Contributed By Eversheds Sutherland
The use of cloud computing is steadily increasing across the UAE and organisations of all sizes are moving to the cloud in order to facilitate digital transformation objectives.
At present, there are no comprehensive laws or regulations that govern the use of cloud computing and the legal framework consists of a patchwork of overarching legal requirements in respect of data protection and more stringent sector-specific requirements (where applicable).
Key sectors that operate under restrictions that could impact a move to the cloud include: the public sector and related private entities that form part of the critical infrastructure of the UAE; the banking sector; and the healthcare sector.
Taking each briefly in turn, the public sector is regulated at both a federal and an emirate level. The National Electronic Security Authority (NESA) is a federal authority responsible for the national advancement of cybersecurity. To support this, NESA developed the UAE Information Assurance Standards (the IAS), which include technical controls and information security requirements for cloud computing environments. All UAE government entities and other entities deemed critical to the national infrastructure are required to implement the IAS, and private sector entities are encouraged to do the same. The IAS takes a risk-based approach: public entities are required to establish sound data security requirements for cloud environments, including appropriate due diligence, risk assessments, governance policies, incident response policies and, where possible, audits of the cloud service provider's security arrangements.
At an emirate level, Abu Dhabi’s Smart Solutions and Services Authority (ADSSSA) is responsible for the governance and use of government data, securing the government’s IT systems, communications network and government data technology, and recommending standardised systems for implementation across all Abu Dhabi government entities. The ADSSSA (at the time known as ‘ADSIC’) Information Security Standards 2009 (as amended) include a specific requirement that any government information classified as ‘Restricted’ or above must not be hosted outside Abu Dhabi government data centres without approval from the ADSSSA.
In Dubai, the comparable oversight function is fulfilled by the Dubai Electronic Security Center (DESC) and DESC has also issued information security rules that apply to emirate level public sector entities. DESC is currently working on a new framework and this will likely include a cloud certification standard. If launched, this should provide a much greater degree of certainty for regulated entities.
As previously mentioned, the banking industry is also subject to sector-specific requirements. These are not contained in a single comprehensive regime but relevant restrictions can be found in regulations dealing with outsourcing and the management of customer financial information. Similarly, the health sector has strict data localisation requirements for patient data.
At a more general level, the UAE does not have a comprehensive data protection regime and there are several laws that could be relevant to the use and transfer of personal data, including the general privacy safeguards contained in: the UAE Constitution; the Penal Code; the Civil Code; and the Cybercrime Law. Additionally, certain free zones have developed their own data protection frameworks (notably the Dubai International Financial Centre, the Abu Dhabi Global Market and the Dubai Healthcare City).
In view of the above, a move to the cloud in the UAE is generally permitted but may require consideration of a number of regulatory regimes depending on the relevant entity’s operations within the jurisdiction.
The UAE has set ambitious targets to develop blockchain technology for practical use. The Dubai Blockchain Strategy launched in October 2016 and its aim is to become the first city fully powered by blockchain by 2020. To support this, the Dubai Future Foundation launched a global blockchain council (made up of 46 key players in the blockchain industry) to explore and discuss current and future applications of blockchain technology.
The public sector, often in collaboration with Smart Dubai (the technology arm that supervises the implementation of electronic and smart transformation in the Dubai government), has already announced several blockchain-driven initiatives. For example, the Department of Economic Development announced plans to develop a business registry platform using blockchain technology in mid-2018. The platform would be aimed at streamlining the process of establishing and operating a business in Dubai, as well as ensuring regulatory compliance and facilitating direct foreign investment. Similarly, the Dubai Land Department has already deployed blockchain technology in three initiatives (ownership verification, property sales by developers and a smart leasing process).
The judiciary are also taking steps to enable blockchain transformation and the Dubai International Financial Centre (DIFC) Courts have announced plans to develop the world’s first Court of the Blockchain. The preliminary work will explore cross-border enforcement of legal judgments through the blockchain and building dispute resolution mechanisms into the blockchain in order to facilitate commercial use.
Despite the impressive number of blockchain-enabled projects, there are few specific laws or regulations that deal with blockchain or distributed ledger technology as a distinct technology. However, this is likely to change soon. Currently, the Abu Dhabi Global Market (the ADGM – a financial free zone in Abu Dhabi) has issued specific regulation but only in the context of cryptocurrencies. The ADGM is an active member of R3, a leading financial innovation and technology firm that focuses on designing and applying distributed ledger technology solutions for the financial services industry and has also launched the first cross-border FinTech sandbox between Abu Dhabi and Singapore. Since 2017, the ADGM has actively published guidance on initial coin offerings and virtual currencies under the Financial Services and Markets Regulation and, in 2018, it published further guidance on the regulation of crypto asset activities in the ADGM.
We are aware that both emirate-specific and federal regulations are in the process of being developed to cover both blockchain (as a general technology) and specific regulations for cryptocurrency and other FinTech applications. For now, the general laws will apply.
Risk and Liability
It is generally advisable for clients to carefully consider whether their business falls within the scope of regulated activities (free zone or federal), especially if the blockchain technology is used for FinTech ventures. There is no specific regulated activity covering blockchain in general so the particular features and use of the technology would have to be considered on a case-by-case basis. Even if the use of the blockchain technology does not fall within any regulated activities (for instance, because it is not yet recognised) it could still raise questions of KYC, AML and, separately, data protection concerns.
The general principles of contractual liability and 'acts causing harm' will apply and companies should, as always, be mindful of the UAE law position in relation to limitation of liability and indemnity provisions.
There are no specific IP provisions dealing with blockchain per se, but the various general IP laws will apply.
The UAE does not have a comprehensive data protection regime (with the exception of certain free zones that operate under separate frameworks). As such, general privacy safeguards under the UAE Constitution, Civil Code, Penal Code and Cybercrime Law will apply. In addition, sectorial laws may impact the ability to utilise blockchain technology if data localisation requirements apply to certain categories of data thereby preventing international transfers.
General laws apply which will be more relevant when dealing with the public sector.
General laws apply. However, the DIFC Courts currently have a taskforce working on jurisdictional issues, so further guidance may be available soon.
In October 2017, the government of the UAE launched the 'UAE Strategy for Artificial Intelligence (AI)' with the goal of increasing government performance and promoting innovation through investment in AI.
Since then, the government has taken several steps to facilitate the safe testing of new technologies including the announcement in late 2018 that laws are being developed to regulate self-driving cars and AI more generally. In order to keep up with the technological developments, a new RegLab was reportedly set to launch in January 2019 in order to provide a safe testing environment for new technologies and help establish future laws governing their use. In the meantime, the UAE Cabinet has been authorised to grant temporary licences for testing of innovative solutions that utilise future technology such as AI.
Until specific regulations have been developed, companies in the UAE would be well advised to consider and apply 'Smart Dubai’s AI Ethics Principles & Guidelines', which sets out best practice when dealing with emerging technologies in the form of four broad principles, supporting guidelines and practical examples. The Smart Dubai website also hosts a toolkit that AI developers or operators can use to self-evaluate the ethics level of an AI system against Dubai’s AI Ethics Guidelines. These principles are also reflected in the 'Data Policy in the Fourth Industrial Revolution: Insights on personal data' (a paper by the World Economic Forum published in collaboration with the UAE Ministry of Cabinet Affairs and the Future). Another helpful resource may be the European Commission’s draft ethics guidelines for trustworthy AI (published December 2018 and set to be finalised in March 2019), which provide an informative assessment list that could be used to complement the Smart Dubai guidelines until mandatory regulation is introduced in the UAE. The above-cited resources are not mandatory but they offer useful guidance on the likely direction of future regulation and, in the meantime, some protection against civil liability in the event that an action is brought by an individual, or group of individuals, under the general legal principles of UAE law.
In legal terms, 'big data' remains a rather fuzzy concept but it is commonly accepted that it includes (at least) the following characteristics: considerable volume (referring to the scale and size of data); variety of format (ie, it can be text, image, video, sound); mixed structure (the data can be both unstructured and structured); and velocity (the speed at which new data is generated).
On its own, big data has little intrinsic value and it is the operations performed on it – namely, quantitative analysis – that generates important insights. This can be done using AI, algorithmic computing, machine learning or other methods (discussed below).
When working with big data, it is important that entities consider the extent to which they could be dealing with personal data which is protected under local data privacy laws or categories of data subject to sectorial restrictions (such as banking/transactional data or government data).
There is no single definition of machine learning but, in simple terms, it is a process of getting computers to learn from data without relying on explicit programming (ie, it learns over time in an autonomous fashion). This raises a number of interesting legal considerations.
For example, in machine learning the quality of data used to train the algorithm is incredibly important as any biases present in the data will quickly be 'learned' and implemented by the algorithm. It is therefore quite possible to (inadvertently) produce algorithms with biases in respect of ethnicity, gender or religion (all of which are protected under UAE law) simply by virtue of poor quality checks on the 'training data'. Quality checks and proper documentation are therefore essential when dealing with training data sets.
Another legal consideration is the autonomous nature of the learning process. When faced with consumer complaints or lawsuits, a company may be unable to justify how a decision was reached. Proper documentation policies and algorithmic audits may guard against excessive exposure in this regard until formal industry standards have been established.
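The two safeguards recommended above (quality checks on training data, and audits of what the trained model actually does) as a worked example. This is an added illustration, not code from the original article or from any regulator: the hiring records are constructed for the purpose, the feature and function names are hypothetical, and the 0.8 'four-fifths' line is a commonly used rule of thumb for comparing selection rates, not a UAE legal threshold. The point it demonstrates is that removing the protected attribute from the features is not a defence when another feature (here a postcode) acts as a proxy for it.

```python
"""Bias audit on a constructed hiring dataset (added example, not from the
original article). Shows that (1) a biased historic selection rule is visible
in the training labels before any model is built, (2) a learner that never
sees the protected attribute still reproduces the bias through a proxy
feature, and (3) the checks that surface both. All data and names are
hypothetical."""
from collections import defaultdict
from itertools import product

FOUR_FIFTHS = 0.8  # rule-of-thumb warning line for selection-rate ratios


def build_training_data():
    """Constructed historic log: 10 applicants per group, scores 0-9.
    Group A was shortlisted from score 5, group B only from score 7 (the bias).
    'postcode' is a proxy that happens to track group membership exactly."""
    records = []
    for group, score in product(("A", "B"), range(10)):
        threshold = 5 if group == "A" else 7
        records.append({
            "score": score,
            "postcode": 1 if group == "A" else 0,
            "group": group,
            "label": int(score >= threshold),
        })
    return records


def selection_rates(records, outcome_key):
    """Share of positive outcomes per protected group."""
    totals, positives = defaultdict(int), defaultdict(int)
    for r in records:
        totals[r["group"]] += 1
        positives[r["group"]] += r[outcome_key]
    return {g: positives[g] / totals[g] for g in totals}


def disparate_impact_ratio(rates):
    """Lowest group rate divided by the highest; below FOUR_FIFTHS is a warning."""
    return min(rates.values()) / max(rates.values())


def proxy_strength(records, feature):
    """How well a feature alone predicts the protected group: the accuracy of
    guessing the majority group for each feature value. 1.0 means the feature
    is a perfect proxy; 0.5 here is chance for two equal-sized groups."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r[feature]][r["group"]] += 1
    correct = sum(max(per_group.values()) for per_group in counts.values())
    return correct / len(records)


def fit_tree(records):
    """Tiny depth-2 decision tree: split on postcode, then pick the score
    threshold with the fewest training errors in each branch. The protected
    attribute 'group' is deliberately not a feature."""
    model = {}
    for postcode in sorted({r["postcode"] for r in records}):
        branch = [r for r in records if r["postcode"] == postcode]
        model[postcode] = min(
            range(11),
            key=lambda t: sum(int(r["score"] >= t) != r["label"] for r in branch),
        )
    return model


def predict(model, record):
    return int(record["score"] >= model[record["postcode"]])


def audit():
    """Run the data check, train, then run the outcome check on the model."""
    data = build_training_data()
    label_rates = selection_rates(data, "label")
    model = fit_tree(data)
    for r in data:
        r["pred"] = predict(model, r)
    pred_rates = selection_rates(data, "pred")
    return {
        "label_rates": label_rates,
        "label_di": disparate_impact_ratio(label_rates),
        "proxy_postcode": proxy_strength(data, "postcode"),
        "proxy_score": proxy_strength(data, "score"),
        "model": model,
        "pred_rates": pred_rates,
        "pred_di": disparate_impact_ratio(pred_rates),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Running `audit()` on the constructed data gives a label selection rate of 0.5 for group A against 0.3 for group B (ratio 0.6, under the 0.8 line) before any training, flags `postcode` as a perfect proxy (1.0) while `score` is at chance (0.5), and shows the trained tree reproducing exactly the same 0.6 ratio despite never receiving the group attribute. The practical consequence for the documentation and audit policies discussed above is that the protected attribute has to be retained for audit purposes, separately from the training features, or the outcome check cannot be run at all.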
In addition to the above there are numerous legal considerations in relation to AI ranging from liability issues, IP, control and accountability and transparency. Fundamentally, with the exception of AI in the healthcare industry, there are currently no laws, regulations or policies that govern the use of AI in the UAE and any existing compliance or other obligations to clients will remain unaltered and responsibility will lie with the implementing entity.
In the UAE, general AI regulations and regulation in respect of autonomous vehicles have been announced and are expected to be published in the near to medium term.
Pursuant to Telecommunication Regulatory Authority Decision 17 of 2018, an Internet of Things (IoT) Policy (the 'Policy') was formally approved in the UAE and the Telecommunications Regulatory Authority (TRA) was mandated to implement it.
The purpose of the Policy is to enable the development of IoT services in a safe manner and it is intended to cover all industries (while acknowledging that ministries and regulators for specific industries may develop their own additional IoT specific guidance in co-ordination with the TRA). Therefore, the Policy can be considered as a first step rather than a comprehensive framework.
The Policy covers key requirements for IoT implementation, including the following.
General Requirements for RTTE Devices Providing IoT Services
Any Radio and Telecommunications Terminal Equipment (RTTE) device that provides IoT Services (as defined in the Policy) must meet prevailing Type Approval Regulations (see Telecommunications Apparatus Type Approval Regulation dated 5 April 2007). In addition, the Policy specifies additional requirements specific to IoT Service-enabled devices which include:
IoT Service Providers (as defined in the Policy) must register with the TRA in order to obtain an IoT Service Provider Registration Certificate. Any applicants are required to have a local presence or official representative within the UAE. The process for applying is set out in the IoT regulatory procedures document. There is currently no set procedure for providing IoT connectivity networks and any entity that is considering such services should approach the TRA directly for a case-by-case assessment.
Failure to comply with the Policy (including the registration requirements) may be penalised by the TRA in accordance with the penalties set out in the Telecommunications Law and/or other relevant regulation, including temporary or permanent suspension of the services.
Data Management and Protection
Within the context of IoT services, the TRA has developed specific data management and privacy requirements. These requirements are adopted from the EU General Data Protection Regulation 2016/679 (GDPR), albeit the Policy notes that these references are for guidance only and that UAE law shall prevail in any area of conflict. Furthermore, public authorities will retain the right to process data within the purview of the legislative powers provided to them and appear exempt from the stricter requirements set out in the Policy.
The Policy contains the following principles of data storage:
In addition, the Policy includes requirements to establish technical measures towards enabling inspection of the data by relevant public authorities in the UAE and compliance with interception/monitoring of data by law enforcement agencies. Encryption standards must meet requirements of the UAE authorities and, if higher levels of encryption are to be utilised, approval must be sought from the TRA.
Even when they are stated to be subject to local law, contracts for the provision of IT services in the UAE often reflect the standard terms of one of the parties or the terms of corresponding UK or US IT contracts. However, there are several points to be borne in mind in relation to IT contracts in the UAE.
Storage/Hosting of Data Outside the UAE
The DIFC, Dubai Healthcare City and ADGM free zones have data protection regimes which closely follow the pre-GDPR EU model. As such, they include a prohibition on the transfer of data except to jurisdictions which offer equivalent protection.
In some sectors, additional requirements apply. For example, the banking sector in the UAE is regulated by the Central Bank, and customers of such regulated industries may not have their data stored in the cloud without the regulated company obtaining the necessary consents from the applicable authority first.
The transfer by an author (including an author of software) of all future copyright works, or more than five such works, is null and void under UAE law. If the parties intend that the customer will own all the rights in the software produced by the supplier under the agreement, the parties will therefore need to draft a clause which is more sophisticated than the relatively simple transfer of all future copyright which may be adequate in a UK IT contract.
Exclusion of Liability
Exclusion and limitation of liability feature prominently in IT contracts. Liability for personal injury, death and for tort cannot be excluded under UAE law. Moreover, liability in contract cannot be excluded if the liability arises from 'harmful acts'. The meaning of this term is not settled but would include gross negligence, wilful default and unlawful acts. In practice, it is possible that an exclusion of liability for faults, inaccuracy of data etc would be unenforceable. A cap on liability may therefore be better from the supplier’s point of view than an exclusion. However, UAE courts tend in general to limit compensation to direct losses. If exclusions of indirect and consequential loss are included in a contract it is possible in practice that such losses would not be awarded against a party in breach.
Limitation of Liability
UAE law permits limitation of liability (as opposed to exclusion of liability) in business-to-business contracts. However, the UAE courts reserve the right to adjust a contractual liability cap if the amount agreed is less than the actual damages suffered by the injured party, and may order that the cap be increased to equal the damages suffered. Any such cap is therefore only a starting point; a claimant who seeks to exceed it must prove loss that justifies the increase.
Indemnities are commonly used in UAE contracts. However, they do not have a fixed meaning and are generally interpreted against the party seeking to rely on them. Accordingly, indemnities should be drafted as clearly as possible. There is still a risk that broad indemnities will not be upheld. An indemnity for a matter which is of a criminal nature or strict liability, or a liability which cannot be excluded, may of course not be enforceable as a matter of public policy in any event.
The UAE does not operate under a comprehensive European-style data protection regime and there is no national data protection regulator.
Instead, there are overarching privacy safeguards set out in various laws (including the UAE Constitution and the UAE Penal Code, among others). These laws provide a basic foundation for data protection that has then been developed further by sectorial laws or, in some instances, by completely separate regimes such as the data protection frameworks operated by certain free zones, notably the Dubai International Financial Centre (the DIFC), the Abu Dhabi Global Market (the ADGM) and Dubai Healthcare City (DHCC).
In view of the above, companies should give careful consideration to the applicable regime and ensure that they understand the data protection rules that they will be subject to. Common features include a desire to protect the private information of individuals by requiring consent to process or transfer personal data but the scope of data protected, as well as the steps required to achieve compliance, vary across the different laws.
Concepts such as 'data controller' and 'data processor' only exist in some laws and are not universally applicable across the UAE.
Core Rules include:
Most data protection obligations only apply in respect of individuals. However, there are certain sectorial laws that apply to classes of data (such as transactional data which can belong to either an individual or a company or to categories of data produced by the public sector). The relevant legal framework should be considered and the specific laws consulted prior to adopting a blanket approach to data processing in respect of individuals or companies.
The general processing of data is not ordinarily subject to legal/regulatory oversight or specific requirements. However, there are several notable exceptions to this and certain sectorial laws apply to classes of data (such as transactional data or to categories of data produced by the public sector). In addition, any statistical data that relates to the emirate of Dubai is also subject to separate regulations.
The relevant legal framework should be considered and the specific laws consulted prior to adopting a blanket approach to data processing in respect of individuals or companies.
The general rule is that processing of personal data requires consent. The nature and extent of the consent required is subject to different criteria depending on the applicable legal framework. Furthermore, some laws contain data residency requirements restricting transfers outside the UAE for certain categories of data (which may or may not be personal data); other laws require assurances as to the adequacy of data protection standards if data is to be transferred out of the jurisdiction.
Company computer resources provided by an employer for the use of their employees remain the property of the employer. The starting point is that the employer can control use (eg, by blocking websites and not permitting personal use) and monitor activity on its systems.
Where the employee has not expressly consented to the monitoring of their use of the computer resources, there are mixed views among lawyers regarding the extent of monitoring that can be undertaken by the employer.
For this reason it is sensible to adopt an IT Usage policy which details the rights of the employer to limit and/or withdraw use of the computer resources and to monitor usage including the websites that have been visited and the contents of e-mails sent via the computer e-mail system.
Ideally, an employee would expressly consent to the policy but in the absence of this, so long as the company can demonstrate the employee has been made aware of the policy and received a copy of it, then it should be upheld. If such a policy is in place, it should be carefully drafted since the company must abide by its terms.
If the company does not have such an IT Usage policy, then monitoring and investigation of web traffic and e-mails is subject to compliance with the UAE Labour Law and individuals’ privacy rights under the UAE Constitution.
In all cases it is recommended that the following is kept in mind:
When reviewing e-mails and IT equipment in the course of an investigation, employers should additionally bear in mind that:
DIFC, ADGM and Dubai Healthcare City Free Zones have their own data protection laws that must also be complied with where applicable and if the company is based in any of these locations separate advice should be obtained.
A licence is required from the Telecommunications Regulatory Authority (TRA or Authority) to provide a telecommunications network (wired or wireless) and the connectivity services required for related products to be used by end users. The TRA determines the form and substance of each licence granted and may include in such licences any conditions that it requires.
In addition, the technologies that fall within the scope of UAE telecommunications rules require licensing and/or type approval from the TRA. The TRA website provides a summary of those technologies.
The TRA has exclusive competence in issuing all authorisations in relation to Telecommunications Apparatus (apparatus made or adapted for use in transmitting, receiving or conveying any of the Telecommunications Services through a Telecommunications Network) comprised in or intended for use in connection with a Telecommunications Network (a system comprising one or more items of apparatus or means of communication medium for broadcasting, transmission, switching or receiving of Telecommunications Services, by means of electric, magnetic, electro-magnetic, electro-chemical or electro-mechanical energy and any other means of communication medium) or in the provision of a Telecommunications Service (the service of transmitting, broadcasting, switching or receiving by means of a Telecommunications Network of any of the following:
No person is permitted to use, sell, offer for sale or connect to any Telecommunications Network any Telecommunications Apparatus that has not been approved by the Authority. The Authority has enacted specific Type Approval Regulations (Telecommunications Apparatus Type Approval, version 1, dated 5 April 2007), which set out in more detail the process for obtaining Type Approval in the UAE.
Telecoms equipment employing wireless transmission in the frequency range 9 kHz to 3,000 GHz and/or Telecommunications Apparatus directly connected to or intended to be directly connected to a Public Telecommunications Network is required to be registered with the Authority prior to use, sale, offer for sale or connection in the UAE (except for equipment purchased outside the UAE and imported personally for an entity’s own use). Only a dealer, importer or manufacturer of such telecoms equipment registered with the TRA is permitted to apply for the registration of such telecoms equipment with the Authority and the registered dealer is required to have a valid trade licence for the equipment concerned.
The registered dealer is responsible for ensuring that Telecommunications Apparatus is suitable for the purpose for which it is supplied and that it operates in accordance with the claims made in relation to it, and for registering the equipment with the TRA unless the equipment has previously been registered. Governmental entities are exempt from obtaining the approval of the TRA in respect of Telecommunications Apparatus used or to be used by governmental entities.
A Frequency Authorisation is required to use radio frequencies in the UAE and all authorised users are required to comply with the Radiocommunications Policy, which is available on the TRA website.
The establishment and use of wireless transmission stations and the installation and use of any wireless transmission is prohibited unless permitted by a radio spectrum authorisation issued by the TRA.
In addition, the TRA has issued ancillary regulations, such as the Consumer Protection Regulations, which provide for a consumer dispute resolution procedure and a resolution dealing with spam e-mails.
In practice, early engagement with the TRA is advisable to understand the specific steps required in relation to the launch of any product or technology in the telecoms sector. It is prudent to assume that every product which falls within the telecoms rules will require some form of prior consent or approval from the TRA.
The UAE Cabinet issued Resolution No (23) of 2017 Concerning Media Content (the '2017 Regulations'), which came into force at the end of August 2017. The 2017 Regulations bring the vast array of digital media offered by OTT providers in the UAE (such as e-books, music streaming services, and on-demand film and TV) within the scope of national content laws and make it subject to censorship and pre-approval by the National Media Council (NMC). However, the currently applicable legislation does not address enforcement against offshore OTT/media providers that deliver digital content to UAE-based customers via the Internet (eg, Netflix).
There may be discussions in the future about regulating the services delivered by offshore OTT platforms in the UAE; however, at this stage OTT platforms are not fully regulated in the UAE, so the main requirements for providing audiovisual services do not apply to them.
Traditional media content and digital media content, including television shows and film, are regulated in the UAE by the following:
The four types are:
It also addresses personal websites, blogs and social media platforms and exempts school and government websites.
The 2017 Regulations
Issues To Be Considered under the Electronic Media Regulations
Objectives of Regulating the Electronic Media Activities
The media regulation that is organised in accordance with the provisions of the Electronic Media Regulations is aimed at the following:
According to information received following a recent meeting held by Eversheds Sutherland UAE and the NMC management, the Electronic Media Regulations will not be imposed on companies based outside the UAE, irrespective of whether such companies are targeting the UAE market-audience or not (namely, OTT platforms). Having said that, the authorities in the UAE have full discretion to block any websites or accounts they deem illegal.
Unless explicitly authorised by the TRA, it is not permitted to use encryption techniques for the purpose of obscuring the meaning in relation to content of radio communications or the transmission, emission or reception of electromagnetic energy by Radio Frequency spectrum. ('Radio Frequency' means radiated electromagnetic energy measured in Hz or cycles/sec).
As a result, a Frequency Spectrum Authorisation granted by the TRA does not accord any privacy rights to end users (except in relation to diplomatic official correspondence as defined in Article 27 of the Vienna Convention on Diplomatic Relations (1961)). A supplier of wireless or telecoms products which use Radio Frequency therefore needs to ensure that, if any elements of the products include encryption, there is an explicit authorisation from the TRA for the use of that encryption. If there is no such authorisation, the products should not contain any form of encryption. Encryption may be of particular concern to the authorities if, for example, relevant information or data is hosted outside the UAE. It is unclear whether the TRA would in practice pursue a manufacturer or supplier which merely provides such products to an importer or service provider in the UAE if there were a contravention of this requirement, but this could be possible under the broad language used in the Radiocommunications Policy.