AI hiring law in the UAE: no Act, but plenty of rules

There is no UAE AI Act. That is not the same as no rules.

I get asked this question at every coffee in Dubai. "Lokesh, the EU has an AI Act, the Americans are arguing about state laws, what does the UAE do?" The honest answer is that there is no horizontal AI law in force in the UAE that regulates how private-sector recruiters use AI. There is the National AI Strategy 2031, which is direction and ambition, not a binding obligation on employers. There is no PDPL Article that targets recruitment AI specifically. There is no DCWP-style bias audit requirement. There is no Annex III of high-risk uses.

What there is, when you sit down and read the laws that already exist, is a clear set of obligations that catch AI hiring even though they were not written about AI. The UAE has moved fast on technology adoption and slow on technology-specific regulation. That gap is real, and it is a competitive advantage for agencies that operate properly inside it.

This post is what I would tell a friend running a Dubai agency. The laws that actually apply to you when you use AI for screening or sourcing. The free zones where the rules are stricter. And the extraterritorial laws from other countries that follow your placements even when your office is in JLT.

The laws that already apply to you

Federal Decree-Law No. 33 of 2021, the UAE Labour Law, governs the employment relationship in the private sector. Its anti-discrimination provisions apply to AI-driven decisions the same way they apply to human ones. If your AI sourcing tool systematically filters out a protected category, the fact that the filtering was done by software is no defence. The obligation sits on the employer and, in practice, on the agency advising the employer.

Federal Decree-Law No. 45 of 2021, the Personal Data Protection Law, is the data layer. The PDPL applies to the processing of personal data, in whole or in part through electronic systems, inside or outside the country. AI systems that process candidate data, including CV parsers, matching engines, scoring tools, and outreach personalisation engines, are processing personal data within the meaning of the PDPL. Consent or another lawful basis is required. The candidate has rights of access, correction, and objection. None of these obligations are new because of AI; the AI just makes them more visible.

If you operate in DIFC, the picture is sharper. DIFC Data Protection Law No. 5 of 2020 includes specific provisions on automated individual decision-making, including profiling. DIFC's regime is closer to the EU GDPR than to the federal PDPL. If your agency is a DIFC entity, or you process data subjects who are inside DIFC, the DIFC DP Law applies. Most agencies in Dubai do not realise they may have a foot inside DIFC's data perimeter through how their CRM or sourcing tools are hosted.

ADGM has its own Data Protection Regulations, which similarly draw heavily on GDPR. If you operate or transact in ADGM, those apply too. Three regimes within one country. Federal PDPL is the floor. DIFC and ADGM are the ceilings.

The government uses AI on candidates too

From 1 May 2026, every new work permit application in the UAE is evaluated by an AI and robotics platform jointly run by the Federal Authority for Identity, Citizenship, Customs and Port Security (ICP) and the Ministry of Human Resources and Emiratisation (MoHRE). The platform scores applications against live labour-market data, generates an eligibility score within seconds, and flags cases that need human review.

This is not a law that regulates you. It is the government using AI on the candidates you are placing. The MoHRE platform changes processing time for qualifying applications from the old 5-to-10 business day baseline to near-instant approval where the file matches the auto-approval criteria. For agencies, that is a workflow change. Placements that used to wait two weeks for a permit decision now resolve in hours when the AI auto-approves, and take longer when the AI flags a case for human review.

The practical implication is that your placement timeline planning needs to account for two outcomes per application: auto-approval (fast) and human-review queue (slower than before, because the human queue now contains the cases the AI flagged). Agencies that have not updated their client-facing SLAs to reflect this are quietly under-promising on the wins and over-promising on the misses.

The extraterritorial laws that follow you

Even with no UAE AI Act, you are not in a regulatory bubble. The EU AI Act has extraterritorial reach. A Dubai agency sourcing for a German client is caught by the EU regime the moment the AI output is used in the EU. The same logic catches you if you place into Korea (the AI Basic Act applies), into Ontario (the disclosure rule applies for the posting), or into NYC (Local Law 144 applies to NYC-resident candidates).

This is the same trap that caught Dubai agencies five years ago with GDPR. Most of them thought it did not apply because they were not in Europe. It did. We covered the principle in our GDPR guide. The AI Act regimes worldwide are following the same extraterritorial logic. If your placements touch a regulated jurisdiction, the rules of that jurisdiction follow the placement.

For a Dubai agency with a typical GCC plus UK plus continental Europe client book, that means you are realistically subject to a stack of foreign rules even though the UAE itself has not legislated on AI yet. The full picture across every jurisdiction is in the parent guide.

What I see Dubai agencies getting wrong

Assuming "no AI Act" means "no rules". The federal PDPL, the DIFC DP Law, the ADGM regulations, the UAE Labour Law and the extraterritorial laws of every market you place into all apply. The absence of a Dubai-specific AI Act is not a permission slip.

Forgetting the free zones. Agencies registered in mainland Dubai often treat free zone data rules as someone else's problem. They are not. If your candidate works in DIFC, or your client has a DIFC entity, or your data is hosted on infrastructure within the DIFC perimeter, the DIFC DP Law catches you. Same with ADGM.

Ignoring the WPS and MOHRE knock-on. The UAE's new AI work permit screening will reshape your placement timeline data. The agencies that win the next two years will be the ones who understand which roles auto-approve and which fall to the human queue. The agencies that lose will be the ones still quoting old timelines. The UAE compliance side of this is covered in our WPS and MOHRE guide.

Marketing AI features without honest disclosure. "AI-powered recruitment" on your homepage is fine. Using AI to screen candidates without telling them is the kind of behaviour that creates problems even where it is not yet illegal. The reputational cost in a market as connected as Dubai is high. Be the agency that tells candidates what is happening.

What I am telling our customers

The UAE will eventually publish more AI-specific regulation. The National AI Strategy 2031 is explicit about that ambition. The honest question is not "if" but "when and how prescriptive". My read is that the UAE's regulatory style is going to favour principles-based guidance from existing regulators rather than a horizontal Act, similar to the UK position. That means the PDPL, the federal Labour Law, and DIFC and ADGM regimes will get sharper as they encounter more AI cases.

For now, the lack of a dedicated AI Act is a window. Use it to get your house in order before specific obligations arrive. The agencies that already do bias monitoring, candidate disclosure, and proper data retention will adapt to any future Act overnight. The agencies that have done none of it will scramble.

The AI features inside Recruitly, including matching, parsing, and outreach personalisation, are documented on the AI product page. We publish what each feature does so agencies can include it in their candidate disclosures without having to reverse-engineer the tool.

What to do this quarter

Audit your AI stack against the PDPL. Every tool that processes candidate data needs a lawful basis. Document it. Most agencies are using "legitimate interest" by default; that is fine, but write it down.

Check your free zone exposure. If you work in DIFC or ADGM, or if your data sits inside one, the DP regime there is stricter than the federal PDPL. Get a clear answer on which regime your operations fall under. Your hosting provider can usually tell you in five minutes.

Update your placement timelines. The MoHRE AI screening changed the shape of work permit approvals from May 2026. If your client SLAs were drafted before that, they are out of date.

Add AI disclosure to your candidate-facing process. The UAE will not require it today. Half your candidates will value it anyway. Free trust-building costs nothing, and the agencies that get ahead of an obligation always have an easier time when the obligation finally arrives.

If there is one thing I have learned running Recruitly from Dubai for the last few years, it is that the UAE moves quickly when it decides to move. The absence of an AI Act today is a snapshot, not a permanent state. Get the basics right and you will be ready for whatever shape the eventual rules take.