New UAE Health Law Enters Into Effect

Posted in United Arab Emirates

Healthcare entities should immediately assess whether Federal Law No. 2 of 2019 applies to their practices.

By Brian A. Meenagh

On 6 February 2019, the President of the United Arab Emirates (UAE) in conjunction with the UAE Minister of Health and Prevention (the Minister) issued a new law on the use of information and communications technology (ICT) in health fields in the UAE. Federal Law No. 2 of 2019 (the Law) entered into effect in May 2019 and will likely affect the activities of a number of entities operating in the healthcare sector in the UAE, including healthcare service providers, life sciences companies, cloud service providers, healthcare IT systems suppliers, and medical insurance providers. Continue Reading

DIFC Issues New Direct Marketing and Electronic Communications Guidelines

Posted in United Arab Emirates

The DIFC guidelines provide practical guidance for DIFC-registered entities engaging in electronic direct marketing, including useful “dos” and “don’ts”.

By Brian A. Meenagh, Fiona M. Maclean, and Laura Holden

What Do DIFC-Registered Entities Need to Know?

In January 2019, the Commissioner for Data Protection for the Dubai International Financial Centre (DIFC) issued new Direct Marketing and Electronic Communications Guidelines, aimed at DIFC-registered entities that collect and maintain personal data for electronic direct marketing purposes.

The document provides practical guidance on the rules relating to the collection, maintenance, and use of personal data for electronic direct marketing purposes set out in the Data Protection Law, DIFC Law No.1 of 2007 (DP Law), which is based on the (now superseded) UK Data Protection Act 1998 and EU Data Privacy Directive 1996. However, the guidelines also take into account the latest direct marketing requirements under the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Directive 2002, providing practical examples of “do’s” and “don’ts” for entities to consider. The guidelines also appear to leverage provisions from the October 2018 draft of the EC’s new e-Privacy Regulation (ePR) which is currently anticipated to come into force in 2021. Continue Reading

UAE Free Zone Navigator

Posted in Emerging Companies, United Arab Emirates, Venture Capital


United Arab Emirates (UAE) free zones are attractive jurisdictions for early and growth-stage companies. Free zones are designed to encourage startups and foreign investors through simpler processes and procedures, permiting 100% foreign ownership. However, the more than 45 free zones in the UAE each have their own  rules and regulations, so choosing the right free zone can be a complicated decision.

Latham & Watkins, in partnership with VentureSouq, has developed the UAE Free Zone Navigator, an innovative online resource to help entrepreneurs, investors, and fast growth companies determine the most appropriate free trade zone when looking to establish a presence in the United Arab Emirates.

The UAE Free Zone Navigator compares 11 popular free zones across 19 industries, from e-commerce to gaming and augmented reality.

Click here to access the Navigator.



Dubai Health Authority Issues New Telehealth Regulations

Posted in Healthcare

International and local health providers in the UAE are increasingly looking to provide telemedicine services in the region. While the regulation of telemedicine remains inconsistent across the country, Dubai seems to be leading the way with significant regulatory developments in 2017.


Federal Regulatory Landscape

To market healthcare services in the UAE, a healthcare provider must establish a legal presence, hold a commercial licence to do business in the UAE (or in a free zone in the UAE), and possess the relevant healthcare provider licence. Until recently, the Abu Dhabi Health Authority (HAAD) was the only UAE health authority with a regulatory framework for telemedicine. While the Dubai Healthcare City Authority (DHCCA) has not yet implemented a telemedicine regulatory regime, the Dubai Health Authority (DHA) recently implemented regulations governing the provision of telehealth care services in Dubai.


Previously, the DHA did not permit the licensing of telemedicine, with the exception of teleradiology. However, the DHA issued new regulations (DHA Regulations) on 21 February 2017 (effective on the date of issuance), permitting the licensing of telehealth care services (including telemedicine). The DHA Regulations stipulate that any natural or legal person wishing to establish, operate, or provide telehealthcare services in Dubai must obtain a licence from the DHA. The DHA Regulations also expressly allow healthcare facilities to add telehealthcare services to their existing licences.

Abu Dhabi

HAAD implemented a sophisticated regulatory regime for telemedicine in 2013, under which it issued a telemedicine licence to the Abu Dhabi Telemedicine Centre. However, HAAD had suspended telemedicine licensing in Abu Dhabi for several months. Latham understands that HAAD recently lifted this suspension, as HAAD is currently accepting applications from parties interested in obtaining a telemedicine license.

A healthcare facility wishing to provide teleconsultation services from Abu Dhabi must be a HAAD-licensed healthcare facility specifically licenced to provide teleconsultation, or an existing HAAD-licenced facility authorised by HAAD to provide teleconsultation.

