Dubai: Changes to the fines that can be applied by the Public Prosecutors’ Department

The Public Prosecutors’ Department in Dubai has the power to impose fines with respect to certain criminal misdemeanors and offences[i] without being required to refer the matter to a Court of Law. Such fines are issued under a Penal Order. This power stems from Dubai Law No. 1 of 2017, which authorises the Attorney General of Dubai to prescribe the offences and the corresponding fines which may be the subject of a Penal Order. On 1 October 2019 the Attorney General of Dubai issued Resolution No. 119 of 2019 (the Resolution) amending certain fines that could earlier be imposed under Penal Orders, and adding misdemeanors and offences which may be the subject of a Penal Order.  

 

The following fines are amended:

| Misdemeanor or Offence | Previous Fine | Current Fine |
|---|---|---|
| Intentionally disturbing another through means of telecommunication | AED 5,000 | AED 3,000 |
| Publicly attributing to another person an incident susceptible of making the other person subject to punishment or exposing the other person to contempt | AED 2,000 | AED 5,000 |
| Publicly disgracing the honour of another person | AED 2,000 | AED 3,000 |
| Committing libel or slander over the telephone (which includes text, email, and other electronic messaging) | AED 2,000 | AED 3,000 |

 

 

The following misdemeanors and offences may now be punished under a Penal Order:

| Misdemeanor or Offence | Fine |
|---|---|
| Burning or causing to be burned any object belonging to a third party | AED 3,000 |
| Consuming food and beverages publicly during fasting hours of Ramadan | AED 2,000 |
| Compelling, inciting or assisting with publicly consuming food and beverages during the daytime of Ramadan | AED 2,000 with closure of shop (where applicable) |
| Violating an order for closure of shop | AED 3,000 |
| Causing physical injury to another by fault (i.e. not by accident) | AED 1,000 |
| Using a car or a motorcycle without the authorisation or consent of its owner | AED 1,000 |
| Destroying any movable or immovable property belonging to another person | AED 1,000 |
| Wrongfully destroying a tree, crops or any plants belonging to another person | AED 2,000 |
| Harassing or torturing a domestic or tamed animal belonging to another person | AED 1,000 |
| Wrongfully injuring any animal or cattle belonging to another person | AED 500 |
| Staying illegally in the country for up to 90 days | AED 1,000 |
| Not obtaining a residency visa for a child during the legally prescribed time period | AED 1,000 |
| Assisting another to illegally stay in the country | AED 1,000 |
| Driving a vehicle in violation of an order preventing the person from driving | AED 3,000 |
| Driving a vehicle without a valid license | AED 3,000 |
| Removing the number plate of a vehicle without permission to use it on another vehicle | AED 2,000 |
| Failure to stop after causing a vehicle accident | AED 2,000 |
| Refusing to provide name or address to a police officer | AED 1,000 |

 


[i] Under the UAE Penal Code, ‘Misdemeanors’ are crimes that are punishable by a fine, diyah and/or a term of imprisonment not exceeding three years. ‘Offences’ are crimes that are punishable by a fine or by detention for a period not exceeding ten days.

Law 6 of 2019: on the ownership of common property in the Emirate of Dubai

What’s happened?

 

After much media coverage regarding the potential change in the law concerning properties owned in common in Dubai, Law 6 of 2019 was introduced on 4 September 2019 (the New Law).

 

The New Law is an important development for Dubai as most real estate is held by way of property owned in common. That is, a real estate development that has been subdivided into apartments, offices, retail units and/or common areas.

 

We expect that the New Law will have a positive impact on the real estate market in Dubai, as disputes under the Previous Law (including those between unit owners and association managers) were increasingly affecting property values.

 

The New Law repeals Law 27 of 2007 Concerning Ownership of Jointly Owned Property in the Emirate of Dubai (the Previous Law). However, developers, management companies and owners’ committees have been given a six-month transition period from 4 September to comply with the New Law.

 

In this InBrief we look at the major changes that will impact owners of units in Dubai.

 

New management system

 

Under the Previous Law all owners of units automatically became members of the owners association of their building when they purchased their unit. The owners association, through its board, was then entrusted with the management, operation, maintenance and repair of the common areas of the building, and they could delegate these responsibilities to an association manager to perform.

 

The New Law replaces this management system with a three-tiered system set out in Article 18 as follows:

 

First Category – Major Projects:

 

For real estate projects that are considered to be major projects by the Director General of the Dubai Land Department (DLD), the New Law provides that the developer shall now be responsible for the management, operation, maintenance and repair of their common parts and the utility services (Article 18(a)(1)). The developer may appoint a management company to carry out these responsibilities on its behalf (Article 18(c)). The management company must be approved by the Real Estate Regulatory Agency (RERA) (Article 2).

 

An owners’ committee must be formed for each Major Project with its members selected by RERA which shall not exceed nine members (Article 18(a)(1)). The functions of the owners committee are set out in Article 24 and include:

 

  • verifying that the management company manages the common parts;
  • reviewing the annual budgets for the maintenance of the common property and making recommendations; and
  • receiving complaints from owners and submitting them to RERA if the management company fails to address them within 14 days of being notified.

If the developer is found to be incompetent or unable to manage the common property under this first category in a manner that ensures their sustainability and serviceability, the Executive Director of RERA may appoint a specialised management company to manage and operate the common property (Article 37).

 

Second Category: Hotel Projects:

 

For real estate projects that are licensed for use as a hotel establishment, the New Law provides that the developer shall appoint a hotel project management company approved by RERA to manage the common parts (Article 18(a)(2)).

 

If the hotel project management company wishes, an owners’ committee may be formed for each Hotel Project with its members selected by RERA which shall not exceed nine members. However, Article 18(a)(2) provides that even if an owners’ committee is formed, it is not entitled to interfere in the management of the hotel project or the common areas thereof.

 

If the hotel project management company is found to be incompetent or unable to manage the common property under this second category in a manner that ensures their sustainability and serviceability, the Executive Director of RERA may appoint a specialised management company to manage and operate the common property (Article 37).

 

Third Category: Real estate projects other than the major projects and hotel projects:

 

The common parts in these projects shall be managed by specialised management companies, which shall be selected and engaged by RERA in accordance with the controls and regulations set by a decision to be issued by the Director General in this regard (Article 18(a)(3)).

 

An owners’ committee must be formed for each real estate project with its members selected by RERA which shall not exceed nine members (Article 18(a)(3)). The functions of the owners committee are set out in Article 24 and include:

 

  • verifying that the management company manages the common parts;
  • reviewing the annual budgets for the maintenance of the common property and making recommendations;
  • receiving complaints from owners and submitting them to RERA if the management company fails to address them within 14 days of being notified; and
  • importantly, this owners committee has the power to request RERA to replace the management company and provide RERA with advice on the selection and appointment of the new management company (Article 24(5)).

