Data protection and privacy in mobile and online environments: Guidelines for international best practice

David Yates

Although these are not directly applicable to businesses operating in the Middle East, respecting the privacy of customers in accordance with industry best practice is likely to enhance trust and may go some way toward ‘future proofing’ businesses in the event that international trends relating to data protection and privacy are picked up by law makers in this region.

ICC UK Cookie Guide

The International Chamber of Commerce (United Kingdom) published in April 2012 its “ICC UK Cookie Guide”. A copy can be found at the ICC’s website at:

A cookie is basically a message given to a web browser by a web server to assist the server in monitoring the browser’s activities. UK law now requires website operators to ask for a website user’s permission when placing certain kinds of cookie on their devices for the first time.  Where consent is required, it should be informed consent.  There is no similar law in the UAE or in other Middle Eastern countries.  Despite this, many of our clients operate as part of corporate groups who do operate websites in the UK and in other countries where informed consent in relation to placing of cookies is required.  Further, in the absence of direct regulation of the practice in this jurisdiction, an organization can distinguish itself from its competitors by offering users of websites protection of their privacy in relation to the use of cookies.

The ICC UK Cookie Guide is a tool to help website operators obtain informed consent from their visitors.  The guide separates cookies into four categories:

• strictly necessary cookies,
• performance cookies,
• functionality cookies, and
• targeting or advertising cookies.

The guide builds upon the Information Commissioner's Office's recent publication on suggested methods for obtaining consent:

• obtaining consent in the course of acceptance of website terms and conditions;
• settings-led consent;
• feature-led consent;
• function-led consent; and
• notice and choice mechanisms such as sensitively deployed pop ups or header bars.

GSM Association’s Privacy Design Guidelines for Mobile Application Development

The GSM Association has recently published its “Mobile and Privacy – Privacy Design Guidelines for Mobile Application Development”.  A copy can be viewed at

What is valuable about these guidelines, in our view, is that they recognize that even if mobile phone applications provide useful services for mobile phone users, if these applications fail to meet the privacy expectations of users this will undermine users’ confidence and trust in mobile application organizations and the wider mobile ecosystem.

We have consistently maintained that in the absence of comprehensive data protection regulations in the UAE and in other Middle Eastern countries, commercial organizations nonetheless need to respect the privacy of their customers in accordance with industry best practice in order to create an environment of trusted customer relationships.  The threat to an individual’s privacy in the online and mobile environments is a very public issue which is likely restricting the extent to which ordinary people take advantage of extraordinary new technologies in their everyday lives.

The guidelines encourage the development, delivery and operation of mobile applications that help users understand what personal information a mobile application may access, collect and use; what the information will be used for, and why, and how users may exercise choice and control over this use.

Al Tamimi & Company’s Technology, Media & Telecommunications team regularly advises on data protection and privacy in the mobile and online environments, as well as in respect of the impact of other technological developments on our clients’ businesses. For further information, please contact David Yates at