When Datacentres Come Under Attack: Data Privacy Obligations

Recent reporting has flagged war missiles targeting commercial datacentres in the UAE. The headlines have focused on the geopolitical dimension — escalating regional tensions, state-sponsored cyber operations, and the vulnerability of critical digital infrastructure. But behind the geopolitics lies an equally urgent and underappreciated question: what happens to data protection obligations when the infrastructure holding personal data becomes a theatre of conflict?
The UAE’s Data Protection Framework
The UAE has invested heavily in building a modern data protection framework. The Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), which came into force on 2 January 2022, is the country’s first comprehensive federal data protection law. Modelled in part on the EU General Data Protection Regulation (GDPR) but tailored to the UAE’s regulatory landscape, the PDPL applies to all entities processing personal data within the UAE and extends extraterritorially to foreign businesses that process the data of UAE residents. The UAE Data Office serves as the federal data regulator. It is responsible for policy development, compliance oversight, and issuing guidance on implementing the PDPL.
Alongside the federal PDPL, sector-specific and free zone regimes add further layers of obligation. The Dubai International Financial Centre operates under DIFC Data Protection Law No. 5 of 2020, which is closely aligned with the GDPR and introduces mandatory documented adequacy assessments for transfers, a private right of action for data subjects before the DIFC Courts, and increased administrative fines. The Abu Dhabi Global Market applies its own ADGM Data Protection Regulations 2021. Health data is governed separately under Federal Law No. 2 of 2019 on the Use of Information and Communication Technology in Healthcare. Banking and credit data fall under Central Bank regulations. The result is a layered and fragmented regulatory architecture, within which organisations must identify which regime or regimes govern their processing activities.
When a Datacentre is Compromised
When a commercial datacentre is compromised, the downstream legal consequences are immediate. Organisations must assess whether personal data has been affected, whether breach notification obligations have been triggered, and whether their contractual duties to customers and partners remain intact.
Under the PDPL, a data breach is defined as any unauthorised or unlawful access to personal data, including replication, transmission, distribution, disclosure, destruction or processing that leads to divulgence to third parties. The accountability principle embedded in the PDPL requires organisations to demonstrate, proactively, that they have taken appropriate technical and organisational measures to protect personal data. Those measures include encryption, pseudonymisation, implementation of systems guaranteeing long-term data integrity and availability, and the ability to restore timely access to data following technical failure or other incidents.
Data Localisation Policy
Data localisation requirements have been a cornerstone of the UAE’s digital sovereignty strategy. Under the PDPL and sector-specific legislation, certain categories of data must remain within UAE borders. Banking data must be stored onshore and any transfer abroad is subject to Central Bank approval and the data subject’s explicit consent. Health records are subject to localisation requirements under Federal Law No. 2 of 2019. IoT data relating to government institutions and critical infrastructure must remain within the UAE at all times. Non-compliance with localisation obligations carries serious consequences — including financial penalties, suspension of business licences, and in certain cases criminal liability.
The principle underpinning localisation is sound: keep sensitive data subject to domestic law and beyond the reach of foreign jurisdictions. What the policy did not fully anticipate is a scenario where the threat comes not from a foreign jurisdiction seeking to access data through legal process, but from a hostile actor seeking to compromise the infrastructure itself.
This creates a structural tension. Localisation concentrates data within a defined geography. When that geography becomes a target, concentration becomes vulnerability. Organisations that have built their compliance posture around localisation as a risk-mitigation strategy are now discovering that regulatory compliance and operational security do not always point in the same direction.
Data Migration Dilemma: Cross-Border Data Transfer Rules
In response to these developments, a growing number of businesses are quietly reviewing their infrastructure arrangements. Multi-cloud architectures, distributed data environments, and sovereign cloud partnerships are all being explored as ways to reduce single-point-of-failure exposure. The logic is straightforward: if a single datacentre or cluster of facilities presents a concentrated target, distributing data reduces the impact of any single compromise.
The legal complexity, however, does not simplify along with the architecture. Moving data outside the UAE — even partially, even temporarily, even for resilience purposes — engages cross-border data transfer rules that require careful navigation. Depending on the sector, a transfer may require regulatory approval, an adequacy assessment, or specific contractual safeguards. Doing this reactively, under pressure, and without proper legal structuring creates its own category of compliance risk. Businesses that migrate first and document later will find themselves exposed on two fronts: the original security incident and the regulatory consequences of an improperly managed transfer.
Accountability
Controllers and processors must demonstrate that they have embedded data protection into their technical and organisational infrastructure. In the context of infrastructure threats, this means conducting thorough due diligence on datacentre providers; ensuring data processing agreements contain clearly allocated responsibilities for security incidents and breach notification; maintaining incident response plans that address state-sponsored scenarios and not just conventional cyberattacks; and ensuring legal and compliance functions are integral to infrastructure decisions — not consulted after the fact.
Organisations should also maintain Records of Processing Activities, conduct Data Protection Impact Assessments where processing poses elevated risk, and appoint a Data Protection Officer where the scale or sensitivity of processing warrants it. Where sector-specific localisation rules apply — in banking, healthcare, or critical infrastructure — any contingency planning for data distribution must be structured with regulatory approval pathways identified in advance, not improvised under pressure.
The Broader Legal Principle
What is happening in the UAE is not an isolated incident. It is an early and visible example of a global shift in which commercial digital infrastructure is increasingly treated as a legitimate target in state-level conflicts. The legal frameworks governing data protection, privacy, and digital sovereignty were designed for a different environment — one in which the primary concerns were commercial data misuse, cross-border enforcement gaps, and regulatory arbitrage.
Those frameworks now need to reckon with a world in which a commercial datacentre in Abu Dhabi or Dubai can become, without warning, the site of an act of asymmetric warfare. The law has not kept pace with this reality. Force majeure clauses are untested against cyber warfare. Localisation requirements were not designed with kinetic infrastructure risk in mind. Executive Regulations that would clarify transfer rules remain outstanding.
Businesses need to act now — reviewing their infrastructure posture, testing their contractual arrangements, mapping their regulatory obligations across every regime in which they operate, and building legal resilience into their security strategy rather than treating it as an afterthought.