 

If RERA finds that the management company is incompetent, inefficient or unable to manage the common property under this third category RERA shall appoint an alternative management company to manage the common property (Article 38).

 

Obligations of Master Developer

 

The Master Developer is required to manage and maintain the common facilities in the Master Project through a written agreement with a management company that has been approved by RERA (Article 19).

 

If the master developer is found to be incompetent or unable to manage the common property in a manner that ensures their sustainability and serviceability, the Executive Director of RERA may appoint a specialised management company to manage and operate the common property (Article 37).

 

Responsibility of Developer to rectify defects for ten years (Article 40)

 

Similar to the Previous Law, the Developer is still under an obligation to:

 

  • repair or correct any defects in the structural parts of the common property for a period of ten years from the date of the certificate of completion for the project; and
  • repair or replace defective fixtures in the common property for a period of one year from the date of handing over the unit to the owner. Fixtures are defined as including mechanical and electrical works, sanitary fittings, sewerage and others.

Removal of JOPD – New bylaws / building management system

 

Under the Previous Law, a Jointly Owned Property Declaration was required to be registered with RERA which governed the use of the common areas and units, and set out the duties and obligations of the owners, occupiers, and the developer.

 

The New Law has now removed the concept of a Jointly Owned Property Declaration and replaced it with the following: the “bylaws of the complex”, the “bylaws” and the “building management system”.

 

Bylaws of the complex

 

The bylaws of the complex are defined in Article 2 as “the terms and conditions governing the development and operation of the master project and the common properties and common facilities therein, including the planning and construction standards of the complex.”

 

Bylaws

 

The bylaws are defined in Article 2 as “the rules and provisions governing the owners’ committee, which shall be established and adopted in accordance with the provisions of this Law.”

 

The building management system

 

Prior to selling any units, the developer must establish a building management system for major projects and hotel projects which must be approved by RERA (Article 20).

 

The building management system is defined as “The document prepared in accordance with the regulations issued by the Department and recorded in the Common Property Register, which state the procedures for maintenance of the common parts, and the percentage of owners’ contribution in the costs related thereto, including the equipment and services existing in any part of another building”.

 

Legal effect of bylaws, bylaws of the complex and building management statement

 

These documents all form part of the title deed and must be complied with by every occupant, owner, owners committee and the developer of the project (Article 6).

 

Filing requirements

 

The developer must prepare and file the bylaws and the bylaws of the complex within 60 days from the date of the certificate of completion for the project.

 

However, the building management system shall not be filed by the developer – instead it will be filed by RERA.

 

Service charges 

 

Similar to the Previous Law, each owner is required to pay the management body his share of the service charge to cover the expenses of the management and maintenance of the common parts (Article 25(a)).

 

However, the management body may not collect any service charges unless they have obtained the prior approval of RERA to the budget allocated for the service charge (Article 27). RERA will appoint a legal auditing officer accredited by it for this purpose (Article 27).

 

Utilisation charges

 

For prefabricated, under construction buildings or vacant land plots, the Master Developer may collect a utilisation charge from the owner or sub-developer of such land, subject to the approval of RERA.

 

New common property register

 

A new “common property register” shall be established by the DLD which shall contain the following (Article 4):

 

1. “Land plots owned by the developers, on which the common properties shall be constructed;
2. units allocated for independent ownership in the common property sold by the developers, and the names of the owners of these units;
3. members of the owners’ committee;
4. building management system;
5. plans;
6. management body;
7. management contracts of the common property or the common parts;
8. area of common parts and private common parts and their percentage out of the area of units in the common property; and
9. areas owned by the developer in the common property.”

 

New dispute resolution mechanism

 

The Rental Dispute Settlement Centre in the Emirate of Dubai shall have exclusive jurisdiction to hear and settle all disputes and differences relating to the rights and obligations stipulated in the New Law, in accordance with the rules and procedures of the Rental Dispute Settlement Centre. ■

The private equity, venture capital, and start-up ecosystem in the UAE: recent developments

In the lead-up to Expo 2020, the UAE government has taken a number of measures to promote economic diversification, foster growth, and stimulate the region’s innovation environment. The government’s push to develop the private equity, venture capital, and start-up ecosystem is a central component of this agenda. In this InBrief we summarize the recent developments implemented in the UAE that enhance the ease of doing business for private equity and venture capital funds as well as start-up companies.

 

New Regime for Fund Establishment and Management

 

Over the last three years, the UAE Securities and Commodities Authority (SCA) has issued two important laws concerning the regulation of private equity and venture capital funds in the UAE. They are: (1) SCA Board of Directors’ Chairman Decision No. (9/R.M) of 2016 and (2) SCA Administrative Decision No. (3/R.T) of 2017. Some of the key provisions of these laws include:

 

  • establishing local mutual funds and marketing and promoting of foreign funds to investors in the UAE;
  • conferring corporate personality on the fund and limitation of investor liability; and
  • defining “Venture Capital Fund” as well as the conditions for venture capital funds to satisfy.

 

Despite these positive laws, onshore funds tend to be uncommon in the UAE due to foreign ownership restrictions and regulatory requirements imposed by the SCA. Consequently, many private equity and venture capital funds are established in the economic free zones of the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) (collectively, the Financial Free Zones), which are regulated respectively by the Dubai Financial Services Authority (DFSA) and the Financial Services Regulatory Authority (FSRA) (collectively the Offshore Regulators).

 

The Financial Free Zones permit fund managers located both within and outside the Financial Free Zones to establish funds within the Financial Free Zones through a range of fund vehicles that include investment companies, investment partnerships, and investment trust structures. The fund managers based in the Financial Free Zones also have the flexibility to establish and manage funds outside the Financial Free Zones. Firms authorised or licensed by the respective Offshore Regulators can also promote and sell both domestic and foreign funds in or from the Financial Free Zones. In addition, the SCA and the Financial Free Zones have recently begun implementing a passporting regime that will allow for the mutual promotion and oversight of domestic funds established in these respective jurisdictions.

 

Also, the Financial Free Zones have taken several steps to create a favourable regulatory environment for private equity and venture capital funds. For example, they apply a risk-based regulatory approach for their funds regime that includes exempt funds (which are funds available for professional clients) and qualified investor funds, which have less stringent requirements than exempt funds and are specifically targeted at sophisticated investors such as high net worth individuals and family offices. In addition, the FSRA has introduced a risk-proportionate regulatory framework for managers of venture capital funds, which among other things, exempts venture capital fund managers from base capital or expenditure-based capital requirements.

