauthorised disclosure of professional or work related secrets by a person entrusted with such secrets can result in imprisonment and fines. Depending on the specific article applied and any aggravating factors, penalties may include:

  • Imprisonment, which can range from short term detention to several years of imprisonment, taking into account whether the disclosure is simple or repeated, whether it is committed by a public official or a person in charge of a public service, whether it is committed for personal gain or for the benefit of a third party, and whether it causes substantial harm to state interests, to the employer or to individuals.
  • Fines, which can be significant where the disclosure is linked to misuse of information technology, breach of public service duties, damage to national security or serious harm to the financial or reputational interests of the victim.
  • Aggravated penalties where the disclosure concerns defence or state security secrets, is committed during wartime or a state of emergency, or is intended to benefit a foreign state, a foreign entity or a hostile organisation, or to damage the political, military or economic position of the state.

The law does not always require proof of actual damage as a condition for criminal liability. In many cases, the mere act of disclosing secrets, with knowledge that the information was confidential and obtained by virtue of work, profession, position or mandate, is sufficient. However, the extent of actual or potential damage can be taken into account by the court when determining the appropriate sentence within the statutory limits.

Penalties under labour and employment law
Under Federal Decree Law No. 33 of 2021 Regulating Labour Relations, as amended by Federal Decree Law No. 9 of 2024, and its executive regulations, disclosing employer secrets constitutes a serious breach of the employment contract and of the statutory duties of the worker. The law obliges the worker to maintain confidentiality and to refrain from disclosing work secrets. It also allows the employer to terminate employment without notice where the worker discloses work secrets that result in serious loss or create a real risk of loss to the employer’s legitimate interests, including industrial property rights and intellectual property rights.

Consequences for the employee may include:

  • Immediate dismissal without notice and without payment in lieu of notice where the statutory conditions for summary termination are satisfied.
  • End-of-service gratuity is not automatically forfeited merely because the worker is summarily dismissed. Any separate claim for damages, set-off or other financial consequence must rest on an express legal or contractual basis and, where disputed, on the determination of the competent court.
  • Practical difficulties in obtaining new work permits or approvals where there is a final judgment confirming serious misconduct, particularly where the conduct has an element of dishonesty or breach of trust.
  • The filing of a parallel criminal complaint for disclosure of secrets under the Crimes and Penalties Law or the cybercrime law, particularly where there is evidence of intentional harm, financial gain, or benefit to a competitor, or where trade secrets and personal data are involved.

The Ministry of Human Resources and Emiratisation and the courts of the United Arab Emirates will consider the specific facts, the contractual wording, the internal policies of the employer and the proportionality of the consequences when determining whether summary dismissal was lawful in a given case.

Civil liability and damages
Beyond criminal sanctions and employment measures, a person who discloses secrets may face civil claims for damages. Employers, business partners or individuals whose secrets were disclosed can file civil lawsuits for compensation under the provisions of the Civil Transactions Law and under specialised statutes. Civil liability can be based on:

  • General rules of liability for wrongful acts causing damage, which require proof of fault, damage and a causal link.
  • Specific provisions on breach of contractual obligations, including breach of confidentiality clauses, non-disclosure agreements and contractual non-compete obligations.
  • Industrial property and trade secret provisions that recognise the right to compensation and to injunctive relief where undisclosed information has been misused, disclosed or acquired in a manner contrary to honest commercial practices.

The competent court can order compensation for direct financial loss, for consequential losses that are proven with sufficient certainty, and for moral damages in appropriate cases, for example where disclosure of personal or family secrets causes distress or reputational harm. The court can also order preventive and corrective measures such as orders to cease using or publishing the information, to deliver up or destroy copies of misused data and, where necessary, to publish a correction or apology in an appropriate form.

Sectoral and administrative sanctions
Regulatory authorities, for example in the financial services sector, in the health sector, in telecommunications and in data protection, may also impose administrative measures where professionals or licensed entities unlawfully disclose secrets or fail to implement adequate controls to prevent such disclosure. These measures can include:

  • Written warnings, compliance directives and mandatory remediation programmes.
  • Administrative fines, which in some regulated sectors can be substantial and can be imposed on both institutions and responsible individuals.
  • Suspension, non-renewal or revocation of licences, permits or professional registrations in serious or repeated cases.

