Middle East Voice AI Regulations 2026: UAE, Saudi Arabia, Israel, and the GCC
Last updated on June 22, 2026
The Middle East is where Western voice-AI assumptions break. In the US a one-party recording is routine; across the Gulf, recording a call without every participant’s consent is a criminal offence punishable by jail, not a privacy fine. The “ship the data to our US cloud” reflex collides with hard data-localisation rules. The voiceprint feature you toggle on freely in Europe can require a regulator’s permit before processing in Oman or Egypt. And the EU’s “tell callers they are talking to AI” rule has only one black-letter equivalent in the whole region: a single Dubai free zone.
This guide maps the region for founders deploying voice agents: the UAE (three separate regimes in one country), Saudi Arabia (the largest and most actively enforced market), Israel (the most GDPR-aligned, with a recording twist), and the wider GCC plus Egypt and Jordan. It is the companion to the EU/EEA guide, the non-EU Europe guide, and the US founder’s guide.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Several penalty bands and effective dates below are drawn from law-firm summaries of laws published in Arabic; verify against official gazetted texts and local counsel before relying on exact figures, and note that several regimes only entered active enforcement in 2026.
How to read this guide: the four traps and the disclosure gap
There is no shared “floor” here the way the EU AI Act and GDPR cover Europe. Each country, and in the UAE each free zone, is its own regime. What unifies the region is a set of traps a US or EU founder underestimates:
- Recording is a crime, not a fine. Across the Gulf, recording without all-party consent triggers the penal or cybercrime code, with imprisonment and inadmissible recordings. Build an explicit consent gate into the call opening everywhere.
- Data localisation and transfer controls are real. Saudi Arabia restricts storing or transferring personal data abroad; the UAE mandates localisation for banking and health data; Oman and Egypt require regulator approval to transfer. The EU “standard contractual clauses and you are fine” reflex does not hold.
- A voiceprint is often a permit, not a checkbox. In Oman, Bahrain, Egypt, ADGM, and the Qatar free zone, processing biometric data needs advance regulator authorisation. The feature that powers voice authentication is a regulated activity to clear before launch.
- Deepfake consent and watermarking are becoming the norm. Saudi Arabia’s Deepfakes Guidelines already expect explicit consent for any cloned voice plus tamper-resistant watermarks.
The disclosure gap: no country here mandates an affirmative “you are speaking to an AI” disclosure in its general data law, except the DIFC free zone, whose Regulation 10 effectively requires it. The one other affirmative rule is sector-specific: Qatar’s central-bank AI Guideline expects financial firms to tell customers when they interact with an AI system. Everywhere else, transparency flows from general data-protection duties. And one functional requirement runs through the region: Arabic is not one language. Modern Standard Arabic, Gulf, Levantine, and Egyptian dialects, gender registers, and Sharia-compliance signalling in Islamic finance are operational necessities, not nice-to-haves.
The reference table
| Country | Data law + regulator | Recording consent | Voiceprint / biometric gate | Localisation / transfer |
|---|---|---|---|---|
| UAE (federal) | PDPL (Decree-Law 45/2021), UAE Data Office | All-party, criminal (Penal Code Art. 378 + Cybercrime Law) | Sensitive data; heightened rules pending regs | Banking and health localised; transfers need safeguards |
| UAE (DIFC) | DP Law No. 5/2020, Commissioner | All-party in practice | Special category; Regulation 10 AI duties | Adequacy or safeguards |
| UAE (ADGM) | DP Regulations 2021, Commissioner | All-party in practice | Special category, explicit consent | Adequacy or safeguards |
| Saudi Arabia | PDPL (M/19 2021), SDAIA / NDMO | All-party, criminal (Anti-Cyber Crime Law) | Sensitive; explicit consent + enhanced controls | Strong localisation; transfers need safeguards |
| Israel | PPL + Amendment 13, PPA | One-party (Wiretapping Law) | “Especially sensitive”; explicit consent | No hard localisation |
| Qatar | PDPPL 13/2016 + QFC regs | All-party, criminal (Penal Code Art. 333) | QFC sensitive; CDP prior permission | State permissive; QFC adequacy |
| Oman | PDPL (RD 6/2022), MTCIT | All-party, criminal | Sensitive; MTCIT permit required | Consent + adequate protection |
| Bahrain | PDPL 30/2018, PDPA | All-party, criminal | PDPA prior authorisation (Art. 15) | Cloud-friendly, no localisation |
| Kuwait | CITRA DPPR (telecom only) | All-party, criminal (Wiretap Law 9/2001) | Not specially named | Mostly liberalised since 2024 |
| Egypt | PDPL 151/2020, PDPC | Consent-based + telecom secrecy | Sensitive; PDPC licence | Adequacy + PDPC approval |
| Jordan | PDPL 24/2023, PDP Council | Consent-based + Penal Code Art. 384 | Sensitive (Art. 4) | No hard localisation |
United Arab Emirates
The UAE is three legal systems in one: the federal mainland, plus two financial free zones (DIFC and ADGM) with their own GDPR-grade laws. Which one applies depends on where your client is licensed, so jurisdiction selection is itself a compliance decision.
Federal mainland
Jurisdiction stack: the PDPL (Federal Decree-Law No. 45 of 2021), in force since 2 Jan 2022, regulated by the UAE Data Office. Personal data expressly includes a person’s voice and image. The catch: the PDPL’s Executive Regulations were still not published as of mid-2026, so the federal regime is on the books but lightly enforced, with the real action in the free zones and the criminal code.
Where it bites:
- Recording is criminal and all-party. Penal Code Article 378 and the Cybercrime Law (Federal Decree-Law No. 34 of 2021, Article 44) criminalise recording or intercepting conversations without consent, with penalties of AED 150,000 to 500,000 and imprisonment. Get explicit, recorded consent at the top of every call.
- Sector localisation. Banking data is subject to Central Bank localisation rules and health data to MOHAP localisation under the ICT Health Law, and the telecoms regulator (TDRA) adds data-classification and transfer restrictions in its own domain.
DIFC: the region’s only AI-specific rulebook
Jurisdiction stack: the DIFC Data Protection Law No. 5 of 2020, enforced by the Commissioner of Data Protection, with fines up to USD 100,000 per violation and (since July 2025 amendments) a direct right of action in the DIFC Courts.
Where it bites: DIFC Regulation 10 (enacted 1 Sept 2023) governs processing personal data through autonomous and semi-autonomous systems, which is to say AI, and is the closest thing in the region to a mandatory AI-disclosure rule. For voice agents it requires telling users at initial use that non-human automated processing is occurring, explaining the design principles and safeguards, and citing the external standards relied on. High-risk processing triggers DPIAs, certification, and Commissioner consultation. General certification guidance is landing in 2026.
ADGM
Jurisdiction stack: the Abu Dhabi Global Market Data Protection Regulations 2021, enforced by its own Commissioner. Biometric data used for identification is Special Category data requiring explicit consent, and the fine ceiling is high (reported up to around USD 28 million per offence).
The AI posture: the UAE has no standalone federal AI statute yet, but it is the regional AI leader: the National Strategy for AI 2031, the world’s first Minister of State for AI (2017), the non-binding UAE Charter for the Development and Use of AI (July 2024), and the Falcon model family (TII Abu Dhabi), including Falcon Arabic for in-jurisdiction, Arabic-native deployment. In November 2025 the UAE Cybersecurity Council issued public warnings on AI voice and appearance cloning, signalling regulatory direction.
Saudi Arabia
The largest market in the region and the most aggressively enforced, with the heaviest localisation rules.
Jurisdiction stack: the PDPL (Royal Decree M/19 of 2021, amended 2023), in force since 14 Sept 2023 with the compliance deadline passed (14 Sept 2024). Regulator: SDAIA, with the NDMO as its data arm. Unlike the UAE federal regime, Saudi Arabia’s framework is fully operational: the Implementing Regulations were published in September 2023, and the Data Transfer Regulations followed in 2024.
Where it bites:
- Voiceprints are top-tier sensitive data. Voice recordings are explicitly personal data, and biometric voiceprints are sensitive data requiring explicit consent and enhanced controls; cross-border transfer relies on adequacy or approved safeguards plus a risk assessment.
- Data localisation is the big trap. The PDPL and Transfer Regulations require sensitive personal data to stay in the Kingdom unless exempted, and restrict transfers abroad. The adequacy-country list SDAIA was meant to publish was still not out in 2026, so transfers lean on approved safeguards, explicit consent, and a mandatory risk assessment. The CST cloud framework keeps government data in-country.
- Recording is criminal. Unauthorised recording is an offence under the Anti-Cyber Crime Law (2007): up to one year and SAR 500,000.
- Enforcement is live. SDAIA’s committees issued 48 decisions in the first enforcement year (2025–2026), explicitly hitting marketing messages sent without prior consent. General violations draw fines up to SAR 5 million; unlawful disclosure of sensitive data with intent to harm reaches two years and SAR 3 million.
The AI posture: SDAIA has published AI Ethics Principles (2023), Generative AI Guidelines (2024, separate public and government editions), and Deepfakes Guidelines (2024). The Deepfakes Guidelines are the regional benchmark for voice cloning: they expect visible tamper-resistant watermarks, embedded digital watermarks, explicit consent before using anyone’s voice or likeness with auditable records, and consent-management to remove a likeness from training data. Finance adds SAMA’s strong-authentication mandates.
Israel
The most GDPR-aligned and AI-aware privacy regime in the region, with one counter-intuitive twist on recording.
Jurisdiction stack: the Protection of Privacy Law (1981), overhauled by Amendment 13, in force since 14 Aug 2025, enforced by the Privacy Protection Authority. Amendment 13 broadened “personal data,” created a category of “information of especially high sensitivity” covering biometric and genetic data, and mandated data protection officers. The Privacy Protection Authority has separately issued guidance on how the law applies to AI systems.
Where it bites:
- Recording is one-party, the regional outlier. A participant may record a call they are part of without notifying the other party; the crime is recording a conversation you are not party to (the Wiretapping Law). This is more permissive than the Gulf, but Amendment 13’s consent and disclosure duties still apply, and a voiceprint is “especially sensitive” data needing explicit consent.
- Penalties scale with turnover. Amendment 13 introduced fines reaching millions of shekels, capped at 5% of annual turnover for large entities.
- Deepfakes. No dedicated statute yet, but regulators state that using a person’s face or voiceprint in a deepfake without explicit consent violates privacy law; Israel also has a standalone Biometric Database Law.
The AI posture: Israel’s “Responsible Innovation” policy (Dec 2023) is risk-based, sectoral, and non-binding, favouring soft regulation and international alignment over a horizontal AI act.
Qatar, Oman, and Egypt
- Qatar. A dual regime: the state PDPPL (Law No. 13 of 2016), the first comprehensive GCC data law, regulated by the National Data Privacy Office within the NCSA, plus the stricter QFC Data Protection Regulations 2021 in the financial free zone. Recording is criminal under Penal Code Article 333 (up to two years and/or a fine). The QFC treats biometric data as sensitive and the state law requires prior CDP permission for special-nature data. Enforcement is now active: the QFC imposed a USD 150,000 fine in October 2024.
- Oman. The PDPL (Royal Decree No. 6/2022) became fully enforceable on 5 Feb 2026, regulated by the MTCIT with Executive Regulations in place. Biometric data is sensitive under Article 5 and processing requires an MTCIT permit (a 45-day review where silence means rejection), a hard gate for voice authentication. Unlawful cross-border transfer carries the region’s steepest band, OMR 100,000 to 500,000, with 72-hour breach notification.
- Egypt. The PDPL (Law No. 151 of 2020) sat dormant for years until its Executive Regulations issued in November 2025, with hard enforcement beginning 1 Nov 2026. Regulator: the PDPC. The new regime makes licences mandatory for processing sensitive data, cross-border transfers, and electronic direct marketing, the core of outbound voice. Biometric data is sensitive and needs explicit consent, and on some readings a PDPC licence; treat voiceprints conservatively.
Bahrain, Kuwait, and Jordan
- Bahrain. The PDPL (Law No. 30 of 2018), regulated by the PDPA. Recording is all-party and criminal. Biometric processing needs PDPA prior authorisation under Article 15. Bahrain is cloud-friendly with no localisation mandate and a Data Embassy Law, and a draft criminal deepfake bill appeared in November 2025. Penalties run up to BD 20,000 (individuals) or BD 40,000 (corporates) under the PDPL.
- Kuwait. The regional outlier with no comprehensive data law: a patchwork led by the CITRA Data Privacy Protection Regulation, originally issued in 2021 and narrowed by Decision 26/2024 to bind only CITRA-licensed telecom and ISP operators. Recording without consent is criminal under the Wiretap Law (Law 9/2001), up to two years. Voiceprints are not specially named, so treat them as ordinary personal data, conservatively.
- Jordan. The PDPL (Law No. 24 of 2023), in force since March 2024 and now past its grace period, regulated by the Personal Data Protection Council within MoDEE. Biometric data is sensitive (Article 4). Penalties run JOD 1,000 to 10,000, with continuing-violation fines capped at 3% of prior-year revenue; malicious AI impersonation is also caught by the Cybercrime Law (No. 17 of 2023).
Sector overlays: where the sector regulator outranks the data law
In a regulated sector, the general data law is the floor and the sector regulator sets the binding ceiling: pre-approval gates, data localisation, mandatory authentication, and retention duties the PDPLs alone do not impose.
Saudi Arabia: SAMA pre-approval and in-Kingdom data
For financial voice agents, SAMA is stricter than the PDPL. Material outsourcing needs SAMA’s written no-objection before you contract (submitted 15 to 30 business days ahead), cloud hosting is in-Kingdom in principle with offshore needing explicit approval (Cyber Security Framework §3.4.3), customer authentication must meet multi-factor standards, and records are kept a minimum of 10 years. Separately, a voice agent that interconnects with the Saudi phone network needs a CST virtual-voice-services permit or a licensed operator; unlicensed telecom provision is fined up to SAR 25 million. A health triage agent is regulated medical-device software under the SFDA.
UAE: the strictest health-data wall in the region
The UAE ICT Health Law (Federal Law No. 2 of 2019) is the hardest sector rule in this guide. Article 13 sets an absolute default ban on storing, processing, or transferring UAE health data outside the country, and “health information” expressly includes audio and recorded data, so a health voice agent’s call recordings and transcripts cannot legally leave the UAE; retention runs 25 years. The federal PDPL’s transfer mechanisms do not help, because the PDPL carves health data out. In finance, the Central Bank requires consumer and payment data to be stored in the UAE, requires its non-objection before material outsourcing, and under Federal Decree-Law No. 6 of 2025 can fine up to AED 1 billion. Voice over IP must run through a TDRA-licensed operator.
Israel and Qatar
Israel’s Bank of Israel directives govern IT and cyber risk (Directive 364) and e-banking authentication (Directive 367), where remote account opening needs prior Banking Supervision approval, a direct hook for a voice or video onboarding agent. Qatar’s central bank requires pre-approval for material cloud arrangements and, through its AI Guideline (Sept 2024), expects financial firms to disclose AI interaction, obtain consent, and keep human oversight.
| Obligation | The stricter sector rule (vs the general data law) |
|---|---|
| Health-data localisation | UAE Federal Law 2/2019 (absolute offshore ban, 25-yr retention) |
| Financial-data localisation | UAE Central Bank (consumer and payment data in-UAE); Saudi SAMA cloud (in-Kingdom) |
| Regulator pre-approval of outsourcing or cloud | Saudi SAMA, UAE Central Bank, Qatar QCB, Bank of Israel |
| Customer authentication | Saudi SAMA (MFA); Israel Directive 367 (prior approval for remote onboarding) |
| Record retention | Saudi SAMA (10 years); UAE consumer data (5 years); UAE health data (25 years) |
| AI-specific disclosure | DIFC Regulation 10; Qatar QCB AI Guideline (finance) |
The “ship it to our US or EU cloud” architecture is unlawful for UAE health data. Federal Law No. 2 of 2019, Article 13 bans storing or transferring health data outside the UAE without health-authority approval, “health information” includes call recordings and transcripts, and the retention period is 25 years. The federal PDPL cannot rescue you, because it carves health data out. A health voice agent serving the UAE needs in-country storage by design, not as a configuration option.
Compliance Framework for the Middle East
1. Pick the jurisdiction before the architecture
In the UAE especially, federal, DIFC, and ADGM impose different duties. Decide where your client is licensed first, because DIFC Regulation 10 (AI disclosure, DPIAs) and ADGM’s explicit-consent biometric rule do not apply to a mainland deployment, and vice versa.
2. Build a criminal-grade consent gate
In the Gulf, an unconsented recording is a crime with inadmissible evidence. Open every call with an explicit, recorded all-party consent step. Israel is the lone one-party exception, but its consent and disclosure duties still apply.
3. Clear the voiceprint permit before launch
In Oman, Bahrain, Egypt, ADGM, and the Qatar free zone, biometric processing needs advance regulator authorisation. Treat voice authentication as a permit-gated feature with lead time, not a configuration toggle.
4. Map data residency before you store anything
Saudi Arabia and the UAE (banking, health) restrict where personal data can live, and Saudi Arabia’s adequacy list is unpublished. Default to in-region storage for sensitive data, and budget for a transfer risk assessment and explicit consent where transfer is unavoidable.
5. Treat synthetic voice as consent-plus-watermark
Saudi Arabia’s Deepfakes Guidelines (explicit consent, tamper-resistant watermarks, auditable consent records) are the regional bar for any cloned voice. Build consent-of-likeness and provenance marking now if your product clones voices.
6. Engineer for Arabic, not “Arabic”
Dialect coverage (Gulf, Levantine, Egyptian), gender registers, and Sharia-compliance signalling in finance are functional requirements. Regulators increasingly expect Arabic-native, in-jurisdiction models for government, finance, and telecom work.
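Steps 1 to 4 can be enforced as a pre-flight gate that a voice agent runs before it captures any audio. The sketch below is an added example, not code from this guide's authors: the regime keys, the `CallPlan` fields and the violation codes are hypothetical names, and the policy table is a simplified, constructed reading of the reference table above for six regimes.

```python
from dataclasses import dataclass, field

# Constructed policy table: a simplified reading of the guide's reference table
# and framework steps 1-4 for six regimes. Approved transfers, exemptions and
# explicit voiceprint consent are not modelled, so the gate errs toward blocking.
# regime: (home country, recording consent rule, voiceprint permit needed,
#          data categories that must stay in-country, AI disclosure at first use)
POLICY = {
    "UAE-FEDERAL": ("AE", "all", False, {"banking", "health"}, False),
    "UAE-DIFC":    ("AE", "all", False, set(), True),   # Regulation 10
    "UAE-ADGM":    ("AE", "all", True,  set(), False),
    "SAUDI":       ("SA", "all", False, {"sensitive"}, False),
    "ISRAEL":      ("IL", "one", False, set(), False),
    "OMAN":        ("OM", "all", True,  set(), False),  # MTCIT permit
}


@dataclass
class CallPlan:
    regime: str                      # step 1: chosen before anything else
    participants: list
    consented: set                   # participants with logged explicit consent
    record_audio: bool = True
    voiceprint: bool = False
    voiceprint_permit_on_file: bool = False
    data_categories: set = field(default_factory=set)
    storage_country: str = ""
    ai_disclosure_played: bool = False


def preflight(plan: CallPlan) -> list:
    """Return blocking violation codes; an empty list means the call may proceed."""
    if plan.regime not in POLICY:
        return ["UNKNOWN_REGIME"]    # fail closed on an unmapped jurisdiction
    home, consent_rule, permit_needed, local_only, disclose = POLICY[plan.regime]
    violations = []

    # Step 2: consent gate before any audio is captured.
    if plan.record_audio:
        present = set(plan.participants)
        if consent_rule == "all" and not present <= plan.consented:
            violations.append("RECORDING_CONSENT_MISSING")
        elif consent_rule == "one" and not (present & plan.consented):
            violations.append("RECORDING_CONSENT_MISSING")

    # Step 3: voice authentication is permit-gated in some regimes.
    if plan.voiceprint and permit_needed and not plan.voiceprint_permit_on_file:
        violations.append("VOICEPRINT_PERMIT_MISSING")

    # Step 4: a voiceprint makes the stored data sensitive.
    categories = set(plan.data_categories)
    if plan.voiceprint:
        categories.add("sensitive")
    if categories & local_only and plan.storage_country != home:
        violations.append("DATA_MUST_STAY_IN_COUNTRY")

    if disclose and not plan.ai_disclosure_played:
        violations.append("AI_DISCLOSURE_MISSING")
    return violations


if __name__ == "__main__":
    # Constructed sample: a US-hosted Saudi deployment where only the agent consented.
    plan = CallPlan("SAUDI", ["agent", "caller"], {"agent"},
                    voiceprint=True, storage_country="US")
    print(preflight(plan))
```

Logging the returned codes with the call ID gives an auditable record of why a session was blocked or allowed.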
Regulatory Horizon (Next 12 Months)
| Development | Status | Practical preparation |
|---|---|---|
| UAE PDPL Executive Regulations | Still unpublished mid-2026 | Watch for biometric and transfer detail; the criminal recording rule already binds |
| DIFC Regulation 10 certification | General guidance landing 2026 | Prepare AI-processing notices and DPIAs for DIFC deployments |
| Oman PDPL enforcement | Live since 5 Feb 2026 | Secure the MTCIT biometric permit before any voice-auth launch |
| Egypt PDPL enforcement | Hard enforcement from 1 Nov 2026 | Obtain PDPC licences for marketing and sensitive-data processing |
| Saudi adequacy list | Still unpublished | Default to in-Kingdom storage; use safeguards plus consent for transfers |
| Bahrain deepfake bill | Draft, Nov 2025 | Prepare voice-clone consent and labelling if it passes |
Conclusion
The Middle East does not reward the US or EU compliance playbook. The recording rule that is a fine in Europe is a criminal offence across the Gulf. The data that flows freely under EU adequacy may be forbidden to leave Saudi Arabia. The voiceprint feature that needs only a lawful basis in London needs a regulator’s permit in Muscat. And the one affirmative AI-disclosure rule in the region lives inside a single Dubai free zone.
The two markets that justify real engineering effort are Saudi Arabia (largest, most enforced, localisation-heavy, with the region’s clearest deepfake bar) and the UAE (the commercial hub, where jurisdiction selection across federal, DIFC, and ADGM is the first compliance decision you make). Israel is the most GDPR-familiar entry point, with a one-party recording rule that is the regional exception. Get the criminal consent gate, the voiceprint permit, and data residency right, build for real Arabic, and the region becomes navigable rather than hostile.
Frequently Asked Questions
No. Across the UAE, Saudi Arabia, Qatar, Bahrain, Oman, and Kuwait, recording a conversation without all parties’ consent is a criminal offence under the penal or cybercrime code, with imprisonment and inadmissible recordings, not merely a privacy fine. Build an explicit, recorded all-party consent step into the start of every call. Israel is the regional exception, with one-party consent.
Often, yes. In Oman (an MTCIT permit), Bahrain (PDPA authorisation under Article 15), Egypt (a PDPC licence), ADGM, and the Qatar financial free zone, processing biometric data such as a voiceprint requires advance regulator authorisation. Treat voice authentication as a permit-gated feature with lead time, not a configuration toggle.
Only the DIFC free zone in Dubai, via Regulation 10, which requires telling users at initial use that non-human automated processing is occurring. No other jurisdiction in the region mandates an affirmative AI-disclosure as black-letter law; elsewhere transparency flows from general data-protection duties. If you serve EU residents, the EU AI Act Article 50 disclosure also reaches you extraterritorially.
Not always. Saudi Arabia restricts sensitive personal data to in-Kingdom storage and has not published an adequacy list, and the UAE mandates localisation for banking and health data. Oman and Egypt require regulator approval for cross-border transfers. Default to in-region storage for sensitive data and run a transfer risk assessment where moving it abroad is unavoidable.
Saudi Arabia’s SDAIA Deepfakes Guidelines (2024) set the regional bar: explicit consent before using anyone’s voice or likeness with auditable records, visible tamper-resistant watermarks plus embedded digital watermarks, and consent-management to remove a likeness from training data. They are advisory but backed by the PDPL and the Anti-Cyber Crime Law.
Saudi Arabia and the UAE. Saudi Arabia is the largest and most actively enforced market (48 SDAIA enforcement decisions in its first enforcement year) with strict localisation and the clearest deepfake rules. The UAE is the commercial hub, where choosing among the federal, DIFC, and ADGM regimes is the first compliance decision. Israel is the most GDPR-familiar entry point, with the regional one-party recording exception.