 

New Trends 

 

Several recent legislative developments have also collectively provided more opportunities for funds, and regulators have sought to stimulate disruptive industries. For example, each of the DIFC and the ADGM established a FinTech regulatory sandbox to create a progressive regulatory environment for the growth of the FinTech industry in the UAE.

 

In addition, the new pledge law enables pledgees to perfect their security interest over movable assets. This law will substantially enhance and create certainty in commercial lending. As a result, start-ups lacking immovable property will find it easier to obtain bank financing by pledging movable assets such as their receivables, raw materials, or future assets.

 

Finally, the UAE’s new bankruptcy law introduces a regime that allows for protection and reorganisation of distressed businesses. It offers some protection for issuers of dishonoured cheques for the duration of any preventive composition or restructuring procedure. In addition, the new law provides debtors with the ability to raise new finance during the preventive composition or restructuring process, with court approval. Together, these changes provide entrepreneurs with further confidence to take calculated risks and comfort banks/investors with exposure to such investments.

 

* * * *

The above positive changes will result in the establishment of new funds and attract more entrepreneurs and investors to the UAE. Ultimately, such policy reforms will cement the UAE’s position as the private equity, venture capital, and the start-up hub of the Middle East. ■

SCA issues guidelines for financial institutions on anti-money laundering

The past year has been a busy one for AML compliance in the UAE.

 

In October 2018, Federal Decree-Law 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations (AML Law) came into force. It contained features recommended by the Financial Action Task Force (FATF), and brought UAE laws in line with international AML standards.

 

The AML Law was followed by the implementing regulations in January 2019, which have helped bring further clarity to the intended operation of the AML Law. The Implementing Regulations were issued on 28 January 2019 pursuant to Cabinet Resolution 10 of 2019 (AML Regulations).

 

In May 2019, the UAE Securities and Commodities Authority (the SCA) promulgated guidelines for financial institutions on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (the AML Guidelines).

 

The AML Guidelines, resulting from a joint effort among the supervisory authorities of the UAE, set out the minimum expectations of the supervisory authorities regarding the factors that should be taken into consideration by financial institutions when identifying, assessing, and mitigating the risks of money-laundering, financing of terrorism, and financing of illegal organisations.

 

Do the AML Guidelines form part of the law?

 

The AML Guidelines do not constitute regulations or legislation. They are intended to be read together with the AML Law and Regulations as well as all other relevant Cabinet Resolutions and regulatory rulings currently in force in the UAE and the free zones. The AML Guidelines are not a replacement or substitution for any existing legal requirements or statutory obligations. The SCA has made it clear that, in the event of an inconsistency between the AML Guidelines and any legal or regulatory framework in place in the UAE, it is the latter that will prevail.

 

Who do the guidelines apply to?

 

As a starting point (with exceptions noted throughout the guidelines), the AML Guidelines apply to all financial institutions, and their directors, managers and employees, established or operating in the UAE or the UAE’s free zones, that establish or maintain business relationships with customers or engage in any of the financial activities or transactions or trade or business activities outlined in the AML Regulations.

 

Specifically, they are applicable to all such natural and legal persons in the following categories:

 

• banks, finance institutions, exchange houses, money service businesses (including monetary value transfer services);

• insurance companies, agencies, and brokers;

• securities and commodities brokers, dealers, advisors, investment managers; and

• other financial institutions not mentioned above.

 

The AML Guidelines define a financial institution as any person who conducts one or more financial activities or operations for or on behalf of a customer. The term business relationship is defined as any ongoing commercial or financial relationship established between financial institutions or designated non-financial businesses and professions (DNFBPs) and their customers in relation to activities or services provided by them.

 

What is contained in the AML Guidelines?

 

The AML Guidelines are organised into five parts, which consist of the following:

 

1. Part 1 – Overview: This includes background information of the UAE’s AML legislative and strategy framework including key provisions of the law and regulations affecting financial institutions;

 

2. Part 2 – Identification and assessment of money laundering and financing of terrorism risks;

 

3. Part 3 – Mitigation of money laundering and financing of terrorism risks;

 

4. Part 4 – AML and anti-terrorism financing (ATF) compliance administration and reporting requirements, including guidance on governance, suspicious transaction reporting and record keeping; and

 

5. Part 5 – Appendices including a glossary of terms and links to relevant portals.

 

The AML Guidelines have been prepared such that, where sufficiently clear guidance is provided in the AML Law and AML Regulations, no additional guidance is provided in the AML Guidelines. However, where the AML Law or AML Regulations do not specifically cover a topic but such topic is addressed implicitly or by reference to international practices, the AML Guidelines seek to provide guidance to bring some clarity to their intended application in the UAE.

 

How do the AML Guidelines interact with guidance from other supervisory authorities?

 

The AML Guidelines address some inconsistencies that may arise from the legal and regulatory framework currently in place, from previous laws or regulations, or from differences in regulatory requirements between the various supervisory authorities in the UAE. The AML Guidelines recommend, however, that for any unaddressed inconsistencies between supervisory authorities, financial institutions should contact their relevant supervisory authority.

 

It appears that with the introduction of the AML Guidelines, other supervisory authorities may begin publishing guidelines of their own relating to AML and ATF compliance.

 

For example, on 30 June 2019, the Dubai Multi Commodities Centre (the DMCC) published its AML and ATF guidelines for financial institutions and DNFBPs. The DMCC’s guidelines are presented as the DMCC’s own interpretation of the AML Law and thus are not mandatory rules or regulations for entities operating in the DMCC. Rather, the DMCC makes it clear that it is the responsibility of all entities to review the AML Law and AML Regulations and determine the impact on their own business.

 

On 7 July 2019, the UAE Minister of Justice promulgated a number of resolutions introducing AML and ATF initiatives. The initiatives include:

 

• establishing a section for AML and ATF;

• issuing AML and ATF procedures for lawyers, notaries and independent legal professionals;

• establishing a Committee for managing frozen, seized and confiscated funds;

• issuing procedures dealing with situations where persons listed on the local terrorism lists use frozen funds;

• issuing guidance on the grievance mechanism for persons disputing listing on the local terrorism lists; and

• issuing procedures and conditions for requesting international judicial cooperation on the sharing of the proceeds of crime.

 

Conclusion

 

While not legally binding, the advent of AML and ATF guidance from the various supervisory authorities of the UAE is a welcome step for businesses in the UAE. It will allow entities subject to the AML Law and AML Regulations to understand how supervisory authorities may construe their obligations and to take the recommended practical steps to ensure they are in compliance with their obligations pursuant to the AML Law. ■

 

Proposed new DIFC data protection law

The DIFC Authority has proposed the enactment of legislation (the Proposed Law) to replace its current Data Protection Law, DIFC Law 1 of 2007 (as amended) (the Current Law).

