In the UAE, few transactions involve buying AI technology itself, but many target companies now use or depend on data analytics and AI tools. Across industries, data and algorithms now underpin operations — and legal risk.

Traditional due diligence checks share capital and contracts. Now buyers must ask: Who owns the data? Can it be used legally? Is it compliant — or a future liability?

1. Personal Data Compliance

The UAE Personal Data Protection Law (Federal Decree-Law 45 of 2021) has applied since 2022, supervised by the UAE Data Office. Executive Regulations are awaited, and enforcement remains limited while the authority becomes fully operational.

When reviewing a target:

• Confirm lawful bases for processing under the PDPL (consent, contractual necessity, or legal obligation). “Legitimate interests” applies only in DIFC and ADGM.
• Review privacy notices and cross-border transfers (destinations, safeguards, consents).

DIFC and ADGM frameworks — the DIFC Data Protection Law No. 5 of 2020 and ADGM Regulations 2021 (amended 2025) — include legitimate interests and stricter breach-reporting rules.

Why it matters: Non-compliant data flows can halt processing or force costly remediation post-closing.

2. IP Ownership

Under the Copyright Law (Federal Decree-Law 38 of 2021), software and databases are protected works.

Check:

• Clear chain of title (employee and contractor assignments).
• No unlicensed or “scraped” content — the UAE has no text-and-data-mining exception.
• Accurate open-source and model-licence inventory (SBOM).

3. Data Provenance

Identify data sources (licensed, public, user-generated, or sensor). Ensure PDPL-compliant collection and verify permissions or ToS for third-party material.

If models use personal data, confirm data-purge / do-not-train policies.

4. Governance and Ethics

While no UAE-wide AI Act exists, assess alignment with Digital Dubai AI Ethics Guidelines, the UAE Council for Artificial Intelligence and Blockchain, and the Abu Dhabi Artificial Intelligence and Advanced Technology Council (AIATC).

Major clients now expect:

• Bias testing and explainability,
• Human oversight, and
• Documented AI-risk assessments.

Strong governance increasingly determines vendor credibility.

5. Sector Regulations

Cross-check sector overlays:

• Central Bank – outsourcing and cloud standards.
• Health Authorities – patient-data rules.
• TDRA – cyber-security and hosting requirements.

Licences and cloud locations must align with regulator expectations.

6. Key-Person Risk

AI systems often depend on small technical teams.

Verify:

• Invention-assignment and confidentiality clauses,
• Access controls to code and repositories, and
• Continuity planning if key staff exit.

7. Rapid Self-Test

1. Can we use the data and models under PDPL/DIFC/ADGM?
2. Can we commercialise outputs without IP or licence breaches?
3. Do we meet UAE AI-ethics expectations?

If not, negotiate indemnities, price adjustments, or remediation covenants.

8. SPA Drafting Points

• Representations on ownership of software, datasets, and models.
• Compliance warranty for PDPL/DIFC/ADGM, with transfer disclosures.
• Indemnity for data or IP breaches found post-closing.
• Seller covenant to assist with compliance updates.
• Condition precedent for pending data-office or regulator filings.

Why This Matters

As of late 2025, data and AI are becoming more mainstream operational assets in the UAE. Boards and investors now ask not only “Is the deal clean?” but “Is the data compliant and defensible?”

Answering that question protects both value and reputation.

Key Takeaway

Few UAE deals buy AI itself — but many target relies on it. Treat data and algorithms as core IP: verify ownership, legality, and compliance before closing.

That diligence turns potential liabilities into protected, valuable assets.

Contact

For further information on AI and data-related risks in UAE transactions, including due diligence considerations and compliance under the PDPL, DIFC, and ADGM data protection regimes, please contact:

Ahmed Hadeed
Email: a.hadeed@hadeedpartners.ae

© Hadeed & Partners 2025