These sectoral sanctions can apply alongside criminal and civil liability and form part of a broader supervisory and enforcement approach aimed at ensuring that institutions adopt effective internal policies, training and technical safeguards to prevent unauthorised disclosure of secrets.

Practical situations where residents risk disclosing secrets

For people living and working in the United Arab Emirates, the risk of committing the crime of disclosing secrets frequently arises in everyday situations. Some common scenarios include:

  • Sharing internal documents with friends or family
    Forwarding internal emails, performance reports, customer data, pricing information, security protocols or system screenshots to friends, relatives or personal devices, even with no malicious intention, can amount to disclosing secrets if the information is not public and was obtained through work or a professional assignment. Good faith or lack of financial gain does not eliminate criminal or employment liability where the conduct is intentional.
  • Posting work related content on social media
    Publishing photographs taken inside non public work areas, copies of internal memoranda, images of computer screens, or details of ongoing projects and incidents on social media can violate employer policies and may constitute an offence under the Crimes and Penalties Law and under the cybercrime framework. The risk is higher where the post reveals client data, personal data of colleagues, security arrangements, potential vulnerabilities, or information about incidents, investigations or court cases.
  • Moving to a competitor with data
    Downloading client lists, marketing databases, source code, product roadmaps, technical documentation or research data before resigning and using them in a new job with a competitor may lead to criminal proceedings for disclosing secrets, civil claims for trade secret infringement, and enforcement of post termination non-compete clauses and non-solicitation clauses under the Labour Relations Law and related provisions. Even the mere retention of confidential information after termination, without actual use, can create serious legal exposure.
  • Informal discussions by professionals
    Healthcare professionals, lawyers, auditors, consultants and other regulated professionals must be particularly cautious when discussing cases outside formal professional settings. Even anonymised discussions may risk identification in small communities or in highly specialised industries. Unless a clear legal exception applies, discussing patient details, client strategies, internal investigations or regulatory inquiries in public spaces, in lifts, in restaurants, in taxis or on online forums can be considered disclosing secrets.
  • Handling personal data and digital records
    Employees dealing with customer registration, payment processing, human resources records, compliance files or online platforms must protect personal data, access credentials and internal system architecture. Exporting spreadsheets to personal email, copying data to unapproved cloud services, using unauthorised removable media, or sharing login credentials and authentication tokens can all be treated as unlawful disclosure or misuse of data under both the personal data protection law and the cybercrime provisions.

Residents and professionals should also be aware that ignorance of internal policies, the absence of explicit labels such as “confidential” or the belief that “everyone already knows this” do not prevent liability where the nature of the information and the circumstances clearly indicate that it is a secret obtained through work or professional duty.

How to protect yourself and your organisation from disclosure offences

For individuals and organisations in the United Arab Emirates, preventing the crime of disclosing secrets requires a combination of legal awareness, contractual safeguards, internal procedures, cultural reinforcement and technical controls.

For employees and professionals

  • Understand that any information learned through work or professional engagement which is not clearly and legitimately public may be treated as a secret. When in doubt, the prudent approach is not to disclose it to anyone outside the authorised circle.
  • Review the employment contract, the code of conduct, professional rules and any non-disclosure or non-compete clauses. The statutory duty of confidentiality under Federal Decree Law No. 33 of 2021, as amended, applies even if the contract is silent, but contractual terms may provide additional detail and examples of what the employer considers to be confidential information.
  • Use only approved channels for handling work information. Avoid sending files to personal email accounts, private devices or messaging applications without clear, documented permission and without compliance with the information security policies of the organisation.
  • Refrain from posting or commenting about internal matters of the workplace on social media, even in closed or private groups. Once information is placed online, it can be copied, forwarded, captured by screenshots and circulated beyond the original audience.
  • When leaving a job or ending an assignment, return all devices, documents, data carriers and access cards. Do not retain copies of client files, databases, reports, source code or software. Deleting data only after being confronted or after receiving a legal notice may be interpreted as evidence of bad faith or destruction of evidence.
  • If there is any uncertainty about whether certain information may be shared with a colleague, a client, a regulator or a third party, seek written guidance from the compliance function, the data protection officer or the legal department instead of relying on personal assumptions.