 

The Proposed Law is the subject of Consultation Paper 6 of 2019, which is presently posted on the DIFC website for public comments to be provided by 18 August 2019.

 

The intention behind the Proposed Law is to align the Current Law with the General Data Protection Regulation (GDPR), to reflect the latest technology, privacy and security law developments, and adapt the same to the unique requirements of the DIFC. As GDPR has international application and has become the de facto global standard for data privacy, the Proposed Law is expected to provide consistency and familiarity for businesses in the DIFC that operate on an international scale.

 

Some noteworthy aspects of the Proposed Law are as follows:

 

1. Data Subject Rights. In addition to the right to access, rectify and erase personal data and the right to object to Processing which exist under the Current Law, there are new rights introduced in the Proposed Law that are as follows:

 

– right to withdraw consent to processing of personal data (Processing);

– right to the restriction of Processing;

– right to know the recipients of the personal data;

– right to data portability (i.e., right of a Data Subject to receive its personal data from a Controller in a structured, commonly used and machine-readable format);

– right to not be subject to automated decision making (including profiling) which produces legal effects concerning, or significantly affects, the Data Subject. Examples of automated decision making include online credit applications and online recruitment tools; and

– right to non-discrimination against a Data Subject for exercising any of the Data Subject rights.

 

Controllers must make available a minimum of two methods (e.g., by phone, email or online form) by which the Data Subject can contact the Controller to exercise any of the Data Subject rights. Such methods should not be onerous.

 

2. Apportionment of liability between Controllers and Processors. The Proposed Law (like the Current Law) stipulates that if a Data Subject suffers material or non-material damage by reason of any contravention of the Proposed Law, it will be entitled to compensation.

 

Unlike the Current Law, the Proposed Law stipulates when the Controller and the Processor are held liable for the damages caused.

 

– A Controller involved in Processing which infringes the Proposed Law shall be liable for damages caused.

– A Processor will be liable where it has not complied with the obligations specifically directed to Processors or where it has acted outside or contrary to the lawful instructions of the Controller.

– Where multiple Controller(s) or Processor(s) are involved in the Processing and where each is responsible for any damage caused by the Processing, each shall be held jointly and severally liable for the entire damage.

 

3. Information to be provided to Data Subjects. The Proposed Law has increased the number of items of information to be submitted to the Data Subjects when personal data is collected. The information that must also be provided to the Data Subjects includes (among others):

 

– contact details of the Data Protection Officer (if applicable);

– reference to the appropriate safeguards in the event personal data is transferred to a third country or international organisation;

– the existence of the Data Subject’s right to withdraw consent to the Processing;

– clarification of the legitimate interest or compliance obligations (for which the personal data is being collected);

– recipients of the personal data; and

– any other information to guarantee fair and transparent Processing vis-à-vis the Data Subject, which includes (among others):

  • the period for which the personal data will be stored;

  • existence of the other Data Subject rights (set out in point 1 above) as well as the right to lodge a complaint with the Commissioner of Data Protection (the Commissioner); and

  • whether Processing will restrict or prevent the Data Subject from exercising any of the Data Subject rights.

 

The Proposed Law also specifies that the information must be provided to the Data Subject in writing, including where appropriate by electronic means.

 

4. Consent to Processing. Controllers must be mindful of the requirements in the Proposed Law to ensure that consent to Processing has been obtained from the Data Subject. Consent under the Proposed Law means clear and unambiguous consent after clear disclosure of every purpose for which the personal data will be collected, processed and used.

 

5. Requirements for Legitimate and Lawful Processing. The Proposed Law continues the Current Law’s requirement for Legitimate Processing (now re-phrased as “Legitimate and Lawful” Processing under the Proposed Law). Personal data must still be processed fairly and transparently vis-à-vis the Data Subject, be limited to the purpose for which it is collected, and must also be accurate (requiring that it be updated via erasure or rectification without undue delay, where necessary).

 

The Proposed Law additionally requires that:

 

– it would not suffice that Controllers are processing personal data in accordance with the Proposed Law; Controllers would also need to demonstrate such compliance (including to the Commissioner); and

– personal data must now be kept secure and protected against unauthorised or unlawful Processing and against loss, destruction or damage using appropriate technical or organisational measures.

 

6. Legitimate Interests. “Legitimate interest” remains one of the grounds under which personal data can be collected. “Legitimate Interests” continue to remain undefined; however, the Proposed Law does introduce two situations which are considered as a “legitimate interest”:

 

– transferring personal data within a group of undertakings for internal administrative purposes; and

– processing personal data as strictly necessary and proportionate to ensure network and information security, and to prevent fraud.

 

The Proposed Law also introduces restrictions on the use of “legitimate interests” as grounds for Processing. Public authorities cannot rely on such grounds to collect personal data. Furthermore, Controllers who wish to rely on this basis must conduct a careful assessment as to whether a Data Subject can reasonably expect such Processing at the time and in the context of the collection of personal data.

 

7. Organisational measures to be put in place for DIFC entities. Certain documents and measures would need to be put in place by DIFC entities:

 

– technical and organisational measures that ensure personal data is processed in accordance with the Proposed Law and protect the Data Subject’s personal data;

– a written data protection policy proportionate to the processing activities;

– a policy and process for securely and permanently deleting personal data;

– a written record in electronic format of the Processing activities; and

– a written contract in compliance with the Proposed Law (i) between a Controller and a Processor, (ii) between Controllers, and (iii) between a Processor and a sub-Processor. If Processing activity is commenced without such an agreement, the parties would be in breach under the Proposed Law.

 

In addition, a DIFC entity transferring personal data to a jurisdiction that lacks an adequate level of protection must take appropriate safeguards. For a discussion of these appropriate safeguards, see point 10, below.

 

8. High Risk Processing Activities. The Proposed Law introduces the concept of “High Risk Processing Activities,” which is Processing where one or more of the following applies:

 

– new technologies are being deployed which may increase the risk to Data Subjects or render it more difficult for Data Subjects to exercise their rights; or

– a considerable amount of personal data will be Processed where such Processing is likely to result in a high risk to the Data Subject (on account of the sensitivity of the Personal Data); or

– the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons (such as profiling), on which decisions are based to produce legal effects on, or significantly affect, the natural person; or

– a non-trivial amount of Special Categories of Personal Data (currently called “Sensitive Personal Data” under the Current Law) is to be Processed.

 

There are additional obligations that arise for DIFC entities carrying on such activities. These include (among others):

 

– the appointment of a Data Protection Officer (to assist the Controller and Processor in monitoring compliance with the Proposed Law); and

– submission of assessments to the Commissioner (namely the Annual Assessment and Data Protection Impact Assessments).

