The new legislation extends both the protections available to consumers, as well as the obligations applicable to e-commerce retailers.

By Brian A. Meenagh and Avinash Balendran

With its recent implementation of a new consumer protection law, the United Arab Emirates has taken a significant step forward in protecting the rights of consumers. The new legislation — Federal Law No. (15) of 2020 (the New CPL) — entered into force on 16 November 2020, repealing Federal Law No. (24) of 2006. In particular, the New CPL extends both the protections available to consumers, as well as the obligations applicable to e-commerce retailers.

One stand-out provision in the New CPL is Article 4(5), which places an obligation on Entities (as defined below) to protect “consumers’ privacy and data security”. Article 4(5) also implies that Entities should not use consumer data for “the purposes of promotion or marketing”.

The updates are part of SAMA’s efforts to promote an innovation-based financial technology ecosystem in the KSA.

By Salman Al-Sudairi, Brian A. Meenagh, and Homam Khoshaim

Last month, the Saudi Arabian Monetary Authority (SAMA) issued an update to the recently implemented Payment Services Provider Regulations (PSPR), which was introduced in January 2020 to regulate Payment Services Providers (PSPs) operating in the Kingdom of Saudi Arabia (KSA). The PSPR provides a clear path for PSPs to obtain SAMA-issued licenses to provide payment services in the KSA. Notably, the PSPR applies concepts implemented by the European Union’s Payment Services Directive (PSD2). This should remove some of the friction involved in international PSPs launching operations in the KSA by allowing them to apply the same business models and operating processes already applied in the jurisdictions in which they operate.

By Christopher Lester and Connie Leung

The Prescribed Company Regulations offer a more flexible incorporation and permitted purposes regime than its predecessor, the Special Purpose Company Regulations.

Prescribed Companies are a type of corporate vehicle available in the Dubai International Financial Centre (DIFC), the financial free zone of the Emirate of Dubai, United Arab Emirates (UAE). Prescribed Companies are categorised as Private Companies under the DIFC Companies Law No. 5 of 2018 (the Companies Law), but are exempted from certain

Navigating the impact of the pandemic on technology contracting in preparation for a post-COVID-19 world.

By Brian Meenagh and Alexander Hendry*

A recent Latham.London blog post recommended five steps that customers should take when procuring technology and related services in light of COVID-19 and future pandemics. This blog post examines five additional considerations for customers based in the Middle East.

As a starting point, the recommendations in the Latham.London post still apply, and Middle East customers should:

  1. Have an open discussion with the vendor about the potential service impacts of COVID-19
  2. Structure the service in the most resilient way possible
  3. Consider whether internal (or other third-party) solutions can fill any gaps
  4. Make clear which party will bear any remaining risk of service disruption
  5. Ensure that the output of discussions about “risk” flows through to the fee arrangement

In addition, Middle East customers should consider the following.

Understanding bankruptcy laws in the UAE and DIFC in the context of COVID-19-related financial pressures.

By Nomaan A. Raja and Aly Kassam

COVID-19 has already caused wide-scale disruption to numerous industries both locally and globally. Whilst efforts are underway to stop the spread and impact of COVID-19, the financial and social impact of the virus will be felt for many months to come. As companies come to terms with working from home arrangements and the new landscape in which they

UAE Federal Cabinet approves Positive List of activities eligible for up to 100% foreign ownership.

By Christopher Lester and Connie Leung

WAM, the Emirates News Agency, reported on 2 July 2019 (the WAM Report) that the UAE Federal Cabinet has approved 122 economic activities across 13 sectors that will be eligible for up to 100% foreign investment (the July 2019 Cabinet Decision). This approval is the latest development in the UAE’s move towards encouraging foreign direct investment in priority sectors

Healthcare entities should immediately assess whether Federal Law No. 2 of 2019 applies to their practices.

By Brian A. Meenagh

On 6 February 2019, the President of the United Arab Emirates (UAE) in conjunction with the UAE Minister of Health and Prevention (the Minister) issued a new law on the use of information and communications technology (ICT) in health fields in the UAE. Federal Law No. 2 of 2019 (the Law) entered into effect in May 2019 and will likely affect the activities of a number of entities operating in the healthcare sector in the UAE, including healthcare service providers, life sciences companies, cloud service providers, healthcare IT systems suppliers, and medical insurance providers.

The DIFC guidelines provide practical guidance for DIFC-registered entities engaging in electronic direct marketing, including useful “dos” and “don’ts”.

By Brian A. Meenagh, Fiona M. Maclean, and Laura Holden

What Do DIFC-Registered Entities Need to Know?

In January 2019, the Commissioner for Data Protection for the Dubai International Financial Centre (DIFC) issued new Direct Marketing and Electronic Communications Guidelines, aimed at DIFC-registered entities that collect and maintain personal data for electronic direct marketing purposes.

The document provides practical guidance on the rules relating to the collection, maintenance, and use of personal data for electronic direct marketing purposes set out in the Data Protection Law, DIFC Law No.1 of 2007 (DP Law), which is based on the (now superseded) UK Data Protection Act 1998 and EU Data Privacy Directive 1996. However, the guidelines also take into account the latest direct marketing requirements under the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Directive 2002, providing practical examples of “do’s” and “don’ts” for entities to consider. The guidelines also appear to leverage provisions from the October 2018 draft of the EC’s new e-Privacy Regulation (ePR) which is currently anticipated to come into force in 2021.

By Brian Meenagh

On October 26, 2015, Raja Al Mazrouei, the Commissioner for Data Protection for the Dubai International Financial Centre (the DIFC), issued guidance on the adequacy of US Safe Harbor for the purpose of exporting personal data from the DIFC. The guidance is significant for organisations that transfer personal data from the DIFC to the US and such organisations should urgently review the basis upon which they transfer personal data from the DIFC to the US to ensure that they continue to comply with the DIFC Data Protection Law (No 1 of 2007).

The guidance follows the decision of the European Court of Justice (the ECJ) in Case C-362/14 – Maximillian Schrems v Data Protection Commissioner that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbor Adequacy Decision), is invalid.

The key message from the guidance is that:

“the invalidation of the Adequacy Decision by the ECJ provides cause for the Commissioner to reconsider the adequacy status previously afforded under the Law to US Safe Harbor Recipients. However, the Commissioner also understands that there are ongoing negotiations between Europe and US authorities towards an improved Safe Harbor framework and that these negotiations are well advanced.