Laws and Regulations
The use of cloud computing is steadily increasing across the UAE and organisations of all sizes are moving to the cloud in order to facilitate digital transformation objectives.
In the UAE, there are no comprehensive laws or regulations that govern the use of cloud computing and the legal framework consists of a patchwork of legal requirements in respect of data protection and sector-specific data localisation requirements (where applicable).
In general, there are no restrictions preventing companies from using cloud solutions and 2019 saw the launch of several local data centres that should now allow regulated industries with sector-specific data localisation requirements to better access cloud solutions.
Regulations in Specific Industries
In the UAE, certain sectors are subject to data localisation requirements that have historically impacted their ability to move to the cloud. In particular there have been restrictions in relation to banking, telecommunications, healthcare and the public sector.
Taking each briefly in turn, the public sector is regulated at both a federal and emirate level. The National Electronic Security Authority (NESA) is a federal authority responsible for the national advancement of cybersecurity.
NESA developed the UAE Information Assurance Standards (IAS) which includes technical controls and information security requirements for cloud computing environments. All UAE government entities and other entities deemed critical to the national infrastructure are required to implement the IAS, and private sector entities are encouraged to do the same. The IAS takes a risk-based approach and public entities are required to establish sound data security requirements for cloud environments, including appropriate due diligence, risk assessments, governance policies, incident response policies and, where possible, audits of security arrangements by cloud service providers.
At an emirate level, Abu Dhabi Digital Authority (ADDA), formerly known as ADSSSA and ADSIC, is responsible for the governance and use of government data, securing the government’s IT systems, communications network and government data technology, as well as providing recommendations in relation to standardised systems and implementation across all Abu Dhabi government entities. In Dubai, the comparable oversight function is fulfilled by the Dubai Electronic Security Center (DESC), which has also issued information security rules that apply to emirate-level public sector entities.
In addition to the public sector, the telecommunication, banking and healthcare sectors are also subject to sector-specific requirements. These are not contained in a single comprehensive regime but relevant restrictions can be found in regulations dealing with outsourcing, confidentiality obligations, data localisation requirements and, occasionally, direct instructions from the relevant regulators.
Processing of Personal Data
At a more general level, the UAE does not have a comprehensive data protection regime and there are several laws that could be relevant to the use and transfer of personal data in the context of cloud computing (see Section 6 Key Data Protection Principles for further details).
The UAE has set ambitious targets to develop blockchain technology for practical use. The Emirates Blockchain Strategy was launched in April 2018 and aims to move 50% of government transactions to blockchain platforms by 2021. To support this goal, there are numerous Emirate-level initiatives, including the global blockchain council (made up of 46 key players in the blockchain industry) that was launched by the Dubai Future Foundation to explore current and future applications of blockchain technology.
In late 2019, the Dubai Blockchain Centre reported that it was involved in around 40 projects piloting novel applications in different sectors.
In terms of regulation, the fintech sector has been quick to adopt blockchain technology and, internationally, regulators have responded with specific guidelines and regulations addressing novel methods of fundraising and other applications of blockchain in a fintech context.
At a local level, the Abu Dhabi Global Market (ADGM) has specifically addressed cryptocurrencies and crypto-assets under the local regime with further legislative developments expected in 2020.
In late 2019, the UAE Securities and Commodities Authority (SCA) posted draft regulation for public consultation with a view of issuing new regulations to enable an onshore regime.
Outside of fintech, there are few laws that directly address blockchain technologies and the general laws, including those relating to privacy and e-commerce, will continue to apply.
Risk and Liability
It is generally advisable for clients to carefully consider whether their business falls within the scope of regulated activities (free zone or federal), especially if the blockchain technology is used for fintech ventures. There is no specific regulated activity covering blockchain in general, so the particular features and use of the technology would have to be considered on a case-by-case basis. Even if the use of the blockchain technology does not fall within any specific regulated activity (for instance, because it is not yet recognised) it could still raise questions of KYC, AML and, separately, data protection concerns.
The general principles of contractual liability and "acts causing harm" will apply and companies should, as always, be mindful of the legal position in relation to limitation of liability and indemnity provisions under UAE law.
There are no specific IP provisions dealing with blockchain per se, so the general IP laws will apply.
In June 2019, the DIFC published a draft data protection law for public consultation. In the context of blockchain technology, it is interesting to observe that the new law contemplates innovative technologies and goes some way towards addressing the difficulties that have been observed with the GDPR in Europe.