 

9. Cessation of Processing. The Proposed Law introduces rules on when the Controller must cease the Processing and how personal data must be handled thenceforth.

 

Where the basis for Processing ceases to exist or the Controller is required to cease Processing via the exercise of Data Subject rights, the Controller is required to ensure that personal data is securely and permanently deleted, or where this is not possible, archived in a manner such that the data is “put beyond further use.” The exception to this rule is where such personal data is necessary for the establishment or defense of legal claims, or to be retained in accordance with applicable laws.

 

“Put beyond further use” means that:

 

– the Controller must not use the personal data to inform any decision in relation to the Data Subject or in a manner that affects the Data Subject in any way;

– no party (other than the Controller) has access to the personal data;

– personal data is protected by appropriate technical and organisational security; and

– the Controller has in place a strategy for the permanent deletion of personal data, if or when this becomes possible.

 

10. Transferring personal data to a jurisdiction lacking an adequate level of protection. Unlike in the Current Law, the Commissioner no longer grants a permit or written authorisation to transfer personal data to such a jurisdiction. The Proposed Law provides an updated list of conditions, one of which must be satisfied in order to transfer personal data to such a jurisdiction:

 

– appropriate safeguards must be put in place, which must be in one of the following forms (among others):

 

• a code of conduct (approved by the Commissioner) together with binding enforceable commitments of the Controller to apply the appropriate safeguards;

• a certification mechanism (approved by the Commissioner) together with binding enforceable commitments of the Controller to apply the appropriate safeguards;

• a legally binding and enforceable instrument;

• data protection procedures and policies applicable to Group entities (referred to as “Binding Corporate Rules” in the Proposed Law), which may be approved by the Commissioner (although such approval is not mandatory).

 

– one of the specific derogations listed in the Proposed Law applies. Such derogations are substantially similar to the transfer conditions set out in the Current Law. These include (among others) that the transfer is necessary for the performance of a contract or public interest, or that the Data Subject consented to the transfer.

– the transfer satisfies the conditions of “limited circumstances,” which is that it is a one-time transfer that concerns only a limited number of Data Subjects, is necessary on the grounds of legitimate interests, and where the Controller has provided suitable safeguards with respect to the protection of personal data. In this situation, the Controller must inform the Commissioner of this transfer.

 

11. Transferring personal data to a governmental authority outside of DIFC. The Proposed Law introduces guidelines that must be followed in order for the Controllers to disclose and transfer personal data, outside the DIFC, to a governmental authority (the Requesting Authority). Controllers must:

 

– exercise reasonable caution and diligence to determine the validity and proportionality of the request for personal data;

– ensure that any disclosure of personal data is made solely for the purpose of meeting the objectives identified;

– assess the impact of the proposed transfer in light of the potential risks to the Data Subject’s rights;

– implement measures to minimize such risks; and

– where possible, obtain appropriate and written assurances from the Requesting Authority that it will respect the rights and freedoms of the Data Subjects.

 

Failing any of the above, the Controller should not disclose or transfer personal data to the Requesting Authority.

 

12. Rectification and erasure notification. Controllers must notify each recipient to whom the personal data is disclosed when personal data is rectified, erased or subject to restricted processing.

 

13. Personal Data Breach. This is a new feature in the Proposed Law. If there is a Personal Data Breach that compromises a Data Subject’s confidentiality, security or privacy, the Controller must notify the breach to the Commissioner. When the Personal Data Breach is likely to result in high risk to the Data Subject’s confidentiality, security or privacy, the Controller must also communicate the Personal Data Breach to the Data Subjects. ■

 

FDI – a “positive” development

On 23 September 2018, enactment of the new federal law on foreign direct investment — Federal Decree-Law 19 of 2018 (the FDI Law) — introduced the possibility of majority foreign ownership in UAE companies. While the FDI Law set out a “negative list” of 13 sectors (including insurance, water and electricity, land and airport services, and retail medicine) where existing foreign ownership restrictions would continue to apply, it also referred to a “positive list” that the UAE Cabinet would promulgate to identify economic sectors and activities where up to 100% foreign ownership would be allowed.

 

Ending speculation, the Cabinet has now acted. The Prime Minister issued a statement on 2 July 2019 announcing the Cabinet’s approval of a positive list of 122 economic activities in sectors such as agriculture, manufacturing, renewable energy, electronic commerce, transportation, arts, construction, and entertainment. The positive list (copy attached) was shortly afterwards published in the local press.

 

The list of 122 economic activities is divided into 51 industrial activities, 52 service activities and 19 agricultural activities. While allowing up to 100% foreign ownership, the positive list does not do this unconditionally. On the contrary, the positive list imposes additional requirements such as minimum capital requirements on some activities, obligations to employ advanced technology on other activities, and requirements to contribute to the Emiratisation of the workforce on others. For many business and service activities, existing restrictions and qualifications are expressly retained.

 

Removal of ownership restrictions is not an end in itself, but is a means to attract FDI that will support the nation’s overall development objectives. It is expected that the licensing authorities in each Emirate will ultimately determine the permitted foreign ownership percentages for specific projects. ■

 

Expanded real estate ownership in Abu Dhabi

In the most significant change in real estate law in over a decade, Abu Dhabi has expanded eligibility for real estate ownership to several new categories of persons. This was introduced by Abu Dhabi Law 13 of 2019, which amended the prior statute, Abu Dhabi Law 19 of 2005. The amendment was enacted on 16 April 2019 and took effect on the same day. This is expected to boost real estate demand.

 

The following categories of persons are now eligible to own real estate in the Emirate of Abu Dhabi:

 

• Public shareholding companies in which non-nationals own no more than 49 per cent. Under the 2005 statute, companies with any foreign shareholding were eligible only for long-term leases, Musataha rights, or rights of usufruct in respect of real estate in the special investment areas.

 

• Non-nationals, whether natural or legal persons, may now acquire full ownership rights (often referred to as “freehold”) to real estate within the investment areas, and they may sell, mortgage and otherwise dispose of the same. Under the 2005 statute, freehold ownership in the investment areas was restricted to UAE nationals and nationals of other GCC member states.

 

• Nationals and their equivalents, whether natural or legal persons. The meaning of this reference to “their equivalents” is unclear, but it could possibly mean that national treatment will be extended to nationals of other GCC member states.

 

• Anyone in whose regard a decision is issued by the Crown Prince or the Chairman of the Executive Council.