Dubai Healthcare City

The DHCC initially appeared to be taking the lead in the region in developing telemedicine as the DHCCA had reportedly licensed at least one hybrid telemedicine establishment. However, Latham understands that the DHCCA is now no longer licensing telemedicine establishments in the DHCC until the UAE government issues federal regulations that specifically govern telemedicine in the country. Notwithstanding the foregoing, the DHCCA is currently accepting applications from parties interested in practicing telemedicine in the DHCCA to determine if the practice can be permitted under an existing license category in the DHCC. The DHCCA will review such applications on a case-by-case basis.

One of the key drawbacks in practicing telemedicine in the UAE at this time is that it is unlikely that any of the three regulators will allow a healthcare provider to prescribe medication for patients without an in-person consultation.

  • The HAAD Standards in Abu Dhabi strictly preclude licensed telemedicine practices in Abu Dhabi from prescribing medication.
  • The DHA Regulations appear to be more ambiguous on this point. While the DHA Regulations prohibit a physician from prescribing any medication before conducting a physical examination of the patient, the regulations also provide that the preparation of medical prescriptions falls within the scope of teleconsultation services. A conservative reading of the DHA Regulations would suggest that prescribing medications is only permissible after a physical examination.
  • Although there is no telemedicine regulatory framework in the DHCC, the hybrid telemedicine practice operating in the DHCC does not prescribe medication without an in-person consultation.

Entities looking to practise telemedicine in the UAE are advised to approach the relevant regulatory authorities and seek legal advice as soon as possible in order to ensure compliance with existing regulations.

Key Considerations for Middle East Entities Looking to Invest in US Technology Companies

Posted in Intellectual Property, Technology, United Arab Emirates, Venture Capital

Digital Media concept Wall of screens smart TV

Four of Latham & Watkins’ leading emerging company partners in Silicon Valley, Luke Bergstrom, Tad Freese, Jim Morrone and JD Marple, recently hosted a webinar titled “Achieving Successful Outcomes as a Non-US Company Investing in or Acquiring Technology Companies in Silicon Valley”. The webinar can be viewed here.

In this blog we have sought to draw out some of the key observations in the webinar that are relevant to Middle East entities considering investing in US technology companies.

Unique Challenges

While many of the factors that influence the ‘investment in’ or ‘acquisition of’ technology start-ups is common to other types of companies, technology start-ups present their own unique challenges and opportunities resulting from either the long term goals of the founders or the motivation of the potential investors.

When dealing with a technology start-up, stakeholders should keep in mind (i) the key assets of the start-up and the due diligence focus and (ii) the key investment considerations and factors required for structuring a successful outcome.

Key Assets and Due Diligence Focus

The key assets of a technology start-up include its intellectual property, founders, employees and key customer relationships.

Depending on which asset the start-up derives its key value from, any due diligence exercise undertaken with respect to an investment should focus on such assets with an aim to uncover red-flag issues.  More detailed due diligence exercises tend to be conducted in anticipation of full-blown acquisitions. Investors should also remember that start-ups will rarely have the required processes in place to provide timely and efficient responses to due diligence request lists. Instead, management calls often tend to be a useful tool in running the due diligence process.

An investor’s due diligence approach can also often colour how the founders and employees of the company envisage working with the investor and the investor should note this impact in determining and executing its approach to diligencing the relevant target.

Key Investment Considerations and Factors

Start-ups tend to be reliant on equity financing as debt finance is often not readily available. Founders will generally hold multiple fund raising rounds with each round providing capital sufficient for between 12 and 18 months and each new round of financing may involve new outside investors as well as the existing investors.

When investing in a technology start-up, it is important to identify the categories of existing shareholders as each will have different motivations that need to be considered as part of the investment process. For example:

  • The Venture Capitalist: Venture capitalists tend to have a short-term investment horizon seeking the highest return for the lowest investment. They also prefer a clean-exit with minimal post-closing obligations.
  • The Serial Entrepreneur/Founder: The founder is often the idea generator who dedicated time and commitment to the start-up. Serial entrepreneurs, however, often tend to move onto the ‘next big thing’, which can impact discussions relating to any applicable non-compete provisions.
  • Employees: Employees of the start-up are often concerned with issues such as the opportunities available to them in the new organisation structure (which may or may not focus on the developed technology), their role and their compensation structure.
  • Other Stockholders: Other stakeholders will be concerned with their return relative to their original investment and the types of obligations they are required to sign up to.

Along with identifying the categories of existing shareholders, it is also important to give consideration to those issues which most often necessitate negotiation between the parties.