The new law includes language that could exempt a controller, in certain circumstances, from complying with obligations (for example, in relation to erasure of data) if it is not feasible to do so for technical reasons.
In a blockchain context, this could be applicable to immutable ledgers where data erasure would contradict the key feature of the technology. Although this exemption may be subject to further restriction, it is nevertheless encouraging to see that regulators are taking note of the obstacles created for emerging technologies by GDPR-style data protection regimes.
While it remains to be seen if these provisions will be included in the final version of the law, it could be a great boost for blockchain technology in areas that deal extensively with personal data such as for KYC and due diligence purposes.
General laws apply which will be more relevant when dealing with the public sector.
In terms of jurisdictional issues, general laws apply.
In legal terms, "big data" remains a rather fuzzy concept but it is commonly accepted that it includes (at least) the following characteristics: considerable volume (referring to the scale and size of data); variety of format (text, image, video, sound); mixed structure (the data can be both unstructured and structured); and velocity (the speed at which new data is generated).
On its own, big data has little intrinsic value: it is the operations performed on it – namely, quantitative analysis – that generates important insights. This can be done using machine learning or other methods (discussed below).
When working with big data, it is important that entities consider the extent to which they could be dealing with personal data that is protected under local data privacy laws, or categories of data subject to sectorial restrictions (such as banking/transactional data or government data).
There is no single definition of "machine learning" but, in simple terms, it is a process of getting a computer program to learn from data without relying on explicit programming. In other words, it learns over time in an autonomous fashion and this raises a number of interesting legal considerations.
For example, in machine learning the quality of data used to train the algorithm is incredibly important as any biases present in the data will quickly be "learned" and implemented by the algorithm. It is therefore quite possible to (inadvertently) produce algorithms with biases in respect of characteristics that are protected under discrimination laws simply by virtue of poor-quality checks on the training data. Quality checks and proper documentation are therefore essential when dealing with training data sets.
Another legal consideration is the autonomous nature of the learning process. When faced with consumer complaints or lawsuits, a company may be unable to justify how a decision was reached. Proper documentation and algorithmic audits may guard against excessive exposure in this regard until formal industry standards have been established.
Artificial Intelligence (AI)
In October 2017, the government of the UAE launched the UAE Strategy for Artificial Intelligence (AI) with the goal of increasing government performance and promoting innovation through investment in AI.
Since then, the government has taken several steps to facilitate the safe testing of new technologies, including the announcement in late 2019 that the Emirates Authority for Standardization and Metrology (ESMA) had completed the first draft of the standards and regulations for autonomous vehicles with publication of the final version expected in 2020.
In 2018, a federal decree was issued that authorises the Cabinet to issue interim licences for innovative projects (including but not limited to those utilising artificial intelligence) until more permanent legislation can be developed. Importantly, the Cabinet is tasked with setting the conditions, controls and procedures necessary for the safe implementation of the project. It also has the authority to exempt the project (on a temporary basis) from any federal legislation if this is required for the implementation.
Expanding on this decree, in 2019 the Cabinet announced details of the licensing process for innovative projects and also launched a new Legislation Lab tasked with proposing legislation for projects "of a future nature". It will be interesting to see how the Legislation Lab develops over 2020 and which technologies will be addressed.
Eversheds Sutherland is a member of the board of advisors to the Smart Dubai’s AI Ethics Committee; those looking for practical guidance on ethical AI may find it useful to consult the Smart Dubai AI Ethics Guidelines and associated toolkit.
Restrictions Affecting a Project's Scope
In 2018, the Telecommunication Regulatory Authority (TRA) issued a new policy on Internet of Things (IoT) technology (henceforth, the Policy).
The purpose of the Policy is to enable the development of IoT services in a safe manner and it is intended to cover all industries (while acknowledging that ministries and regulators for specific industries may develop their own additional IoT specific guidance in co-ordination with the TRA). As such, the Policy can be considered as a first step rather than a comprehensive framework.
According to the Policy, IoT is defined as: “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies”. The purpose of the Policy is to develop IoT services in a safe and secure manner in line with the UAE vision to become a leading country in the development of IoT services.
The Policy applies to (i) individuals, (ii) companies, (iii) public authorities, licensees (as defined under the Telecom Law), IoT service providers and IoT users, and (iv) any other legal entity concerned with IoT.