 

It remains the case that a holder of a right of usufruct or Musataha in excess of 10 years may dispose thereof without the permission of the owner, including granting a mortgage; in contrast, the owner may grant a mortgage only after obtaining the consent of the holder of the usufruct right or Musataha. ■

Dubai Development Authority – UBO requirements

The Dubai Development Authority (DDA) (previously known as the Dubai Technology and Media Free Zone Authority (TECOM) and the Dubai Creative Clusters Authority (DCCA)) is the regulator of entities licensed to conduct business in Dubai Internet City, Dubai Media City, Dubai Knowledge Park, Dubai Outsource City, and other clusters regulated by the DDA.

 

The Federal Cabinet Decision 10 of 2019 on the Implementing Regulation of Federal Decree-Law 20 of 2018 on the Criminalisation of Money Laundering and Combating the Financing of Terrorism and the Financing of Unlawful Organisations (the Cabinet Decision) requires licensing authorities such as the DDA to identify the ultimate beneficial owners (UBOs) of businesses (Free Zone Entities) licensed by them. In response to this requirement, the DDA recently issued its Circular 323 regarding UBOs.

 

The DDA now requires all free zone companies (i.e. FZ-LLCs) and parent companies of branches licensed by the DDA to disclose details of their UBOs. A template of a form in which the details are required to be disclosed has been issued by the DDA (the UBO Declaration Form).

 

Definition of a UBO

 

As per the DDA’s Circular 323, any individual who ultimately owns or controls 25 per cent or more of a Free Zone Entity, whether directly as a shareholder, or indirectly via control of companies, other entities or structures that control the Free Zone Entity, is a UBO. This definition of a UBO is broad enough to cover trust arrangements.

 

UBO information

 

The following information of a UBO is required to be disclosed to the DDA:

 

(i) Full name

(ii) Name of the company

(iii) Date of birth

(iv) Nationality

(v) Passport number

(vi) Detailed residential address

(vii) Percentage (%) shares in the free zone company/parent company of a branch licensed by the DDA

 

Note that the DDA may require submission of a passport copy, proof of residential address and other documents of a UBO.

 

Exception from providing UBO information

 

In case a Free Zone Entity is a subsidiary or a branch of: (i) a company listed on a stock exchange; (ii) a government or government owned entity; or (iii) an entity registered and licensed in the UAE (outside the DDA’s jurisdiction), the UBO information is not required to be submitted to the DDA. In such a case, the UBO Declaration Form is required to be submitted to the DDA stating that the Free Zone Entity satisfies one of the above conditions.

 

Deadlines

 

As per the DDA’s Circular 323, existing Free Zone Entities will be required to submit the UBO Declaration Form as part of their license renewal process at the next renewal date. New entities will be required to submit the UBO Declaration Form as part of the incorporation/licensing process.

 

If there are any changes in the UBOs of a Free Zone Entity, such a Free Zone Entity is required to notify the DDA of the changes.

 

Other licensing authorities in the UAE

 

Apart from the DDA, many other free zones/licensing authorities in the UAE such as Dubai International Financial Centre, Abu Dhabi Global Market and Dubai Multi Commodities Centre already require submission of details of ultimate beneficial owners. It is likely that more and more free zones/licensing authorities will issue similar requirements in due course. ■

New economic substance regulations in the UAE

A previous inBrief dated 30 April 2019 discussed a law recently enacted in the BVI, the Economic Substance (Companies and Limited Partnerships) Act, 2018, which introduced economic substance requirements in the BVI. This article will discuss a similar measure recently promulgated in the UAE.

 

UAE Cabinet Resolution 31 of 2019 Concerning Economic Substance Regulations (the UAE Economic Substance Regulations or the Regulations) was published in the Official Gazette on 30 April 2019 and came into effect the same day.

 

Background

 

The European Union’s Code of Conduct Group (a group responsible for the EU’s taxation policy) maintains a blacklist of non-cooperative jurisdictions for tax purposes. In order to avoid being placed on that blacklist (or to attempt to be removed from it), jurisdictions such as the BVI, the Isle of Man, and the Cayman Islands, among others, have introduced legislation requiring entities established in such jurisdictions to demonstrate economic substance in their respective jurisdictions. The UAE was added to the blacklist in March of 2019, and the UAE Economic Substance Regulations were apparently promulgated in response to this development.

 

Relevant Activities

 

The UAE Economic Substance Regulations apply to any Licensee, which is defined to mean any natural or juridical person licensed by the competent licensing authorities in the UAE to carry out a Relevant Activity in the UAE, including in free zones and financial free zones. The Regulations identify nine Relevant Activities:

 

• Banking Businesses

• Insurance Businesses

• Investment Fund Management

• Lease-Finance Businesses

• Headquarters Businesses

• Shipping Businesses

• Holding Company Businesses

• Intellectual Property Businesses

• Distribution and Service Center Businesses

Economic Substance Test

 

Under the Regulations, a Licensee engaged in a Regulated Activity must meet an Economic Substance Test in relation to each Relevant Activity carried on by such Licensee. This includes but is not limited to demonstrating that its State Core Income-Generating Activities are carried out in the UAE. The activities that constitute State Core Income-Generating Activities vary for each of the nine Relevant Activities.[1]

 

Under Article 6(2) of the Regulations, a Licensee meets the Economic Substance Test if it satisfies the following criteria:

 

(a) If the Licensee conducts State Core Income-Generating Activity in the State.

(b) If the Licensee is directed and managed in the State in relation to that activity.

(c) Having regard to the level of Relevant Activity, if there is an adequate[2] number of qualified full-time employees in relation to that activity who are physically present in the State (whether or not employed by the Licensee or by another entity and whether on temporary or long-term contracts), or adequate level of expenditure on outsourcing to third party service providers, whose activities, employees, expenditure, and premises are in the State, and these activities, employees, expenditures and premises are adequate for carrying out the Relevant Activity being outsourced.

(d) If there is adequate operating expenditure incurred by it in the State, or adequate level of expenditure on outsourcing to third party service providers whose activities, employees, expenditure and premises are in the State, and these activities, employees, expenditures and premises are adequate for carrying out the Relevant Activity being outsourced.

(e) If there are adequate physical assets in the State or adequate level of expenditure on outsourcing to third party service providers in the State, for the activities of the Licensee.

(f) In the case of State Core Income-Generating Activity carried out for the relevant Licensee by another entity, if it is able to monitor and control the carrying out of that activity by the other entity.

Under Article 6(4), a Holding Company that derives its income from dividends and capital gains only is subject to a less stringent Economic Substance Test whereby such test is satisfied if the Licensee complies with all requirements to submit documents, records and information to the Regulatory Authority and has adequate employees and premises for holding and managing a Holding Company Business.

