-
Is there a single regulatory regime that governs software?
There is no single regulatory regime which governs software in the UAE.
In fact, the regulations with respect to software are fragmented across different sectors. These sectors primarily include financial institutions, data protection, virtual assets, health-tech, consumer rights and intellectual property.
-
How are proprietary rights in software and associated materials protected?
In the UAE, software and associated materials are granted protection under the copyright laws. Federal Decree-Law No. (38) of 2021 on Copyrights and Neighbouring Rights (“UAE Copyright Law”) applies, among other subjects, to “smart applications, computer programmes and applications, databases”, which arguably includes software and its associated materials.
Furthermore, according to Article 4 (2) of the UAE Copyright Law, if software or any other copyrightable work is not officially registered, it doesn’t mean that the legal protections and rights provided by the law disappear. The Federal Decree still protects the work as intended, regardless of whether it’s registered or not.
Article 12 of the UAE Copyright Law explicitly targets software, and states that any licensing of economic rights with respect to software and its associated material will only be considered valid under the Federal Decree if it’s done via contractual means.
It is imperative to note that Article 40 and Article 41 of the UAE Copyright Law only prohibit/penalise the use of a copyrightable software, if it is used without permission from the original author, or such copyrightable work is downloaded or stored without the permission of the original author.
-
In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?
Given that software and its associated materials are protected under the copyright regime, Article 28 of the UAE Copyright Law states that, unless otherwise agreed, if the author of the software creates the work for another individual, then the work belongs to that individual in whose favour the work has been made.
Consequently, in this situation, the software would belong to the customer in whose favour the work has been made.
-
Are there any specific laws that govern the harm / liability caused by Software / computer systems?
The Federal Decree-Law No. (34) of 2021 on Countering Rumors and Cybercrimes (“Cyber Law”) criminalises any act which involves hacking, infringement, interception, destruction, leakage, unauthorised dissemination or unauthorised storage of data. Hence, if any individual uses a software to commit any of the above acts it would be penalised under the Cyber Law.
-
To the extent not covered by (4) above, are there any specific laws that govern the use (or misuse) of software / computer systems?
The Federal Law No. 15 of 2020 on Consumer Protection (“Consumer Protection Law”) defines “Good” as “Every natural, industrial, agricultural, animal, transformative, intellectual, or technical product, including the raw materials of the substances and components of the product.” By virtue of the above definition, it can be inferred that software and its associated materials would fall within the definition of “Good” as stated under the Consumer Protection Law. Articles 11-13 of the Consumer Protection Law state the various obligations that the software supplier would have to fulfil if there is a defect in their product:
- If it is found that the software can cause harm to the consumer, then the supplier of such software must report it to the Ministry of Economy or any other competent authority. Such a report should comprise the potential damages which might be caused by the software and the ways to prevent the same.
- In the event of a malfunction the supplier would have to repair, replace or refund the price of the software.
- If the malfunction occurs three times from the date on which the consumer purchased the software, in a way that substantially impairs the functionality of the software, the supplier shall replace the software at no cost to the consumer.
-
Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?
While there are no specific laws directly governing the relationship between software vendors and customers, certain regulations do apply to financial institutions, virtual asset service providers (“VASP”), and health tech providers when they utilize software and cloud services.
The Central Bank of the UAE has issued Guidelines for Financial Institutions Adopting Enabling Technologies to promote safety, enhance transparency, and reduce systemic risks. These rules apply to all financial institutions which are regulated by the Central Bank of UAE (CBUAE), Securities and Commodities Authority (SCA), Dubai Financial Services Authority (DFSA) of the Dubai International Financial Centre (DIFC) and the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM). They specifically address the use of Application Programming Interfaces and Cloud Computing technologies, emphasising the need for a comprehensive governance structure, structured monitoring, auditability and regular assessments.
