All insights Data & IP

Binance and the DOJ: what happens to your UAE account data?

UAE · data protection
Photo: FlyD / Unsplash

Binance's insistence that it has not scaled back cooperation with US law enforcement raises a sharper question for its UAE customers: what legal basis, if any, allows a Dubai- or Abu Dhabi-based exchange to hand personal and transaction data to a foreign prosecutor, and what can an affected customer actually do about it.

The question clients are asking

The Binance–DOJ story is being read in the market as a compliance-posture story. For UAE-based customers and their counsel, it is a data protection story. VARA-licensed and onshore-regulated virtual asset service providers (VASPs) hold know-your-customer files, transaction histories and device metadata on UAE residents. When a foreign law enforcement agency requests that data — whether via a grand jury subpoena, an MLAT channel, or informal cooperation under a deferred prosecution or monitorship arrangement — the immediate practical question is: can they lawfully send it, and do I have a remedy if they do?

The starting point: consent buried in the terms of service

Most VASPs' customer agreements contain broad disclosure clauses permitting sharing of personal data with regulators, law enforcement and affiliates worldwide, often framed as necessary for AML/CFT compliance. Customers who onboarded through a UAE entity or a UAE-facing platform will typically have accepted these terms as a condition of account opening. That contractual consent is the first line of defence a VASP will rely on, and it is broad enough that most routine law enforcement requests will fall within it without triggering a breach.

Where UAE data protection law actually bites

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the PDPL) applies onshore across the UAE and imposes conditions on processing and cross-border transfer of personal data, including a general requirement that transfers to jurisdictions without adequate protection be justified by one of a limited set of grounds — consent, contractual necessity, or a legitimate interest properly balanced against the individual's rights. A blanket contractual consent clause does not automatically satisfy this: the PDPL requires that consent be specific, informed and given for a defined purpose, and regulators applying it have increasingly scrutinised standard-form disclosures buried in lengthy terms of service.

DIFC-registered entities sit under a separate but analogous regime — the DIFC Data Protection Law — which imposes its own cross-border transfer restrictions and requires an adequacy finding, appropriate safeguards, or a specific derogation before data leaves the DIFC. If a VASP's data processing runs through a DIFC entity or a DIFC-hosted cloud infrastructure, this is the operative framework, not the onshore PDPL.

A subpoena compels the recipient in its own jurisdiction — it does not, by itself, override the data protection obligations a UAE-regulated VASP owes its customers here.

The VARA overlay

Separately from data protection law, VARA's rulebook imposes confidentiality and record-keeping obligations on licensed VASPs, including controls on who may access customer information and for what purpose. A VASP disclosing bulk customer data to a foreign agency outside a formal mutual legal assistance channel risks a VARA compliance breach independent of any PDPL exposure, particularly if the disclosure was not proportionate to a specific, identified request.

What a UAE customer can actually do

  • Request disclosure. Under the PDPL, individuals have a right to be informed about processing of their data, including transfers abroad. A formal request to the VASP asking whether their data has been shared with a foreign authority, and on what legal basis, is the first practical step.
  • Complain to the regulator. The UAE's federal data protection authority (established under the PDPL) and, for DIFC entities, the DIFC Commissioner of Data Protection, both accept individual complaints and can investigate whether a transfer met the statutory threshold.
  • Assess contractual remedies. If the VASP's own terms of service misrepresented its data-sharing practices, a breach of contract claim may run alongside the regulatory complaint, particularly where financial loss followed from the disclosure (for example, account freezes triggered by a foreign agency's action).
  • Distinguish formal from informal cooperation. A subpoena served on Binance's US entity compels that entity in its own jurisdiction. It does not, without more, compel a UAE-licensed affiliate to hand over data held onshore — that generally requires a formal mutual legal assistance request routed through the UAE's designated central authority, or voluntary cooperation that itself must satisfy PDPL and VARA requirements.

Practical takeaway

Clients holding significant crypto positions through UAE-facing platforms should ask their provider, in writing, what legal basis it relies on for any cross-border data disclosure and whether that basis has been tested against the PDPL's specific-consent standard — not merely inferred from a sign-up click.

Key instruments: Federal Decree-Law No. 45 of 2021 (UAE Personal Data Protection Law); DIFC Data Protection Law No. 5 of 2020; VARA Rulebooks (confidentiality and compliance provisions). This is general information, not legal advice.

Have a matter to discuss?

If a regulatory change or a dispute is on your desk, let's talk it through — confidentially and without obligation.

Get in touch