 

Regulatory Authority & Competent Authority

 

The Regulations stipulate that a Regulatory Authority will be delegated to regulate Relevant Activities in accordance with the Regulations. Such Regulatory Authority has not yet been identified. The Regulations stipulate that the Regulatory Authority will be appointed by the Cabinet pursuant to a further resolution.

 

The Regulations designate the UAE Ministry of Finance as the Competent Authority. The role of the Competent Authority is different from that of the Regulatory Authority. The Regulations stipulate that the Competent Authority shall issue guidance on how the Economic Substance Test may be met. The Competent Authority is also responsible for determining the form of certain reports to be filed by a Licensee pursuant to the Regulations. Each Licensee will report to the Regulatory Authority who in turn will share certain information with the Competent Authority.

 

Reporting Requirements

 

A Licensee engaged in a Regulated Activity has two periodic reporting requirements under the Regulations. Under Article 8(1) of the Regulations, a Licensee shall notify the Regulatory Authority annually of the following:

 

(a) Whether or not it is carrying on a Relevant Activity.

(b) If the Licensee is carrying on a Relevant Activity, whether or not all or any part of the Licensee’s gross income in relation to the Relevant Activity is subject to tax in a jurisdiction outside of the State; in all cases such Licensee shall provide the Regulatory Authority with all information and documentation required to be submitted by it pursuant to this Resolution or any further guidance or decision issued pursuant to this Resolution.

(c) The date of the end of its Financial Year.

Under Article 8(2) of the Regulations, the foregoing annual filing shall be made at the time specified by the Regulatory Authority and in the manner approved by the Regulatory Authority. As noted above, the Regulatory Authority has not yet been identified, so the filing deadline is currently unknown.

Article 8(3) of the Regulations states that: “A Licensee that is carrying on a Relevant Activity and is required to satisfy the Economic Substance Test shall, no later than twelve (12) months after the last day of the end of each Financial Year of the Licensee, prepare and submit to the Regulatory Authority a report which report shall be submitted by the Regulatory Authority to the Competent Authority.” Article 8(4) stipulates that such report shall be in the form approved by the Competent Authority and shall include the following information with respect to the Licensee:

(a) The type of Relevant Activity conducted by it.

(b) The amount and type of relevant income in respect of the Relevant Activity.

(c) The amount and type of operating expenses and assets in respect of the Relevant Activity.

(d) The location of the place of business and, if applicable, plant, property or equipment used for the Relevant Activity of the Licensee in the State.

(e) The number of full-time employees with qualifications and the number of personnel who are responsible for carrying on the Licensee’s Relevant Activity.

(f) Information showing the State Core Income-Generating Activity in respect of the Relevant Activity that has been conducted.

(g) A declaration as to whether or not the Licensee satisfies the Economic Substance Test.

(h) In the case of a Relevant Activity being an Intellectual Property Business, a declaration as to whether or not it is a high risk intellectual property business. If the Licensee declares that it is a high risk intellectual property business, the Licensee shall provide the information under paragraph (i) to refute a determination made by the Regulatory Authority under Clause 3 of Article 7 of this Resolution.  

(i) In the case of a Licensee that is carrying on a high risk intellectual property business, the following additional information must be provided:

i. Information demonstrating that the Licensee does and historically has exercised a high degree of control over the development, exploitation, maintenance, enhancement and protection of the intellectual property assets by an adequate number of full-time employees, with the necessary qualifications, who permanently reside and perform their activities in the State.

ii. Business plan showing the reasons for holding the ownership in the Intellectual Property Asset in the State.

iii. Employee information, including level of experience, type of contracts, qualifications and duration of employment with the Licensee.

iv. Evidence that decision making is taking place within the State.

(j) Where a Relevant Activity is outsourced by a Licensee, the Licensee must demonstrate the following:

i. The Relevant Activity that is outsourced is a Core Income-Generating Activity being carried out in the State.

ii. The Licensee has adequate supervision of the Relevant Activity outsourced.

iii. The Licensee shall submit to the Regulatory Authority a report containing information in relation to the level of resources employed by the third party service provider to which the Relevant Activity is being outsourced, demonstrating that the service provider’s activities, employees, operating expenditures and premises in the State are adequate in relation to the level of the outsourced Relevant Activity.

 

The Regulatory Authority may require a Licensee to provide such additional information, documents or other records as shall be reasonably required in order to make a determination as to whether the Economic Substance Test has been met.

 

Penalties

 

Failing to meet the Economic Substance Test carries an administrative penalty of a fine between AED 10,000 and AED 50,000 in any Financial Year. Failing to meet the Economic Substance Test again the following Financial Year carries a fine of not less than AED 50,000 and not more than AED 300,000.

 

Failure to provide information required under Article 8 of the Regulations (i.e., the reporting requirements discussed above), or providing inaccurate information, carries a fine between AED 10,000 and AED 50,000.

 

Implications

 

Historically, jurisdictions such as the BVI and the Cayman Islands have been major destinations for shelf companies (companies with little or no physical or economic presence in the jurisdiction of incorporation). The UAE has not been a major hub for shelf companies because, with limited exceptions (such as Jebel Ali offshore companies), businesses in the UAE are required to have physical offices and licenses to do business locally. Moreover, the UAE authorities have historically cooperated willingly with foreign official investigations into tax evasion, money laundering, and other offenses, and furthermore have implemented significant domestic measures. To us, it therefore appears that the European Union’s pressure on the UAE to implement economic substance legislation was misdirected. In any event, it will not have the same impact in the UAE as it will in countries that have been major hubs for offshore shelf companies.

 

Nonetheless, for Licensees that were originally established in the UAE to hold assets in other jurisdictions without a significant economic presence in the UAE, the Economic Substance Regulations will have significant ramifications. Compliance with the Regulations may require substantial restructuring of business operations.

 

Next Steps

 

All businesses licensed in the UAE should carry out an assessment to determine if they are subject to the Economic Substance Regulations and businesses that are subject to such Regulations should begin taking steps to ensure compliance. The timetable for compliance is currently unknown given that the Regulatory Authority has not yet been appointed but it would be prudent to start taking steps to comply as soon as possible. ■

*****
[1] The definition of State Core Income-Generating Activities for each of the nine Relevant Activities is set out in Article 5 of the Regulations.
[2] The Regulations stipulate that the Guidance to be issued by the Competent Authority may include guidance regarding the meaning of “adequate”.