The Policy clearly defines the functions and facilities that are caught by the definition of IoT and are therefore subject to regulatory oversight.
It is important to note that a breach of the provisions, or the related TRA regulations, may result in the suspension of IoT services (temporarily or permanently).
Examples of acts/activities that could constitute a breach under the Policy include:
The TRA has also issued guidance on the procedures for registering as an IoT service provider. The IoT service provider is under an obligation to submit an IoT service registration request as soon as it has the information necessary to complete the IoT service registration request form and related documents.
At the time of issuance, a grace period of one year was granted to IoT service providers to ensure compliance with this new regulatory framework.
Any Radio and Telecommunications Terminal Equipment (RTTE) device that provides IoT Services (as defined in the Policy) must meet prevailing Type Approval Regulations (see Telecommunications Apparatus Type Approval Regulation dated 5 April 2007). In addition, the Policy specifies additional requirements specific to IoT service-enabled devices which include:
IoT Service Providers (as defined in the Policy) must register with the TRA in order to obtain an IoT Service Provider Registration Certificate. Applicants are required to have a local presence or official representative within the UAE. The process for applying is set out in the IoT regulatory procedures document. There is currently no set procedure for providing IoT connectivity networks and any entity that is considering such services should approach the TRA directly on a case-by-case assessment.
Failure to comply with the Policy (including the registration requirements) may be penalised by the TRA in accordance with the penalties set out in the Telecommunications Law and/or other relevant regulation, including temporary or permanent suspension of the services.
Data Management and Protection
In addition to introducing the registration requirements, the Policy also includes a number of compliance requirements (with a focus on data processing). An IoT service provider must ensure that:
In relation to data storage and data localisation, the classification of the data will determine the specific compliance requirements. In accordance with the local classification requirement, the following applies:
In the UAE, it is not uncommon to see IT service agreements that are subject to local law and jurisdiction but clearly based on either UK or US templates. As more fully articulated below, such an approach could expose both parties to significant risk as there are several provisions of UAE law that may conflict, or be unaccounted for, in an agreement drafted under foreign laws.
Storage/Hosting of Data Outside the UAE
In the UAE, there are regulations that apply to specific industries (such as the banking and health sectors) that contain specific requirements in relation to data localisation (ie, where the data is hosted). See Section 1 Cloud Computing for further details.
The DIFC and ADGM free zones have data protection regimes which closely follow the pre-GDPR EU model. As such, they include a prohibition on the transfer of data except to jurisdictions that offer equivalent protection.
See Section 6 Data Protection for further details.
Under UAE copyright laws, the transfer by an author (including an author of software) of all future copyright works, or more than five such works, is null and void under UAE law. If the parties intend that the customer will own all the rights in the software produced by the supplier under the agreement, the parties will therefore need to draft a clause which is more sophisticated than the relatively simple transfer of all future copyright which may be adequate in a UK IT contract.
Exclusion of Liability
Exclusion and limitation of liability feature prominently in IT contracts.
Liability for personal injury, death and for tort cannot be excluded under UAE law and any attempt to do so will be deemed void if a dispute is escalated to the UAE courts.
Moreover, liability in contract cannot be excluded if the liability arises from "harmful acts". The meaning of this term is not settled, but it would include gross negligence, wilful default and unlawful acts. In practice, it is possible that an exclusion of liability for faults, inaccuracy of data, etc, would be unenforceable.
A cap on liability may therefore be better from the supplier’s point of view than an exclusion.
However, UAE courts tend in general to limit compensation to direct losses. If exclusions of indirect and consequential loss are included in a contract it is possible in practice that such losses would not be awarded against a party in breach.
Limitation of Liability
UAE law permits limitation of liability (as opposed to exclusion of liability) in business-to-business contracts. However, the UAE courts reserve the right to adjust any contractual liability cap if the amount agreed in the contract is less than the actual damages suffered by the injured party. The courts may therefore order that a cap is increased to be equal to the amount of damages suffered. Any such cap is, however, a starting point; if the claimant seeks to increase it, he or she must prove loss that justifies the increase.
Indemnities are commonly used in UAE contracts. However, they do not have a fixed meaning and are generally interpreted against the party seeking to rely on them. Accordingly, indemnities should be drafted as clearly as possible. There is still a risk that broad indemnities will not be upheld. An indemnity for a matter which is of a criminal nature or strict liability, or a liability which cannot be excluded, may not be enforceable as a matter of public policy in any event. It is therefore highly recommended that indemnities in contracts are specific and related to specific issues.
