Saudi Arabia: Overview of the Amended PDPL and Key Differences to the GDPR

By Latham & Watkins on July 26, 2023 Posted in Saudi Arabia

The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification.

By Brian A. Meenagh and Lucy Tucker

An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. The amended PDPL contains the same wide extra-territorial scope as the original PDPL. It applies to any processing of personal data that takes place in the Kingdom, and applies to the processing of personal data of individuals located in the Kingdom by organizations outside of the Kingdom.

The amended PDPL contains concepts and requirements similar to those in international privacy laws, such as the GDPR, including concepts, such as personal data, controllers and processors, data processing principles, certain data subject rights, and the requirement to maintain a record of processing activities. However, the PDPL diverges from international privacy laws in several important areas, notably in relation to transfers of personal data outside of the Kingdom and penalties for non-compliance.

DIFC Proposes to Amend Data Protection Rules to Regulate Use of AI

By Latham & Watkins on May 5, 2023 Posted in United Arab Emirates

The Dubai International Financial Centre urges companies to protect personal data when using artificial intelligence.

By Brian A. Meenagh, Ksenia Koroleva, and Lucy Tucker

On 18 April 2023, the Dubai International Financial Centre (DIFC), a financial free zone with its own data protection laws, published a consultation paper (the Consultation Paper) regarding amendments to DIFC Data Protection Regulations (the Regulations) for a 30-day public consultation.

The Consultation Paper acknowledges that AI systems are important and useful but carry risks to personal data processing. The DIFC’s proposed approach urges all companies using AI systems to adopt and reinforce technical and organisational means to protect personal data when using AI.

Ready for Takeoff: A Look at the Space Sector in the Middle East

By Latham & Watkins on February 27, 2023 Posted in Kuwait, Project Development and Finance, Qatar, Saudi Arabia, Technology, United Arab Emirates

The Middle East’s rapidly advancing space sector has seen a slew of landmark achievements in the last few years.

By Alexander Hendry

In 2014, the UAE established the UAE Space Agency to oversee and grow its space sector, and it has since successfully completed numerous projects. In July 2020, it became the fifth country in the world to launch a probe to Mars, and in December 2022, the UAE-built Rashid Rover was launched on a path to the moon. Emirati astronaut Hazza Al Mansouri was the first person from the UAE in space, and Emirati astronaut Sultan Al Neyadi will soon embark on a six-month mission to the International Space Station. The Mohammed bin Rashid Space Centre has launched four satellites, and UAE-based satellite company Yahsat currently manages a fleet of five satellites and provides services in more than 150 countries. In 2022, the UAE established an US$817 million fund to support its space sector, including the development of a constellation of advanced radar imaging satellites.

Dubai Virtual Assets Regulation Authority Enacts New Regime to Regulate Virtual Assets

By Latham & Watkins on February 16, 2023 Posted in Fintech

The new regime specifies licensing and reporting requirements for a range of activities related to virtual assets in the Emirate of Dubai.

By Brian A. Meenagh, Matthew Rodwell, and Ksenia Koroleva

On February 7, 2023, the Dubai Virtual Assets Regulation Authority (VARA) adopted the Virtual Assets and Related Activities Regulations 2023 (the Regulations) together with four compulsory and seven activity-specific rulebooks.

VARA adopted these Regulations further to Dubai Law No. 4 of March 11, 2022 on the Regulation of Virtual Assets in the Emirate of Dubai (the Law) (for more information, see Latham’s blog post).

The Law granted VARA powers to regulate activities relating to virtual assets in the Emirate of Dubai (excluding the Dubai International Financial Center (DIFC); DIFC has its own regime regulating virtual assets — see Latham’s blog post).

The Law laid down key definitions (such as the definitions of virtual assets (VAs) and distributed ledger technology (DLT)), and provided a broad list of activities requiring a license. The Law entitled VARA to adopt regulations for all relevant activities and VAs.

Dubai Financial Services Authority Issues New Regime to Regulate Crypto Tokens

By Latham & Watkins on November 17, 2022 Posted in Fintech

The regime introduces rules on various crypto tokens, including cryptocurrencies and stablecoins, in the Dubai International Financial Centre.

By Brian A. Meenagh, Matthew Rodwell, and Ksenia Koroleva

On November 1, 2022, the Dubai Financial Services Authority (DFSA) crypto token regulatory regime came into effect.

The rules expand upon the DFSA framework for regulating investment tokens established in 2021 (the 2021 Rules). The Dubai International Financial Centre (DIFC) regime defines a token as a cryptographically secured digital representation of value, rights, or obligations which may be issued, transferred, and stored electronically, using distributed ledger technology (DLT) or other similar technology. The 2021 Rules only regulated investment tokens, which comprised security tokens and derivative tokens (in essence, tokenized equivalents of conventional securities and derivatives, respectively) (the Investment Tokens). Pursuant to the 2021 Rules, persons carrying out certain activities with Investment Tokens (e.g., issuing, offering, holding, promoting, dealing, advising, brokering) need to obtain approval from the DFSA and comply with certain obligations.