New UAE regulatory policy for the Internet of Things

Along with the prediction that the continued growth of the Internet of Things (IoT) will transform our everyday lives and how we do business, we can also anticipate that the increased number of connected devices will bring about additional challenges, including greater security and privacy-related risks. In light of these challenges, the UAE Telecommunications Regulatory Authority (the TRA) has recently laid the groundwork for regulating IoT by introducing a regulatory policy (the IoT Policy) and a set of regulatory procedures (IoT Procedures) that give the TRA control and oversight over IoT services in the UAE while also setting forth some data protection-related principles. It is important that those that provide IoT services to the UAE market understand their obligations under the TRA’s IoT Policy going forward.

 

What is IoT?

 

When we speak of IoT, we generally refer to the network of everyday physical objects or devices connected to the Internet, which are able to communicate with other devices and collect and exchange data through software, embedded electronics, sensors and other forms of hardware. These devices can be consumer-based, such as wearables, cars, speakers, and smart home devices and appliances, as well as industry-based objects, such as intelligent medical devices, security systems, and machinery and robots used in factories.

 

In the IoT Policy, IoT is broadly defined as “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) Things based on existing and evolving interoperable information and communication technologies”.

 

Who is Subject to the IoT Policy?

 

The IoT Policy is applicable to all individuals, companies, public authorities, and other legal entities concerned with IoT within the UAE. This includes IoT Service Providers that are located in the UAE as well as foreign-based IoT Service Providers providing services remotely to the UAE market.

 

The TRA defines an IoT Service Provider as any individual, company or public authority that “provides an IoT Service to users (including individuals, businesses and the government) that will comprise the provision of IoT-related service/solutions”. In addition, an IoT Service is considered to be any “set of functions and facilities offered to a user by an IoT Service Provider”, other than IoT-specific Connectivity (which is generally the type of activity that is provided by a network service provider). The TRA’s wide-reaching definition of IoT Service Provider and IoT Service would likely capture traditional IT providers offering IoT related services or solutions to businesses located in the UAE as well as foreign companies bringing IoT related products to the market, such as cars and smart home devices and appliances.

 

Requirements under the IoT Policy

 

The following are some of the principal requirements under the IoT Policy:

 

Registration and Local Presence. All IoT Service Providers must register with the TRA and obtain a registration certificate. To obtain a registration certificate, the IoT Service Provider is required to have a local presence or an appointed representative physically present in the UAE to be responsible for communicating with the TRA and law enforcement agencies. It also must have registered its IoT Service with the TRA pursuant to the IoT Procedures.

 

Mission Critical IoT Service. If an IoT Service is characterised as Mission Critical (i.e., any service that if it fails, may result in an adverse impact on the health of individuals, public convenience or safety or national security), then the IoT Service Provider is required to meet additional requirements stipulated by the TRA, including maintenance of subscriber information.

 

Soft SIMs. The TRA requires prior approval for the use of Soft SIMs. A Soft SIM refers to a collection of software applications and data that performs all of the functionality of a SIM card, but does not reside in any kind of secure storage. Rather, the Soft SIM is stored in the memory and processor of the communication device.

 

Type Approval. Any Radio and Telecommunications Terminal Equipment (RTTE) as defined in the TRA’s type approval policy that is to be sold, offered for sale or connected to any Telecommunication Apparatus within the UAE, requires a type approval from the TRA. In addition, if the RTTE collects any data or information or is capable of providing IoT Service, then it must also meet additional requirements set forth in the IoT Policy.

 

IoT-specific Connectivity. Any person that intends to provide IoT-specific Connectivity must contact the TRA to obtain a license, and the TRA will conduct a case-by-case assessment to consider whether awarding such a license is necessary subject to the Telecommunications Law (Federal Decree Law 3 of 2003) and the licensing regime in place at the time.

 

Data Protection 

 

In addressing data protection, the IoT Policy focuses on data storage and the location of stored data. In drafting these provisions, the TRA evidently looked to existing international standards as well as Dubai’s own policies: many of the data protection-related terms and principles contained in the policy have been adopted from the General Data Protection Regulation (EU) 2016/679 (the GDPR) and the Dubai Data Manual published by Smart Dubai in 2016.

 

Data Storage. IoT Service Providers must adhere to the following principles:

 

• Purpose Limitation – Data must be collected for specified, explicit and legitimate purposes only and cannot be further processed in a manner that is incompatible with these purposes.

 

• Data Minimisation – Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

 

• Storage Limitation – Data must be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the data is processed.

 

Data Localisation. Essentially, data must be classified based on the potential impact that will be caused in the event of a confidentiality breach or uncontrolled disclosure, and where data is to be stored depends on its classification. The TRA has set out four categories of classification: Open, Confidential, Sensitive, and Secret. Each of these classifications is defined in the IoT Policy and has been adopted from the Dubai Data Manual.

 

Data that is considered Secret, Sensitive or Confidential for individuals and businesses must be primarily stored within the UAE. However, this type of data may be stored outside of the UAE provided that the destination country meets or exceeds the UAE’s data security and user protection policies and regulations. Personal Data (as defined in the GDPR) will be classified as Secret Data for individuals. If any data is classified as Secret, Sensitive or Confidential Data for the government, then it must always be stored in the UAE. Finally, data that is classified as Open Data for individuals, businesses or the government may be stored in the UAE or abroad.

 

Compliance with the IoT Policy

 

Although the IoT Policy and IoT Procedures have only recently been made available to the public, they have been in effect since 22 March 2018 and 6 March 2019, respectively. In addition, the one-year transition period set out in the IoT Policy has elapsed. Therefore, unless an additional grace period is given, IoT Service Providers must immediately begin complying with this new regulatory framework. Noncompliance may result in the temporary or permanent suspension of services and may be considered a breach of the Telecommunications Law, which could result in the imposition of fines and/or imprisonment.

 

Further Thoughts

 

The practical implications of the IoT Policy and IoT Procedures that are immediately obvious are the requirements that relate to data protection noted above. While the UAE (outside of the DIFC and ADGM) has not yet adopted a data protection law, the IoT Policy and Procedures have the effect of adopting certain key elements of a modern data protection regime and making them applicable to IoT Service Providers. If a liberal view is taken, this could be construed to apply to anyone who collects data remotely, as it could be difficult to draw a line between devices that collect and transmit data and do qualify as IoT devices, and those that still collect and transmit data (like a mobile phone) but do not qualify as IoT devices. It may be that all such devices are effectively treated as IoT devices, and the result will be that different data protection regimes apply in the UAE depending on whether the data was transmitted by a device as opposed to collected directly or with pen and paper. We anticipate that this inequality of treatment under the law will be a transient phase as the UAE moves uniformly towards a consistent data protection regime, but businesses and advisors will need to be aware of this dichotomy in the meantime. It is easy to speculate that TRA approval may also be required for importation of IoT devices, to enable the TRA to maintain a record or registry of IoT devices operating in the UAE.

 

We will provide further updates as this important area of regulation evolves.