Rules and Restrictions
The general laws governing commercial agreements will apply and sector-specific data regulations may also be applicable depending on the circumstances.
Core Rules Regarding Data Protection
The UAE does not currently operate under a comprehensive federal data protection regime and there is no national data protection regulator. Instead, the financial free zones have their own regimes and the onshore position consists of overarching privacy safeguards set out in various laws that provide a basic framework of rights.
Companies operating in the UAE should therefore give careful consideration to the applicable regime and ensure that they understand the data protection rules that they will be subject to.
Concepts such as "data controller" and "data processor" only exist in some laws and are not universally applicable across the UAE.
The core rules under the onshore regime include the UAE Constitution, the Penal Code, and the Cybercrime Law.
The specific sectorial laws include: the new federal healthcare data law; the Telecommunication Regulatory Authority Policies (such as the IoT Policy); and financial sector regulations by the UAE Central Bank, Insurance Authority and the Securities and Commodities Authority (such as the Stored Values and Electronic Payment Regulations).
In addition, public sector regulations – such as the Dubai Electronic Security Centre (DESC) policies, the Abu Dhabi Digital Authority (ADDA) or the National Electronic Security Authority (NESA) – may have provisions that touch upon data protection.
In the financial free zones, the relevant laws are:
Draft laws are as follows.
Distinction Between Companies/Individuals
Most data protection obligations only apply to data in respect of individuals. However, there are certain sectorial laws that apply to classes of data (such as transactional data which can belong to either an individual or a company, or to categories of data produced by the public sector).
The relevant legal framework should be considered and the specific laws consulted prior to adopting a blanket approach to data processing in respect of individuals or companies in the UAE.
General Processing of Data
The general processing of data is not ordinarily subject to legal/regulatory oversight or specific requirements. However, there are several notable exceptions to this and certain sectorial laws apply to classes of data (such as transactional data or to categories of data produced by the public sector). In addition, any statistical data that relates to the emirate of Dubai is also subject to separate regulations.
The relevant legal framework should be considered and the specific laws consulted prior to adopting a blanket approach to data processing in respect of individuals or companies.
Processing of Personal Data
Both the DIFC and ADGM have European-style data protection laws that set out the legal grounds for processing personal data. The general rule onshore is more limited and generally only requires consent. The nature and extent of consent will depend on the circumstances but should always be obtained prior to transferring any personal data to a third party or outside the UAE.
Furthermore, some laws contain data residency requirements restricting transfers outside the UAE for certain categories of data (which may or may not be personal data); other laws require assurances as to the adequacy of data protection standards if data is to be transferred out of the jurisdiction.
Employees' Restrictions on Computer Use
Company computer resources provided by an employer for the use of its employees remain the property of the employer. The starting point is that the employer can control use (eg, by blocking websites and not permitting personal use) and monitor activity on its systems.
Where the employee has not expressly consented to the monitoring of their use of the computer resources, there are mixed views among lawyers regarding the extent of monitoring that can be undertaken by the employer.
For this reason it is sensible to adopt an IT usage policy which details the rights of the employer to limit and/or withdraw use of the computer resources and to monitor usage including the websites that have been visited and the contents of emails sent via the computer email system.
Ideally, an employee would expressly consent to the policy but in the absence of this, so long as the company can demonstrate the employee has been made aware of the policy and received a copy of it, then it should be upheld. If such a policy is in place, it should be carefully drafted since the company must abide by its terms.
If the company does not have such an IT usage policy, then monitoring and investigation of web traffic and emails is subject to compliance with UAE Labour Law and individuals’ privacy rights under the UAE constitution.
In all cases it is recommended that the following is kept in mind.
When reviewing emails and IT equipment in the course of an investigation, employers should additionally bear in mind that:
DIFC, ADGM and Dubai Healthcare City Free Zones have their own data protection laws that must also be complied with where applicable and if the company is based in any of these locations separate advice should be obtained.
Technologies within Local Telecommunications Rules
A licence is required from both the relevant companies registrar in the UAE and the Telecommunications Regulatory Authority (TRA or the Authority) to provide a telecommunications network (wired or wireless) and the connectivity services required for related products to be used by end-users.
The TRA determines the form and substance of each licence granted and may include in such licences any conditions that it requires.
In addition, the technologies that fall within the scope of UAE telecommunications rules require licensing from the relevant companies registrar and/or type approval from the TRA. The TRA website provides a summary of those technologies.