UAE Central Bank Issues Guidance on Anti-Money Laundering Risks in the Payment Sector

By Latham & Watkins on August 25, 2022 Posted in Banking and Finance, Regulatory, United Arab Emirates

The guidance is part of the rapidly evolving rules on anti-money laundering and aims to promote UAE as a jurisdiction compliant with best practices.

By Brian Meenagh, Ksenia Koroleva, and Matthew Rodwell

On August 1, 2022, the UAE Central Bank (CBUAE) issued the Guidance for Licensed Financial Institutions on the Risks Relating to Payments.[1]

The guidance was issued to implement the requirements of Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations. It sets out the CBUAE’s expectations as to the appropriate compliance measures to be adopted within payments ecosystems. The guidance is not intended to amend or replace existing CBUAE requirements and should be read in conjunction with the CBUAE’s existing rules[2] and guidance materials[3]. Continue Reading

UAE Publishes First Federal Data Protection Law

By Latham & Watkins on December 14, 2021 Posted in Regulatory, United Arab Emirates

Organisations subject to the law should carry out a gap analysis of their current compliance position against the new requirements.

By Brian A. Meenagh, Alexander Hendry, and Lucy Tucker

The United Arab Emirates (UAE) has issued its first federal data protection law (Federal Decree Law No. 45/2021 on the Protection of Personal Data) (the Data Protection Law), alongside a law establishing the new UAE Data Office (Federal Decree Law No. 44/2021 on Establishing the UAE Data Office).

The issuance of the Data Protection Law follows a trend of new data protection laws in the Middle East, including a data protection law in Saudi Arabia that will come into force on 23 March 2022. Continue Reading

UAE Decision on Health Data Law Provides Clarity

By Latham & Watkins on August 30, 2021 Posted in Healthcare, United Arab Emirates

The decision will likely provide comfort to businesses operating in the healthcare sector both in the UAE and globally.

By Brian A. Meenagh and Avinash Balendran

On 28 April 2021 the United Arab Emirates (UAE) federal government issued Ministerial Decision No. 51 of 2021 (the Decision) to clarify when health information may be stored or transferred outside of the UAE. The Decision should pave the way for many domestic and overseas healthcare service providers to continue processing, storing, and transferring health information outside of the UAE.

The Decision reiterates the default position established in 2019 that health information must be kept within the UAE unless such activity has been approved by a decision of the health authority or the UAE Minister of Health and Prevention. Crucially, however, the Decision provides a series of exemptions to that default position.

To see a table of the exemptions, read Latham’s Client Alert.

UAE’s New Consumer Protection Law: An End to Direct Marketing?

By Latham & Watkins on March 24, 2021 Posted in Regulatory

The new legislation extends both the protections available to consumers, as well as the obligations applicable to e-commerce retailers.

By Brian A. Meenagh and Avinash Balendran

With its recent implementation of a new consumer protection law, the United Arab Emirates has taken a significant step forward in protecting the rights of consumers. The new legislation — Federal Law No. (15) of 2020 (the New CPL) — entered into force on 16 November 2020, repealing Federal Law No. (24) of 2006. In particular, the New CPL extends both the protections available to consumers, as well as the obligations applicable to e-commerce retailers.

One stand-out provision in the New CPL is Article 4(5), which places an obligation on Entities (as defined below) to protect “consumers’ privacy and data security”. Article 4(5) also implies that Entities should not use consumer data for “the purposes of promotion or marketing”. Continue Reading

SAMA Updates Payment Services Provider Licensing Regime in the KSA

By Latham & Watkins on September 3, 2020 Posted in Regulatory, Saudi Arabia

The updates are part of SAMA’s efforts to promote an innovation-based financial technology ecosystem in the KSA.

By Salman Al-Sudairi, Brian A. Meenagh, and Homam Khoshaim

Last month, the Saudi Arabian Monetary Authority (SAMA) issued an update to the recently implemented Payment Services Provider Regulations (PSPR), which was introduced in January 2020 to regulate Payment Services Providers (PSPs) operating in the Kingdom of Saudi Arabia (KSA). The PSPR provides a clear path for PSPs to obtain SAMA-issued licenses to provide payment services in the KSA. Notably, the PSPR applies concepts implemented by the European Union’s Payment Services Directive (PSD2). This should remove some of the friction involved in international PSPs launching operations in the KSA by allowing them to apply the same business models and operating processes already applied in the jurisdictions in which they operate. Continue Reading