All VASPs licensed by the Virtual Assets Regulatory Authority (“VARA”) need to comply with the Technology and Information Rulebook issued by VARA. The Technology and Information Rulebook mandates that VASPs maintain a well-rounded governance structure; develop a risk assessment framework proportionate to their scale, complexity and diversity of operations; and put in place a stringent technology governance mechanism which includes all the appropriate governance and system control policies.
In May 2023, the UAE Cyber Security Council issued the National Cloud Computing Policy that outlines principles for secure cloud computing, provides guidance to the cloud ecosystem, and sets requirements for cloud security. It aims to protect both Cloud Service Providers (CSPs) and consumers while avoiding negative impacts on investment and sector growth. The policy emphasises the need for a governance framework, risk management, third party and supply chain security and independent testing for consumers of cloud services. The policy also has a dedicated section on the data security practices to be followed by CSPs, which includes formulating a robust data governance policy that elaborates on classification, handling, labelling and lifecycle management of data, data encryption and location awareness of data.
The Federal Law No. (2) of 2019, Concerning the Use of the Information and Communications Technology in Health Fields places additional obligations on the use of “Information and Communications Technology” in the field of health, such as:
- Maintaining strict confidentiality with respect to health data
- Ensuring the validity and security of health data
- Facilitating easy access and availability of health data to authorised personnel
-
Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If ‘yes’, what would be considered a market standard level of cap?
Software vendor liability caps are frequently included in software transactions within the UAE. Determining a standard level of liability cap can be challenging due to various factors, such as the bargaining power of the parties and the specifics of the transaction structure. Generally, software liability caps range anywhere between the total contract value and the annual subscription fee of the software.
-
Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor’s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.
In most cases (a) confidentiality breaches, (b) data protection breaches (c) data security breaches (d) IPR infringement claims and (g) wilful or deliberate breaches are typically excluded from the liability cap. However, except for (g) wilful and deliberate breaches, a software vendor would push for all the aforementioned areas of liability to either fall under the general cap or a separate enhanced liability cap.
-
Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used? Is an equivalent service offered for cloud-based software?
The practice of holding software source code in escrow is not widely adopted in the UAE, but it has gained popularity in recent years. Escrow services for software source code are primarily used to safeguard critical business software. In software licensing transactions, these escrow services protect the interests of both the licensee and the licensor. By placing the software in escrow, the licensee is relieved of liability in case of hacking, theft, or corruption of the software. Simultaneously, the bespoke software being provided by the licensor is stored under state-of-the-art security and surveillance measures.
One of the notable companies providing software escrow services in the UAE is Escode, which also offers specialised services for cloud-based software solutions.
-
Are there any export controls that apply to software transactions?
The Federal Decree Law No. (43) of 2021 on the Goods Subject to Non-Proliferation governs export controls on commodities in the UAE. The term “goods” includes materials, systems, equipment, components, software or technology listed in the control list issued by the Council of Ministers.
In accordance with the list published by the Council of Ministers, if software is used for military or security purposes, it will be subject to export controls in the UAE and hence would need the approval of the Executive Office of Control and Non-Proliferation.
-
Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?
There are no specific technology laws governing IT outsourcing in the UAE.
Nonetheless, various laws and regulations have in-built provisions providing guidance on internal policy requirements for IT functions, outsourcing, and minimum requirements for outsourcing agreements in relation to the specific activity(ies) regulated thereunder.
Specifically, wherever IT outsourcing is being undertaken by regulated entities, like exchange houses, banks, insurance providers or VASPs, the sector-specific laws prescribe standards and rules for outsourcing.
-
Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.
No specific law exists in relation to the transfer of an employee’s work to a third party which would effectively render the employee dismissed. Nonetheless, the federal employment law framework provides procedural and substantive obligations for employers to follow in terminating the services of an employee.
-
Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and/or services, including a brief explanation of the general purpose of those laws.
