Add to Cart: New E-Commerce Law in Saudi Arabia

In the April 2018 edition of Law Update (The Riyal Deal: Regulation of e-Commerce in Saudi Arabia), we wrote about draft e-commerce regulations in Saudi Arabia. We are now able to report that Saudi Arabia’s E-Commerce Law 2019 (Royal Decree No. M/126 dated 07/11/1440H; 10 July 2019) has recently been published.

The Law, which will be administered by the Ministry of Commerce & Investment (‘MOCI’), comes into effect in late October 2019, 90 days following its publication in the Official Gazette on 24 July 2019. The associated Regulations are expected to follow shortly thereafter. Where the Law and its Regulations make no special provision, the Electronic Transactions Law, and other laws and regulations, will be relevant.

The Law applies to e-commerce service providers, being merchants/traders registered in the Saudi Commercial Register, as well as other e-commerce practitioners (both in the Kingdom and elsewhere), who are not registered in the Saudi Commercial Register. Specifically, e-commerce practitioners who are located outside the Kingdom, but who offer goods and services to customers based in the Kingdom, are subject to the Law.

The Law focuses on customer-protection related considerations. Pursuant to the Law, consumers can be natural persons or corporate entities, so the Law should be understood as applying to ‘customers’ in both B2C and B2B e-commerce transactions.

Minimum Details

The Law anticipates that the Regulations will set out specific information on the details that e-stores must display to customers. (An e-store is not necessarily a platform through which a transaction can be concluded; the term extends to platforms that offer or advertise goods and services). At a minimum, an e-store must display the name and address of the e-commerce service provider, and, if applicable, its Commercial Registration number. The e-store must also display means of contacting the e-commerce service provider, such as an email address and contact number.

The Law requires e-commerce service providers to provide customers with clear contractual terms and conditions. At a minimum, and subject to any further details required to be specified pursuant to the Regulations, the following must be addressed:

• information on the e-commerce service provider (presumably including the name and address of the e-commerce service provider, and, if applicable, its Commercial Registration number);
• the basic characteristics of the subject goods or services, and information on any warranties;
• total price, including all fees, taxes or additional amounts relating to delivery, if any; and
• the procedure by which the contract will be concluded, as well as information on payment and delivery/performance.

Where an e-commerce service provider practises a regulated activity/profession, the service provider is required to provide further information, including the identity of the relevant regulator, and details of its licence/permit under that regulator.

E-commerce service providers are required to submit to the customer an invoice showing the itemised cost of the purchase of the goods / services, fees, taxes, additional costs related to delivery (if any), and the total cost. The invoice should also show the date and time of delivery, and any other details that may be required (e.g. to comply with tax law or regulations). Further details may also be required pursuant to the Regulations.

Advertising

The Law provides that digital advertising by e-commerce service providers will constitute supplementary contractual terms that are binding on the parties. It will be interesting to see what this means in practice.

The Law contemplates certain minimum requirements for digital advertising by e-commerce service providers. At a minimum, and subject to any further details required to be specified pursuant to the Regulations, the following must be addressed:

• information on the e-commerce service provider (presumably including the name and address of the e-commerce service provider, and, if applicable, its Commercial Registration number);
• name of the subject goods or services; and
• means of contacting the e-commerce service provider.

Where an e-commerce provider fails to include such information in a digital advertisement, and MOCI directs the e-commerce service provider to reflect such information, then – without prejudice to other penalties that may be applied, this request must be addressed within one day of such notification.

Digital advertising by e-commerce service providers cannot include misleading or deceptive statements, or statements that may mislead or deceive customers. It is not permitted to use third party trade marks without authorisation of the trade mark owner. (Both these restrictions are obvious, and can also be found in other laws.) If MOCI directs an e-commerce service provider to amend or remove such content, and without prejudice to other penalties that may be applied, this must be addressed within one day of such notification.

Customer Rights to Correct Errors and to Terminate

The Law contemplates the Regulations specifying a period in which customers will be entitled to correct any error that may have occurred in the course of an electronic transaction.

