Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.Find out more
Welcome to the latest edition of Law Update titled “Rise of Generative AI.”
In this edition, we dive into the dynamic world of Technology, Media, and Telecommunications (TMT) across the Middle East and North Africa (MENA) region. TMT continues to play a vital role in positioning the region as an international business and social hub, driving significant growth and innovation.
Our focus in this Law Update is on the sector’s ongoing potential to advance and propel the region toward a more digital economy. We explore the benefits of embracing a digital transformation and how local authorities have responded by enhancing regulations to accommodate the evolving TMT landscape.
This edition covers a range of topics, including – the new Telecommunications & Information Technology Law in Saudi Arabia, the intricacies of trademarks in the Metaverse, and the legal challenges faced by the video game industry. Additionally, we take a regional perspective, discussing jurisdictions such as Kuwait, Saudi Arabia, UAE, Oman, and Bahrain to provide a comprehensive understanding of the TMT landscape.
We hope you thoroughly enjoy this packed issue of Law Update, filled with captivating articles that address key legal issues within a vital sector for the region.Read the full edition
Nick O' Connell
The Data Protection Law 2007 (DIFC Law No. 1 of 2007), was recently amended by the Data Protection Law Amendment Law 2012 (DIFC Law No. 5 of 2012), which became effective on 20 December 2012. The ‘new’ Data Protection Law amends the ‘old’ Data Protection Law, which prescribed rules and regulations regarding the collection, handling, disclosure and use of personal data in the DIFC, the rights of individuals to whom the personal data relates, and the role of the DIFC Authority with regard to data protection. The amended Data Protection Law retains the international best practice standards found in the 2007 law, and is broadly consistent with the 1995 EU Data Protection Directive. It is designed to balance the legitimate needs of businesses and organizations to process personal information with the importance of upholding an individual’s right to privacy.
Besides miscellaneous amendments aimed at improving drafting and clarity, the key changes in the amendedData Protection Law can be summarised as follows:
Duty to notify changes: A Data Controller must notify the Commissioner of Data Protection of any changes to the particulars of the Data Controller’s notification to the Commissioner. Failure to notify the Commissioner of such changes as soon as possible – and in any event within 14 days from the date upon which the particulars becomes inaccurate or incomplete – is a contravention of the law.
Delegation powers of the Commissioner of Data Protection: The Commissioner may delegate functions and powers to officers and employees of the Dubai International Financial Centre Authority.
General contravention and administrative imposition of fines: The proposed changes set out provisions relating to contraventions of the law and the administrative imposition of fines.
As part of the set-up process in the DIFC, an entity is required to notify the DIFC’s Commissioner of Data Protection if it intends to process personal information. This notification has to be updated when the entity’s commercial licence is renewed, or if at any time the entity changes the way in which it will process personal information. The apparent absence of this requirement from the amended Data Protection Law is one aspect that would have benefitted from more detailed consideration.
An entity that wishes to process ‘Sensitive Personal Data’ (being personal information revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life), or that wishes to transfer personal information outside the DIFC to a jurisdiction that is not recognised by the DIFC as offering an adequate level of protection to personal information, needs to seek a permit from the Commissioner of Data Protection.
It remains to be seen whether the amendments to the DIFC Data Protection Law indicates that the Commissioner of Data Protection is going to become more active in policing the data protection compliance of entities operating in the DIFC.
Interestingly, in January this year, the European Commission published its proposal for a new Data Protection Regulation. The EU’s current rules, which the DIFC Data Protection Law emulates to some degree, are about 17 years old, and the revision is intended, to some extent, to ‘future proof’ the EU’s data protection regime. It will be interesting to see if further changes to the DIFC Data Protection Law will be considered once new European rules make it through the European legislative process.
Al Tamimi & Company’s Technology, Media & Telecommunications team regularly advises on data protection issues in the Middle East, including in on-shore Dubai and free zones such as DIFC. For any data protection related queries, please contact Nick O’Connell (firstname.lastname@example.org).
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.