The common areas of negotiation vary depending on whether the transaction is being treated as an investment or an acquisition.

In an investment, key areas of negotiation include:

  1. Governance Rights: Governance rights deal with an investor’s right to manage the company. Governance rights can exist in the form of board representation, observer rights or veto rights with respect to certain decisions.
  2. Transfer Rights: Transfer rights deal with an investor’s ability to transfer their shares in the company. For example, a minority investor may require tag-along rights pursuant to which if a majority investor sells their stake in the company, the purchaser will also need to make an offer to purchase the minority investor’s shares. Alternatively, a majority investor may have found a purchaser for his shares but the purchaser requires that as part of the sale, he also acquires the shares of the minority investors. Drag-along rights will enable the majority investor to ‘drag’ the minority investors into such sale.
  3. Rights relating to the Sale of the Company: These are similar to transfer rights and relate to an investor or founder’s ability to sell his shares in the company. For instance, some investors may require that the shares held by the founders of the company be subject to a right of first refusal whereby if the founder wants to sell his shares in the company, he must first go to the market and get a price for such shares and then allow the investor to step into the proposed purchaser’s position and purchase the shares at the agreed price. An alternative to such right is the right of first offer whereby before a shareholder can sell his shares to a third party, the shares must be offered to the existing shareholders of the company.

In an acquisition, key areas of negotiation include:

  1. Employee Incentive and Retention Mechanisms: These are types of management/key employee incentive schemes meant to incentivise key employees and management to remain with a business after an acquisition and can take the form of cash and/or equity payments.
  2. Purchase Price Structures and Formulations: A key negotiation point is how the purchase price will be structured and can include discussions around stock v cash payment to the founders, holdback and escrow arrangements.
  3. Indemnity Limitations: A full blown acquisition may involve the sellers providing certain indemnities in relation to the business which will result in negotiation around any caps and time limitations applying to such indemnities.
  4. Conditionality Provisions: A full blown acquisition may also be contingent on factors such as the accuracy of any representations made by the sellers, any material adverse effects on the business, any outstanding third party consents or other material factors unearthed during the due diligence process.

We also note that there are certain advantages of investing early in technology start-ups as opposed to making a full-blown acquisitions include (i) greater long term visibility over the team and product (e.g. access to reports, financial statements and board access); (ii) diversification of risk by betting on different companies in their infancy; (iii) early awareness of possible sale transactions; and (iv) the ability to act quickly prior to the final acquisition.

Why should Qatari, Saudi and UAE organizations care about the European Union’s new General Data Protection Regulation?

Posted in Employment, Intellectual Property, Technology

3d render.

The compliance world will change dramatically for a number of GCC organizations on 25 May 2018. In just over one year’s time GCC organizations that:

  1. have a branch, subsidiary or single representative in the European Union (“EU”);
  2. do not have a physical presence in the EU, but offer goods or services to data subjects in the EU; or
  3. neither have a physical presence in the EU nor offer goods or services to people in the EU, but monitor the online behavior of data subjects in the EU,

will have to ensure that they are complying with the European Union General Data Protection Regulation (“GDPR”). Failure to do so by 25 May 2018 will expose such entities to fines of up to 20 million euros of 4% of a corporate group’s total annual worldwide turnover, whichever is higher.

Who is likely to be affected?

Based on the test set out in the GDPR, the new regulations will likely apply to a significant number of entities in this region. Obvious examples include major airlines that fly to and from the EU, hotel and tourism operators who promote travel to the region to EU data subjects, regional banks and other financial service companies that have branches in the financial centres in the EU and online. Less obvious examples include e-commerce companies that are able to accept payments in euros and deliver to the EU and mobile apps that can be downloaded by users in the EU and which have access to a user’s contacts, photos or location data. All of these entities need to consider the fact that they may need to comply with the GDPR and be cognizant of the cost attached to the failure to do so.

What if an organization is affected?

If your organization is affected it has three main options:

  1. do nothing (not advisable);
  2. consider what it needs to do to make sure that it does not fall within the scope of the GDPR; or
  3. accept that it does need to comply with the GDPR and start taking steps to comply with the GDPR straight away.

With respect to option (2), if your organization does not have an establishment in the EU and does not need to target or monitor EU data subjects then simple things that it can do to mitigate the risk of needing to comply include making it very clear that your website or app does is not for use by EU users (e.g. including geo-blocking EU data subjects).