The primary legislation governing the telecommunications sector within the UAE (including all free zones) is the Federal Law by Decree No. 3 of 2003 Regarding the Organization of Telecommunications Sector (as amended) (“Telecommunications Law”), supplemented by several regulations, rulings, and licensing guidelines. The Telecommunications and Digital Government Regulatory Authority (TDRA) has been established under the Telecommunications Law as the statutory body responsible for regulating and managing telecommunications and information technologies in the UAE.
The Telecommunications Law mandates a licensing requirement for the sale, provision, or operation of ‘Telecommunication Services’, though some services can be provided through agreements with existing UAE licensed operators. Telecommunication Services are defined as the service of transmitting, broadcasting, switching, or receiving by means of a telecommunications network any of the following:
- wired and wireless telecommunications;
- voice, music, and other sounds;
- visual images;
- signals used in radio and TV broadcasting;
- signals used to operate and control machinery or apparatus;
- The installation, maintenance, adjustment, repair, replacement, moving or removal of apparatus which is or will be connected to a public telecommunications network;
- The construction, maintenance and operation of networks for telegraph, telephone, telex, leased circuits, domestic and international data networks, Internet and Wireless Transmission; or
- Any other Telecommunications Services approved by the Board.
Other relevant legal frameworks include:
- TDRA-CPR: The TDRA is empowered by the Telecommunications Law to represent customer interests and ensure consumer protection. As such, the TDRA issued the Consumer Protection Regulations 2020 (CPR), outlining consumer rights and responsibilities, service standards, terms of supply, complaint handling, information provision, personal data usage, and billing for subscribers.
- PDPL: Personal data within the UAE is regulated under the Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data (“PDPL”), applicable to all sectors within the UAE, including the telecommunications sector. It ensures information confidentiality, protects privacy, provides governance for data management and protection, and defines the rights and duties of all parties. (See also question 18.)
-
What are the principal standard development organisations governing the development of technical standards in relation to mobile communications and newer connected technologies such as digital health or connected and autonomous vehicles?
Whilst specific technical standards do not exist per se, several bodies within the UAE have provided regulatory frameworks and policies to guide industry players in developing and adopting connected technologies.
TDRA: The TDRA is a key regulator within the UAE, stipulating principles and guidelines for connected technologies and having provided a regulatory procedure and policy to regulate the Internet of Things (IoT).
AD-DOH: The Abu Dhabi-Department of Health (AD-DOH) has established a guidance policy on digital health to be able to adopt digital health technology to improve communication, responsiveness, access, quality, and safety of healthcare services.
EHS: The Emirates Health Services (EHS) has adopted IoT technology to collect user data from digital health devices.
Dubai: The governing body of Dubai recently passed Law No. (9) of 2023 on regulating the operation of autonomous vehicles in the Emirate of Dubai, thus providing a supervisory framework for autonomous vehicles operating within the Dubai Emirate.
-
How do technical standards facilitating interoperability between connected devices impact the development of connected technologies?
Technical standards significantly impact the development of connected technologies by ensuring compatibility, fostering innovation, and enhancing user experience. Such standards can help to reduce development costs and accelerate innovation by providing a common framework. They also improve security and reliability, support regulatory compliance, and enable the creation of broader ecosystems, leading to new use cases and business models.
-
When negotiating agreements which involve mobile communications or other connected technologies, are there any different considerations in respect of liabilities/warranties relating to standard essential patents (SEPs)?
N/A
-
Which body(ies), if any, is/are responsible for data protection regulation?
The Federal Decree-Law No. 44/2021 on the Establishment of the UAE Data Office institutes the UAE Data Office as the data protection regulatory authority under PDPL. The UAE Data Office acts as the federal data regulator and is responsible for preparing data protection policies and legislation, proposing and approving monitoring standards, developing complaint systems, and issuing implementation guidelines in relation to the PDPL.
