Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.Find out more
Welcome to the latest edition of Law Update titled “Rise of Generative AI.”
In this edition, we dive into the dynamic world of Technology, Media, and Telecommunications (TMT) across the Middle East and North Africa (MENA) region. TMT continues to play a vital role in positioning the region as an international business and social hub, driving significant growth and innovation.
Our focus in this Law Update is on the sector’s ongoing potential to advance and propel the region toward a more digital economy. We explore the benefits of embracing a digital transformation and how local authorities have responded by enhancing regulations to accommodate the evolving TMT landscape.
This edition covers a range of topics, including – the new Telecommunications & Information Technology Law in Saudi Arabia, the intricacies of trademarks in the Metaverse, and the legal challenges faced by the video game industry. Additionally, we take a regional perspective, discussing jurisdictions such as Kuwait, Saudi Arabia, UAE, Oman, and Bahrain to provide a comprehensive understanding of the TMT landscape.
We hope you thoroughly enjoy this packed issue of Law Update, filled with captivating articles that address key legal issues within a vital sector for the region.Read the full edition
As you may well be aware, the European Union (EU) has introduced new legislation on the protection of personal data – the General Data Protection Regulation (GDPR). The GDPR will come into effect on 25 May 2018, and businesses in Europe are frantically trying to get their houses in order, so that their processing of personal data relating to identifiable natural persons is compliant with the legal requirements.
Because of the expanded territorial scope of the GDPR, businesses based outside the EU – including businesses in the Middle East – will need to comply with the GDPR in some circumstances.
Which non-EU businesses are caught under the GDPR?
The GDPR applies to non-EU entities that are ‘controllers’ and ‘processors’ processing personal data of individuals who are in the EU, if the processing activities relate to:
GDPR’s indirect application to non-EU businesses
The GDPR provisions will also apply indirectly to non-EU businesses that have agreements under which they carry out data processing activities on behalf of an EU business. An EU data controller is expressly required by the GDPR to have a contract with a data processor – whether or not the processor is located in the EU – that stipulates certain prescribed matters.
Obligations on non-EU businesses in relation to international transfers
The GDPR restricts the transfer of personal data to recipients in countries outside the European Economic Area (EEA) unless particular conditions are met. The restrictions are intended to prevent the level of protection provided by the GDPR from being ‘watered down’ or undermined when personal data is transferred to other countries that do not offer the same level of protection to personal data.
The fines for non-compliance with the GDPR can be very significant, and depend on the specific article of the GDPR that has been breached. In addition to administrative fines, the supervisory authorities can also impose a range of corrective measures or sanctions. These include imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries. Separately, the GDPR also gives individuals the right to claim compensation directly from the controller or processor for damages suffered due to an infringement of the GDPR.
Appointment of an EU representative
In certain circumstances, there may even be an obligation on an entity operating outside the EU to appoint an EU representative to act as a point of contact for the EU personal data subjects and regulators on all issues relation to personal data processing.
What to do?
The GDPR is a complex area of legal compliance, with ramifications for all companies who have activities in the EU, irrespective of whether their operations are actually based within the EU or elsewhere.
By 25 May 2018 all non-EU businesses should have determined:
This does not mean it is too late to consider and address data protection compliance, including whether the GDPR applies to your business. If there is any likelihood that GDPR affects your business, we suggest that you address the risk as a matter of priority.
Al Tamimi & Company’s Technology, Media & Telecommunications practice regularly handles matters involving data protection compliance, data breach notifications, and other issues relating to the digital economy. For further information, please contact Stuart Davies or Nick O’Connell.
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.