The TRA has exclusive competence in issuing all authorisations in relation to telecommunications matters.
No person is permitted to use, sell, offer for sale or connect to any telecommunications network a telecommunications apparatus (as defined in the law) that has not been approved by the Authority. The Authority has enacted specific type approval regulations (Telecommunications Apparatus Type Approval, version 1, dated 5 April 2007), which set out in more detail the process for obtaining type approval in the UAE.
Telecoms equipment employing wireless transmission in the frequency range 9 kHz to 3,000 GHz and/or telecommunications apparatus directly connected to or intended to be directly connected to a public telecommunications network is required to be registered with the Authority prior to use, sale, offer for sale or connection in the UAE (except for equipment purchased outside the UAE and imported personally for an entity’s own use). Only a dealer, importer or manufacturer of such telecoms equipment registered with the TRA is permitted to apply for the registration of such telecoms equipment with the Authority and the registered dealer is required to have a valid trade licence for the equipment concerned.
The registered dealer is responsible for ensuring that telecommunications apparatus is suitable for the purpose for which it is supplied and that it operates in accordance with the claims made in relation to it, and for registering the equipment with the TRA unless the equipment has previously been registered. Governmental entities are exempt from obtaining the approval of the TRA in respect of equipment used or to be used by governmental entities.
A frequency authorisation is similarly required to use radio frequencies in the UAE and all authorised users are required to comply with the Radiocommunications Policy, which is available on the TRA website.
The establishment and use of wireless transmission stations and the installation and use of any wireless transmission is prohibited unless permitted by a radio spectrum authorisation issued by the TRA.
In addition, the TRA has issued ancillary regulations, such as the Consumer Protection Regulations, which provide for a consumer dispute resolution procedure and a resolution dealing with spam emails.
In practice, early engagement with the TRA is advisable to understand the specific steps required in relation to the launch of any product or technology in the telecoms sector. It is prudent to assume that every product which falls within the telecoms rules will require some form of prior consent or approval from the TRA.
Under the 2017 Cabinet Resolution concerning Media Content (the 2017 Regulations), the vast majority of digital media (including e-books, music streaming services, and on-demand film and TV) are now within scope of national content laws and subject to censorship and pre-approval by the National Media Council (NMC).
At this stage, it is unclear if the regulations will have extraterritorial effect on entities based outside the UAE that offer services within the jurisdiction. However, the NMC, as well as other government authorities, reserve the right to block any site which is deemed to breach local requirements and regulations.
Traditional media content and digital media content, including television shows and film, are regulated under the Electronic Media Regulations (published in 2018 under the umbrella of the 2017 Regulations).
These regulations are intended to apply to "all electronic media activities" carried out in the UAE by both onshore and free zone-based entities, including but not limited to advertisement and promotion, publishing, news sites and sites selling or otherwise dealing in print, video and audio materials. They include a list of four activity types which the NMC considers to be "electronic media activities" and in respect of which an Electronic Media Licence will need to be obtained. This is in addition to the licence to be obtained from the relevant companies registrar. The four types are:
It also addresses personal websites, blogs and social media platforms and exempts school and government websites.
Other important regulations include the following.
Online Video Channels
In addition to the above requirements, entities should carefully consider:
Legal Requirements Governing the Use of Encryption
Unless explicitly authorised by the TRA, it is not permitted to use encryption techniques for the purpose of obscuring the meaning in relation to content of radio communications or the transmission, emission or reception of electromagnetic energy by Radio Frequency spectrum. (NB: "radio frequency" means radiated electromagnetic energy measured in Hz or cycles per second).
As a result, a Frequency Spectrum Authorisation granted by the TRA does not accord any privacy rights to end-users, except in relation to diplomatic official correspondence as defined in Article 27 of the Vienna Convention on Diplomatic Relations (1961). A supplier of wireless or telecoms products which use radio frequency therefore needs to ensure that, if any elements of the products include encryption, there is an explicit authorisation from the TRA for the use of that encryption. If there is no such authorisation, the products should not contain any form of encryption.
Encryption may be of particular concern to the authorities if, for example, relevant information or data is hosted outside the UAE. It is unclear whether the TRA would in practice pursue a manufacturer or supplier which merely provides such products to an importer or service provider in the UAE if there were a contravention of this requirement, but this could be possible under the broad language used in the Radiocommunication Policy.