Furthermore, the DIFC and the ADGM free zones have their own responsible bodies for their respective jurisdictions. The responsible bodies are the Commissioner of Data Protection and the Office of Data Protection for DIFC and ADGM respectively. Additionally, even though the Dubai Healthcare City (“DHCC”) free zone has a dedicated data protection framework, it has yet to establish a data protection body.
-
Please summarise the principal laws (present or impending), if any, that govern data protection, including a brief explanation of the general purpose of those laws.
Personal data within the UAE and at the federal level is governed by the PDPL. The PDPL applies to the processing of personal data within the UAE, as well as to data controllers and processors outside the UAE handling the personal data of individuals from the UAE. However, it does not apply to government data, public entities, personal data for personal use, health or credit data if protected and governed by separate legislation, or entities in free zones with their own data protection regulations. The PDPL outlines the rights of data subjects in line with global standards and includes thorough obligations for controllers and processors. Additionally, the PDPL outlines requirements for transferring data outside the UAE.
Other relevant federal laws
- The Constitution of the United Arab Emirates 1971 (“UAE Constitution”): The UAE Constitution guarantees citizens’ general right to privacy, ensuring the freedom and confidentiality of communication by post, telegraph, and other means under the law.
- The Consumer Protection Law establishes and protects consumer rights in relation to consumer privacy and security without using their data for promotion and marketing purposes.
- Federal Decree-Law No. 34 of 2021 on Countering Rumors and Cybercrimes (“Cybercrime Law”) aims to enhance online safety by addressing the misuse of technology. The Cybercrime Law provides a comprehensive framework to combat various cybercrimes and protect personal and national interests in the age of social media and online activities.
Sector Specific Frameworks
Banking and Credit Data
The Central Bank of UAE (CBUAE) has implemented several data protection requirements across its legal framework including the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities (Central Bank Law), Consumer Protection Regulation 2020, and the Consumer Protection Standards 2021. Moreover, the CBUAE’s Stored Value Facilities Regulation 2020 (SVF Regulation) and the Retail Payment Services and Card Schemes Regulation 2021 (RPSCS Regulation) contain specific data protection requirements in relation to the respective licensees thereunder.
Separately, Federal Law No. 6 of 2010 on Credit Information stipulates that entities must use mechanisms and terms for protecting and maintaining the confidentiality of credit information and conditions for exchanging credit information outside the state.
Health
The health sector is primarily regulated by the Federal Law No. (2) of 2019, Concerning the Use of the Information and Communications Technology in Health Fields (“ICT in Health Law”). The ICT in Health Law ensures the safety and security of health data stipulating requirements for maintaining data confidentiality and protecting data from unauthorised changes. The ICT in Health Law is supplemented by the Cabinet Resolution No. (32) of 2020 Concerning the Executive Regulation of the Federal Law Concerning the Use of the Information and Communication Technology in the Areas of Health (“ICT in Health Regulation”). The ICT in Health Regulation sets conditions and controls for storing and exchanging health data through a centralised system, including system access requirements and authorization controls. Additional guidance is provided under the Ministerial Resolution No. (51) of 2021 regarding the cases in which health data and information may be stored or transferred outside the country (“Health Transportation Law”). The Health Transportation Law clarifies the situations and conditions for storing or transferring health data outside the UAE.
Telecommunications
The TDRA’s Telecommunications Law and TDRA-CPR collectively provide a data protection regime for the telecommunications sector (see also question 13). Additionally, the TDRA’s Internet Access Management (“IAM”) policy provides a user privacy protection guideline for website owners.
Free Zones
As stated before, the PDPL excludes its jurisdictional application from free zones with dedicated legislation for personal data protection. The excluded free zones include the DIFC, ADGM, and Dubai Healthcare City (“DHCC”) which have implemented their own personal data protection regimes.
DIFC: Personal data is regulated under the DIFC Law 5 of 2020 Data Protection Law (“DIFC-DPL”) and the Data Protection Regulations 2020 (“DIFC-DPR”).
