Recognizing new realities in decentralization, the regulations aim to provide market players with governance flexibility within distributed ledger technology foundations.

By Stuart Davis, Brian Meenagh, Andrew Moyle, and Ksenia Koroleva

On October 2, 2023, the Board of Directors of Abu Dhabi Global Market (ADGM), a financial free zone in the United Arab Emirates (UAE), enacted the Distributed Ledger Technology Foundations Regulations 2023 (Regulations). The Regulations were published on November 1, 2023.

Latham & Watkins has advised ADGM in drafting the Regulations. The Regulations were developed following extensive benchmarking across a number of peer jurisdictions and incorporate stakeholder feedback from ADGM’s April 2023 consultation paper. The adoption of the Regulations is part of the strategy to promote ADGM as a global center for digital assets.

The Regulations recognize the suitability of common law foundation structures for projects related to digital assets, and aim to allow maximum flexibility for the sector with respect to governance.

The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification.

By Brian A. Meenagh and Lucy Tucker

An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. The amended PDPL contains the same wide extra-territorial scope as the original PDPL. It applies to any processing of personal data that takes place in the Kingdom, and applies to the processing of personal data of individuals located in the Kingdom by organizations outside of the Kingdom.

The amended PDPL contains concepts and requirements similar to those in international privacy laws, such as the GDPR, including concepts, such as personal data, controllers and processors, data processing principles, certain data subject rights, and the requirement to maintain a record of processing activities. However, the PDPL diverges from international privacy laws in several important areas, notably in relation to transfers of personal data outside of the Kingdom and penalties for non-compliance.

The Dubai International Financial Centre urges companies to protect personal data when using artificial intelligence.

By Brian A. MeenaghKsenia Koroleva, and Lucy Tucker 

On 18 April 2023, the Dubai International Financial Centre (DIFC), a financial free zone with its own data protection laws, published a consultation paper (the Consultation Paper) regarding amendments to DIFC Data Protection Regulations (the Regulations) for a 30-day public consultation.

The Consultation Paper acknowledges that AI systems are important and useful but carry risks to personal data processing. The DIFC’s proposed approach urges all companies using AI systems to adopt and reinforce technical and organisational means to protect personal data when using AI.

The Middle East’s rapidly advancing space sector has seen a slew of landmark achievements in the last few years.

By Alexander Hendry

In 2014, the UAE established the UAE Space Agency to oversee and grow its space sector, and it has since successfully completed numerous projects. In July 2020, it became the fifth country in the world to launch a probe to Mars, and in December 2022, the UAE-built Rashid Rover was launched on a path to the moon. Emirati astronaut Hazza Al Mansouri was the first person from the UAE in space, and Emirati astronaut Sultan Al Neyadi will soon embark on a six-month mission to the International Space Station. The Mohammed bin Rashid Space Centre has launched four satellites, and UAE-based satellite company Yahsat currently manages a fleet of five satellites and provides services in more than 150 countries. In 2022, the UAE established an US$817 million fund to support its space sector, including the development of a constellation of advanced radar imaging satellites.

The new regime specifies licensing and reporting requirements for a range of activities related to virtual assets in the Emirate of Dubai.

By Brian A. Meenagh, Matthew Rodwell, and Ksenia Koroleva

On February 7, 2023, the Dubai Virtual Assets Regulation Authority (VARA) adopted the Virtual Assets and Related Activities Regulations 2023 (the Regulations) together with four compulsory and seven activity-specific rulebooks.

VARA adopted these Regulations further to Dubai Law No. 4 of March 11, 2022 on the Regulation of Virtual Assets in the Emirate of Dubai (the Law) (for more information, see Latham’s blog post).

The Law granted VARA powers to regulate activities relating to virtual assets in the Emirate of Dubai (excluding the Dubai International Financial Center (DIFC); DIFC has its own regime regulating virtual assets — see Latham’s blog post).

The Law laid down key definitions (such as the definitions of virtual assets (VAs) and distributed ledger technology (DLT)), and provided a broad list of activities requiring a license. The Law entitled VARA to adopt regulations for all relevant activities and VAs.

The regime introduces rules on various crypto tokens, including cryptocurrencies and stablecoins, in the Dubai International Financial Centre.

By Brian A. Meenagh, Matthew Rodwell, and Ksenia Koroleva

On November 1, 2022, the Dubai Financial Services Authority (DFSA) crypto token regulatory regime came into effect.

The rules expand upon the DFSA framework for regulating investment tokens established in 2021 (the 2021 Rules). The Dubai International Financial Centre (DIFC) regime defines a token as a cryptographically secured digital representation of value, rights, or obligations which may be issued, transferred, and stored electronically, using distributed ledger technology (DLT) or other similar technology. The 2021 Rules only regulated investment tokens, which comprised security tokens and derivative tokens (in essence, tokenized equivalents of conventional securities and derivatives, respectively) (the Investment Tokens). Pursuant to the 2021 Rules, persons carrying out certain activities with Investment Tokens (e.g., issuing, offering, holding, promoting, dealing, advising, brokering) need to obtain approval from the DFSA and comply with certain obligations.

The guidance is part of the rapidly evolving rules on anti-money laundering and aims to promote UAE as a jurisdiction compliant with best practices.

By Brian Meenagh, Ksenia Koroleva, and Matthew Rodwell

On August 1, 2022, the UAE Central Bank (CBUAE) issued the Guidance for Licensed Financial Institutions on the Risks Relating to Payments.[1]

The guidance was issued to implement the requirements of Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations. It sets out the CBUAE’s expectations as to the appropriate compliance measures to be adopted within payments ecosystems. The guidance is not intended to amend or replace existing CBUAE requirements and should be read in conjunction with the CBUAE’s existing rules[2] and guidance materials[3].

Organisations subject to the law should carry out a gap analysis of their current compliance position against the new requirements.

By Brian A. Meenagh, Alexander Hendry, and Lucy Tucker

The United Arab Emirates (UAE) has issued its first federal data protection law (Federal Decree Law No. 45/2021 on the Protection of Personal Data) (the Data Protection Law), alongside a law establishing the new UAE Data Office (Federal Decree Law No. 44/2021 on Establishing the UAE Data Office).

The issuance of the Data Protection Law follows a trend of new data protection laws in the Middle East, including a data protection law in Saudi Arabia that will come into force on 23 March 2022.

The decision will likely provide comfort to businesses operating in the healthcare sector both in the UAE and globally.

By Brian A. Meenagh and Avinash Balendran

On 28 April 2021 the United Arab Emirates (UAE) federal government issued Ministerial Decision No. 51 of 2021 (the Decision) to clarify when health information may be stored or transferred outside of the UAE. The Decision should pave the way for many domestic and overseas healthcare service providers to continue processing, storing, and transferring

The new legislation extends both the protections available to consumers, as well as the obligations applicable to e-commerce retailers.

By Brian A. Meenagh and Avinash Balendran

With its recent implementation of a new consumer protection law, the United Arab Emirates has taken a significant step forward in protecting the rights of consumers. The new legislation — Federal Law No. (15) of 2020 (the New CPL) — entered into force on 16 November 2020, repealing Federal Law No. (24) of 2006. In particular, the New CPL extends both the protections available to consumers, as well as the obligations applicable to e-commerce retailers.

One stand-out provision in the New CPL is Article 4(5), which places an obligation on Entities (as defined below) to protect “consumers’ privacy and data security”. Article 4(5) also implies that Entities should not use consumer data for “the purposes of promotion or marketing”.