Customers will have typical rights to terminate contracts in an e-commerce transaction, such as where the goods are faulty, etc. Additionally, there are two general scenarios in which customers have a right to terminate a contract concluded with an e-commerce service provider. These can be understood broadly as a ‘cooling off period’ right to terminate ‘without cause’; and a right to terminate in the event of a delay in delivery of the goods or services.

The ‘cooling off period’ right to terminate provides customers with a right to terminate within seven days from the date the subject goods are delivered, or the date of contracting to provide the subject service. This right to terminate is without prejudice to any statutory or contractual warranties, and is subject to the customer not having used the goods or benefitted from the services.

There are certain circumstances in which a customer cannot avail themselves of this right to terminate. These include:

• where the transaction relates to goods subject to the customers own specifications (except where there is a defect or non-conformity with such specifications);
• the transaction relates to physical media (e.g. videotapes, disks, CDs) that the customer has used;
• the transaction relates to newspapers, magazines, publications and books;
• the transaction relates to services for accommodation, transportation or catering;
• the goods the subject of the transaction are damaged as a result of the customer’s own acts or inaction;
• the transaction relates to purchase of software online (except where there is a defect or non-conformity in the software that affects its ability to be downloaded).

The right to terminate in the event of delayed delivery of goods or services can be understood as a right to terminate the contract if delivery or performance is delayed by more than fifteen days from the agreed date for such performance or delivery. This right does not apply in cases of failure to deliver in time due to ‘force majeure’ (which is not defined), or where the parties have subsequently agreed on a different delivery timeline. The Law also requires e-commerce service providers to notify customers of anticipated delays or difficulties that may affect delivery or performance.

Personal Data Protection in an E-commerce Context

Each E-Commerce service provider is required to take necessary actions and measures to protect customers’ personal data and electronic communications in its control, including in the control of its agents/processors.

Subject to other legal requirements, e-commerce service providers can only retain such personal data and electronic communications for such period as is required given the nature of the transaction, or such other period as the parties may agree.

E-commerce service providers may only use such personal data and electronic communications for authorised/permitted purposes. The consent of the customer, or some other legal basis, is required in order for the e-commerce service provider to disclose such personal data or communications to any third party.

Enforcement and Penalties

The Law permits MOCI to block access to an e-store in the event of violation of the Law or Regulations, and to refer the matter to a Committee that will be established under the Law to consider violations and impose penalties. The Law specifies timeframes in which MOCI and the Committee are required to take action, including (as applicable) issuing decisions on the alleged violation.

Besides blocking access to the e-store, in whole or in part, either temporarily or permanently, the following penalties are available, without prejudice to any more severe penalties specified in any other law:

• a warning;
• publication of the details of the violation in an appropriate local newspaper at the violator’s expense;
• temporary or permanent suspension of the violator’s Commercial Registration; and
• a fine of not more than SAR1,000,000 (about USD 270,000).

When considering the appropriate penalty, the Committee will consider the seriousness of the violation (including any damage to others), whether the violation is a recurrence, and the size of the violator’s enterprise. The Law provides a right of appeal to the Administrative Court.

Other

The Law goes into some detail setting out information on the deemed domicile of the various types of e-commerce service providers, although it does not include any information on the impact of the respective domicile on transactions that are subject to the Law.

There is mention of MOCI being responsible for overseeing the e-commerce sector, and issuing further regulations to enhance e-commerce in Saudi Arabia and protect the integrity of e-commerce transactions. In this context, there is specific reference to entities responsible for licensing e-stores, and to platforms that act as intermediaries between e-commerce service providers and the customers. It is unclear what MOCI has in mind in this regard.

Conclusion

The Law provides greater clarity for e-commerce service providers. Its application to both locally licensed e-commerce service providers and Saudi-based individuals acting as e-commerce service providers, as well as foreign e-commerce service providers selling into Saudi Arabia, is significant. We expect that, once the Regulations are issued, there will be greater clarity on how the Law is likely to operate in practice.

Al Tamimi & Company’s Technology, Media & Telecommunication team regularly advises on e-commerce related issues in Saudi Arabia and across the Middle East. For further information, please contact Nick O’Connell (n.oconnell@tamimi.com).