ADGM: Personal data is regulated under the Data Protection Regulations 2021 (“ADGM-DPR”), which provide the framework for data protection.
DHCC: Personal data is primarily regulated under Regulation Number (7) of 2013 - Health Data Protection Regulation (“HDPR”). Additionally, the DHCC provides that all healthcare regulations within the DHCC are managed by the Dubai Health Authority (“DHA”); as such, the DHA’s Health Data Protection and Confidentiality 2022 (“HDPC”) could apply.
-
What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?
PDPL: The executive regulations to the PDPL which are expected to provide the relevant sanctions for breaches under the law are yet to be published at the time of writing.
DIFC: The administrative fines stipulated under the DIFC-DPL for contraventions of the said law range between $25,000 – $100,000. The Commissioner of Data Protection is empowered to issue an additional general fine to the stipulated amounts if considered appropriate and proportionate to the breach committed.
ADGM: For the various contraventions identified under the ADGM-DPR, the administrative penalties that can be imposed are capped at $28 million. The Office of Data Protection shall be guided by the conditions and procedures stipulated under the ADGM-DPR when imposing an administrative penalty.
DHCC: Non-compliance with the HDPR could result in a maximum fine of AED 5,000 (~USD 1,361).
-
Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?
The PDPL aligns closely with global standards, particularly the EU’s General Data Protection Regulation (GDPR), in terms of definitions, principles, and data subject rights. As such, technology contracts in the UAE do not typically need to reference external data protection regimes. There may be instances where there can be differences, gaps, or conflicts with an external jurisdiction’s framework and where compliance with the external data protection laws is necessary. In such cases, contracts might include clauses to ensure adherence to these regimes, but this would be more of an exception rather than the norm.
-
Which body(ies), if any, is/are responsible for the regulation of artificial intelligence?
Currently, there is no designated body for regulating Artificial Intelligence (AI) within the UAE. Nonetheless, the UAE has established the UAE Council for Artificial Intelligence and Blockchain (AI Council), tasked with proposing policies for an A.I.-friendly ecosystem, advancing sector research, and promoting public-private collaboration, including with international institutions, to accelerate A.I. adoption. Please refer to Response 22 for more details on UAE’s initiatives in this sector.
-
Please summarise the principal laws (present or impending), if any, that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.
Whilst a dedicated framework for AI does not exist currently within the UAE, regulators have been proactive in providing guidance frameworks and policies.
AI Council: The AI Council has published several guides coupled with self-assessment tools in relation to AI including the Deepfake Guide, AI Hardware Infrastructure Report UAE, Artificial Intelligence Guide, Blockchain Guide, AI Guide, and the UAE AI Strategy.
Supervisory Authorities: Furthermore, in 2021, the financial regulators within the UAE including the CBUAE, Securities and Commodities Authority (“SCA”), DFSA, and FSRA (“Supervisory Authorities”) issued Guidelines for Financial Institutions Adopting Enabling Technologies (“Enabling Technology Guidelines”). The Enabling Technology Guidelines set out best practices for financial institutions when adopting enabling technologies such as big data analytics and AI. Its key objective is to promote the growth of the UAE’s financial sector through the adoption of enabling technologies while ensuring proportional risk management.
DIFC: The DIFC recently updated its DIFC-DPR in September 2023 to introduce requirements that would require DIFC entities to adhere to the new AI-related provisions. The introduction of Regulation 10 under the DIFC-DPR provides a regulatory framework for the processing of personal data via autonomous and semi-autonomous systems. It sets out the obligations for ‘Deployers’, ‘Operators’ and ‘Providers’ as defined under the DIFC-DPR. Further, it imposes a general requirement for autonomous and semi-autonomous systems to follow the principles of ethics, fairness, transparency, and accountability in addition to implementing consumer protection measures.
