Coronavirus Considerations: Use of remote access VPNs in the UAE for legitimate business purposes

As the incidence of COVID-19, the disease caused by the coronavirus, becomes more widespread employers need to assess remote working options.

Having a business–grade virtual private network (or “VPN”) may be essential for any company with remote working employees.  A VPN is a secure way of transporting private data across unknown networks through the use of encryption protocols.

A remote access VPN connection allows individual users to connect to a private network from a remote location using a laptop or desktop computer connected to the internet. Once connected the users can access the secure resource on the private network as if they were directly plugged into the network’s servers.

The UAE’s Telecommunications Regulatory Authority has previously issued a public statement in respect of the use of VPNs confirming that there are no regulations which prevent the use of VPN technology by companies, institutions and banks to access their internal networks through the internet. However, business users can be held accountable, like the users of any other technology, if it has been misused.

The TRA’s statement was issued to address some confusing media reports that the use of VPN is illegal per se in the UAE.  That confusion stems from a provision in Federal Law No. 5 of 2012 on combating information technology crimes (“UAE’s Cyber Crimes Law”) which states:

“Whoever uses a fraudulent computer network protocol address (“IP address”) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than AED 500,000 and not exceeding AED 2,000,000, or either of these two penalties” (Article 9).

VPNs can also be used by an individual to disguise his or her true IP address –  the identifier that allows information to be sent between devices on a network – concealing the person’s location information and their online activity.  While reasons for using a VPN to hide an IP address may well be legitimate, such as for privacy and identity protection, disguising an IP address is also the feature of VPN technology with the most potential for abuse – and using it to perform illegal activities is what Article 9 is directed at preventing and punishing.

Accordingly, the legal position in the UAE is that if the VPN is being used for legitimate purposes (such, as remote working to avoid a pandemic), the use of the VPN itself will not constitute a crime.

However, if you are an employer making remote access VPNs available for your employees in an effort to avoid or minimise business disruption during a potential health crisis, it would still be prudent to make it clear that the VPN is to be used for your company’s legitimate business purposes only.

Key Contact

Andrew Fawcett
Senior Counsel, Technology, Media & Telecommunications
a.fawcett@tamimi.com