With respect to option (3), if you have not started the process of ensuring compliance by now, then there is a lot to do, but you still have until 25 May 2018 to do it. Our detailed client alert [Europe counts down to the General Data Protection Regulation] provides useful guidance on the compliance process, but in summary, an organization will need to:

  1. monitor business to consumer business practices, including conducting a data protection audit, examining the legal basis on which it processes personal data and updating its privacy policies;
  2. monitor internal business practices, including reviewing and updating agreements with data processors, implementing processes for adoption of pseudoanonymization and privacy by design and considering the legal basis on which it transfers personal data between jurisdictions;
  3. establish compliant accountability processes, including processes for record keeping, appointment of a data protection officer or EU representative and dealing with data subjects; and
  4. invest in infrastructure, including establishing robust security processes and procedures for notifying regulatory authorities and data subjects of a data breach depending on its severity and impact on data subjects.

What next for GCC organizations that wish to comply with the GDPR?

Please read our previous client alert (see above) and for an initial understanding of what organizations should be doing by way of compliance. If your organizations requires further assistance then our Data Privacy and Information Law team can help you prepare for the heightened compliance burden by 25 May 2018. We have developed a standard set of tools, policies and checklists and can tailor support for organizations at all levels – from start-up companies to complex multinationals. We can very quickly provide clients the tools they need to manage compliance internally, e.g.:

  • GDPR checklists
  • framework GDPR policies
  • template intra-group data transfer agreements
  • GDPR compliant processing clauses/ agreements for appointing service providers
  • excel templates to gather information on records of processing
  • framework policies for implementing privacy by design
  • framework privacy impact assessments

We can also project manage clients GDPR compliance programs, including diligence existing agreements with data processors, update contract templates to ensure they meet GDPR requirements and implement compliance audits and remediation programs. Please get in touch if we can be of any assistance or if you wish to simply discuss this topic further.

The Legal Landscape for Drones in the UAE

Posted in Regulatory, Technology, United Arab Emirates

The use of “unmanned aerial systems” or “drones” for commercial, government and consumer purposes has significantly increased in recent years across the globe. In the UAE, the office of H.H.Drones_002_sngleColClr Sheikh Mohammed Bin Rashid Al Maktoum, Prime Minister and Ruler of Dubai, introduced the Drones for Good Award at the Government Summit held in Dubai in February 2014 to promote the development of drone technology in the consumer market in the UAE.

This post explores the applicable federal and emirate-specific regulations, as well as the various concerns surrounding the use of drones (for commercial, government and consumer purposes).

Regulation at the Federal Level

At the federal level, the main pieces of legislation applicable to the use of drones in the UAE are Federal Resolution No. 2 of 2015 regarding Light Air Sports Practice Regulations (Federal Law) and the Civil Aviation Regulation (CAR) Part VIII Subpart 10 on the Operation of Unmanned Aerial Systems within the UAE (UAS Regulations), and at the emirate level, the Dubai Law No. 7 of 2015 on Airspace Security and Safety in the Emirate of Dubai (Dubai Law). Continue Reading

The Legal Status of Bitcoin in the United Arab Emirates

Posted in Banking and Finance, Regulatory, Technology, United Arab Emirates


This is the first in a series of articles considering legal issues relating to bitcoin, cryptocurrencies and blockchain in the UAE. In this article we focus on the legal status of bitcoin and address the question of whether bitcoin is banned in the UAE. In part two we will consider the case for regulating bitcoin and cryptocurrencies and in part three we will consider legal issues relating to the adoption of blockchain technology by public and private entities in the UAE.

Recent developments in the payments regulatory environment in the UAE have turned a spotlight on the legal status of bitcoin and other cryptocurrencies in UAE. On 1 January 2017, the UAE Central Bank published the “Regulatory Framework For Stored Values and Electronic Payment Systems” (see also United Arab Emirates – the New Digital Payments Regulatory Landscape).The focus of the Regulations was “to facilitate robust adoption of digital payments across the UAE in a secure manner,” but the Regulations contained the following statement which initially caused some concern among the cryptocurrency community in the UAE:

“D.7.3. Provisions for Virtual Currencies – All Virtual Currencies (and any transactions thereof) are prohibited”

On its own terms, this statement was open to one possible interpretation as banning bitcoin and all other cryptocurrencies in the UAE. On 1 February 2017, the Governor of the UAE central bank, His Excellency Mubarak Rashed Khamis Al Mansouri, issued a statement to Gulf News saying that “these regulations do not cover ‘virtual currency’” and “these regulations do not apply to bitcoin or other cryptocurrencies, currency exchanges, or underlying technology such as Blockchain.” He further added that virtual currencies are under review by the Central Bank and new regulations will be issued as appropriate. This, and the report from the Dubai Supreme Legislation Committee in November 2016 that it was considering “the present and future of the legislative and legal frameworks related to cryptocurrency known as Bitcoin” is a very welcome signal that the UAE is seeking to develop mature regulatory environment for the use of bitcoin and other cryptocurrencies and we eagerly await further guidance from the UAE authorities on this subject.