ADGM: In 2019, the ADGM’s Financial Services Regulatory Authority (“FSRA”) released the Supplementary Guidance on Authorisation of Digital Investment Management (“Robo-Advisory”) Activities (“Robo-Advisory Guidance”). The Robo-Advisory Guidance seeks to assist the industry by outlining how the FSRA’s existing regulatory framework applies to robo-advisory businesses within its jurisdiction. It covers essential areas, including the necessary regulatory permissions and additional compliance requirements for offering digital investment services.
Dubai: The Dubai Digital Authority has issued its own guidelines for AI principles and ethics coupled with a self-assessment toolkit for industry participants to self-review. Dubai also recently launched the ‘Dubai Universal Blueprint for Artificial Intelligence’ and announced the appointment of 22 Chief AI Officers across key government departments that will support the agenda for adopting and regulating AI.
-
Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and/or generative AI?
No. Currently, the UAE has not established any regulatory framework or provisions for generating Large Language Models (“LLMs”) or generative AI. Nonetheless, the AI Council has published two guidelines for practical use cases in generative AI.
-
Do technology contracts in your jurisdiction typically contain either mandatory (e.g mandated by statute) or recommended provisions dealing with AI risk? If so, what issues or risks need to be addressed or considered in such provisions?
Save for the amendments made to the DIFC-DPR to introduce a notification requirement for entities employing autonomous and semi-autonomous systems, the existing regulatory frameworks do not expressly stipulate a requirement to address AI risks within contractual agreements. As such, entities established within the DIFC using autonomous and semi-autonomous systems are therefore mandated by law to notify their users (via the user agreement, privacy policy, or otherwise) of the fact that said systems are in use, the risk mitigation measures adopted, and the potential risks that the users should consider.
Additionally, given the proliferation of AI usage and entities within the UAE, it can be reasonably expected that the published guidelines, policies, and ethical principles are being employed in drafting risk-mitigating contractual clauses related to AI.
-
Do software or technology contracts in your jurisdiction typically contain provisions regarding the application or treatment of copyright or other intellectual property rights, or the ownership of outputs in the context of the use of AI systems?
Whilst express provisions do exist to establish the Intellectual Property (“IP”) right of ownership for AI-generated content, the existing legal frameworks can be employed to support the case for AI. The definitions of identified works and authors under existing IP laws within the UAE (federal and free zones) can be widely interpreted to include AI-generated content and credit the AI system as an author. However, a major dilemma remains unresolved as to determining the author between the human that inputs the prompt and the AI that generates the result based on the prompt. Given the lack of a regulatory determination on this aspect, it would therefore be a task for the contracting parties to negotiate and determine the distribution and ownership of the IP of AI-generated content.
-
What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?
Blockchain and digital assets are well embraced and supported by regulators through adequate and supportive regulatory frameworks within the UAE. There are several regulatory bodies within the UAE that cover blockchain and digital assets, addressing varying aspects within the wider sector. Currently, most of the existing frameworks are dedicated to digital assets and a few others specifically address blockchain.
Federal
CBUAE: The CBUAE regulates payment token services (payment tokens being colloquially known as stablecoins) across the UAE (except for the financial free zones of DIFC and ADGM) under the recently established Payment Token Services Regulations. Payment tokens were previously regulated under the RPSCS Regulation and the SVF Regulation in relation to custodial services. Additionally, the Enabling Technology Guidelines issued through a collaborative initiative with the Supervisory Authorities establish guiding principles for adopting Distributed Ledger Technology (DLT) and blockchains.
SCA: Regulates Virtual Assets (“VA”) and Virtual Asset Service Providers (VASPs) under Cabinet Resolution No.111 of 2022 on the regulation of Virtual Assets and Service Providers (“VA Resolution”) and other regulations, across the UAE (except for the financial free zones of DIFC and ADGM). Through Decision No. 112/2022 on Delegating Certain Competencies related to the Regulation of Virtual Assets, the SCA has delegated its regulatory authority to the Dubai Virtual Asset Regulatory Authority (“VARA”) as the dedicated regulator within the Emirate.