For employers and business owners

  • Implement clear written confidentiality, data protection and information security policies that are consistent with Federal Decree Law No. 31 of 2021 on Crimes and Penalties, Federal Decree Law No. 33 of 2021 on Labour Relations, Federal Decree Law No. 45 of 2021 on Personal Data Protection, Federal Decree Law No. 34 of 2021 on Combatting Rumours and Cybercrimes, and with any applicable sector specific regulations.
  • Include well drafted clauses on confidentiality, ownership of intellectual property, protection of trade secrets and, where appropriate, post termination non-compete and non-solicitation obligations in employment and consultancy contracts. Ensure that such clauses are reasonable in scope, geography and duration and comply with the criteria set out in the Labour Relations Law and its amendments in order to be enforceable before the courts of the United Arab Emirates.
  • Classify information and assets, label confidential documents appropriately, and implement access controls based on the “need to know” principle. Where possible, use technical controls to prevent large, unexplained downloads, mass printing and unauthorised transfers, and to detect anomalous behaviour on information systems.
  • Train employees and contractors on a regular basis about their legal obligations regarding secrets, personal data and cyber security. Training should include practical examples, explanation of potential imprisonment and fines for unauthorised disclosure, and guidance on secure behaviour in both physical and digital environments.
  • Establish and communicate procedures for reporting suspected data leaks, cyber incidents or confidentiality breaches, and respond promptly by securing systems, preserving evidence, notifying affected parties where legally required, and obtaining specialised legal and technical advice.
  • Where a serious disclosure occurs, consider both criminal and civil routes. Employers may file criminal complaints for disclosure of work secrets, cybercrime offences or data protection violations, and at the same time pursue civil claims for damages, temporary injunctions, seizure of infringing materials and orders to delete or destroy misused data. Decisions should be taken swiftly and supported by robust internal investigations and documentation.

Seeking professional legal support

Given the breadth and technical nature of the legal framework and the potentially severe consequences of disclosing secrets in the United Arab Emirates, individuals and companies facing such issues should seek assistance from experienced law firms based in the jurisdiction. An experienced legal team can:

  • Assess whether specific conduct qualifies as criminal disclosure of secrets, as a violation of cybercrime provisions, as a civil breach of confidentiality, or as a combination of these, taking into account the most recent amendments to the relevant laws and judicial practice.
  • Advise on internal investigations, digital forensics, evidence collection and immediate steps to contain and mitigate damage after a suspected leak or cyber incident, including communication with regulators and affected individuals where required.
  • Draft and review employment contracts, consultancy agreements, non-disclosure agreements, non-compete clauses, data processing agreements and internal policies to align them with Federal Decree Law No. 31 of 2021, Federal Decree Law No. 33 of 2021 as amended, Federal Decree Law No. 45 of 2021, Federal Decree Law No. 34 of 2021 and the laws regulating industrial property and trade secrets.
  • Represent employers, institutions or affected individuals before the Ministry of Human Resources and Emiratisation, sector regulators, the data protection authority when operational, the public prosecution and the courts of the United Arab Emirates, and assist in negotiating settlements or remedial undertakings where this is in the best interests of the client.

For residents and businesses in the United Arab Emirates, understanding that being entrusted with secrets carries serious legal responsibilities is essential. Respecting confidentiality obligations, adopting sound governance and information handling practices and obtaining timely legal advice when needed will significantly reduce the risk of criminal, civil and regulatory exposure related to the crime of disclosing secrets under the law of the United Arab Emirates.

For any queries or services regarding legal matters in the UAE, you can contact us at (+971) 4 3298711, or send us an email at proconsult@uaeahead.com, or reach out to us via our Contact Form Page and our dedicated legal team will be happy to assist you. Also visit our website https://uaeahead.com

Article by ProConsult Advocates & Legal Consultants, the Leading Dubai Law Firm providing full legal services & legal representation in UAE courts.