In the interim, the question remains – what is the current legal status of bitcoin in the UAE?

Bitcoin – a currency or a commodity?

A threshold question in considering the legal status of bitcoin is whether it is classified in a jurisdiction as a commodity (like gold) or a currency (like dirhams or US dollars). There is no clear international consensus on this question at the moment – in the US, bitcoin has been treated as a commodity by the Commodity Futures Trading Commission and in the European Court of Justice, bitcoin has been treated as a currency for VAT purposes. Why does this matter? It matters for a number of reasons:

  • From a regulatory authority perspective, if bitcoin is treated as a commodity it would fall under the regulatory remit of the UAE Securities and Commodity Authority, whereas if treated as a currency, it would fall under the regulatory authority of the UAE Central Bank.
  • From a tax perspective, if bitcoin is a commodity, it may be subject to a sales tax such as VAT, whereas if it is a currency then it would not be subject to such taxation. While this is not currently an issue in the UAE, it may become an important issue once VAT is introduced in 2018.
  • From a property rights perspective, if bitcoin is a commodity then it is a form of property over which specific title can be asserted and transferred, whereas if bitcoin is a currency then a bitcoin simply represents a claim to the value represented by the bitcoin, but not a form of property in and of itself. This distinction may seem unimportant on the surface but raises significant issues with respect to how bitcoins should be treated for in matters of trustee obligations, intestacy, sales of goods and bankruptcy and insolvency.
  • UAE authorities have yet to issue formal guidance on the whether they view bitcoin as a currency or a commodity, but it is arguable that the new Regulations, while not prohibiting bitcoin outright, do operate to prohibit the use of bitcoin as a form of currency in the UAE for payments or money remittances and by default the only use case of bitcoin that is not currently prohibited under UAE law is trading bitcoin as a commodity. This position may change – as noted above the UAE Central Bank and Dubai Supreme Legislative Committee are considering the legal status of bitcoin and may issue regulations in which bitcoin is clearly treated as a form of currency and permitted to be used as such in the UAE. Until that happens, businesses that treat bitcoin as a currency that can be used as a form of payment in the UAE or currency remittances from the UAE should proceed cautiously and seek further guidance as to whether or not their services are affected (or prohibited) by the current draft of the new Regulations.

What about blockchain? Is it treated the same way as bitcoin and cryptocurrencies?

It is very important to make a distinction between blockchain as an enterprise and social technology and bitcoin as simply one use case, albeit the most successful use case to date, of that technology. At a very basic level, a blockchain is a distributed ledger that records bitcoin transactions and is akin to an electronic database ledger used by financial services organizations to record fiat currency transactions. We will discuss the laws applicable to the use of blockchain by a public or private sector entity in a future article, but in terms of asking whether or not blockchain is permitted in the UAE, it would appear that there are no laws that prohibit the use of blockchain as an alternative to a more traditional database ledger.

Where next for bitcoin and blockchain in the UAE?

Bitcoin and blockchain appear to be on the radar of the UAE Government and the UAE Central Bank. The above report from the Dubai Supreme Legislation Committee notes that the UAE, “should be among the first in the region and the world to establish a legislative framework and a financial and organisational structure for this technology.” This would be a welcome development and in the next article we will set out the case for regulating bitcoin and cryptocurrencies and outline some possible approaches to creating a regulatory environment that protects confidence in the UAE’s financial systems, protects the consumer, supports the UAE’s smart government initiatives and drives innovation and growth in the fintech, payments and blockchain sectors.

United Arab Emirates – the New Digital Payments Regulatory Landscape

Posted in Banking and Finance, Technology, United Arab Emirates
Car Conveyor- 3d rendering.


New Regulations balance innovation in the payments sector with safety, security and maintaining the public’s trust in the UAE payment ecosystem.

After a long period of consultation, on 1 January 2017 the Central Bank in the United Arab Emirates (UAE) issued the Regulatory Framework for Stored Values and Electronic Payment Systems (Electronic Payment Regulation). The Electronic Payment Regulation’s key message is that all eligible participating institutions (whether they are banks, payment networks, telecommunications companies, government entities or non-issuing commercial entities) must maintain necessary licenses as well as governance and operational controls to ensure the integrity of the payments system and provide a minimum level of consumer protection and clarity on consumer rights.


To read more, please click here to view our recent Client Alert.