Dubai Emirate: VARA is the dedicated regulator for VA and VASPs operating within the Dubai Emirate. Its regulatory framework consists of the VARA Law No. (4)/2022 on Regulating Virtual Assets in the Emirate of Dubai and the Virtual Assets and Related Activities Regulations 2023 coupled with the rulebooks and administrative decisions issued thereunder (“VARA Framework”). The VARA Framework establishes a comprehensive regulatory framework for various types of VASP activities including advisory services, broker-dealers, custodial services, exchanges, lending and borrowing, investment management, transfer services, and VA issuance. Additionally, VARA has also established an issuance framework for Fiat Referencing Virtual Assets (“FRVA”), i.e. stablecoins.
DIFC: DIFC’s regulatory framework for digital assets is outlined in the Regulatory Law 2004 and its associated rulebooks coupled with Consultation Paper No. 143 – Regulation of Crypto Tokens. The framework provides a licensing and regulatory regime for VASPs and specific VAs.
ADGM: ADGM’s regulatory framework for digital assets is specified under inter alia, (i) Financial Services and Market Regulations, 2015 (“FSMR”) and the related rulebooks, (ii) Guidance on Regulation of Virtual Asset Activities (“Virtual Asset Guidance”), (iii) Guidance on Regulation of Digital Securities Activity in ADGM (“Digital Securities Guidance”), and (iv) Guidance on Regulation of Digital Security Offerings and Virtual Assets (“Offering Guidance”). The framework provides a licensing and regulatory regime for VASPs and specific VAs. Furthermore, ADGM is currently the only regulator within the UAE to have established a blockchain specific law under the DLT Foundations Regulation 2023.
RAKDAO: The Ras Al Khaimah Digital Asset Oasis (“RAKDAO”) is an economic free zone focused on licensing businesses engaged in VA activities, blockchain, Web3, and AI. RAKDAO has been recently established and has yet to issue specific blockchain or digital asset laws. However, it is anticipated that the relevant frameworks will be introduced in the near future.
-
Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.
In the UAE, the Federal Decree by Law No. (14) of 2023 Concerning Modern Technology Based is the principal law for digital marketplaces. The aim of this Federal Decree is to develop the digital economy, protect consumer rights, and ensure secure digital transactions. It covers goods, services, and data transactions via technological platforms, including websites, e-platforms, smart applications, electronic commerce, and social media platforms. The Federal Decree prioritizes consumer safety within the digital marketplace by requiring strict adherence to all legal and regulatory requirements, including data protection regulations. It mandates the establishment of a secure environment for consumer transactions and the implementation of robust cybersecurity measures to prevent hacking incidents.
It also ensures that consumers have the right to transparent information, the right to return, replace or recover the price of defective goods, the right to safe digital transactions and the right to contact and lodge complaints against digital marketplaces/traders.
The Internet Guidelines issued by the Telecommunications and Digital Regulatory Authority also impact digital marketplaces in the UAE. The Internet Guidelines emphasise that the content on a website must be in line with the UAE’s public morality. Content that violates cultural norms, including pornography, inciteful material, promoting terrorism, prohibited commodities or illicit acts, is considered unacceptable. The website operators of a digital marketplace would have to operate with extreme caution and ensure that such content is not displayed on their websites.
There is no specific regulation which governs search engines in the UAE. However, the Federal Decree-Law No. (34) of 2021 On Countering Rumors and Cybercrimes (“Cybercrime Law”) and the Federal Decree by Law No. (45) of 2021 Concerning the Protection of Personal Data (“PDPL”) regulate different aspects of search engines.
Under the Federal Decree-Law No. (34) of 2021 On Countering Rumors and Cybercrimes, search engines are defined as an “Information Network Broker”. An “Information Network” is defined as “A connection between two or more information programs and information technology equipment that allow users to get access to and exchange information.”
Some of the provisions in the Cybercrime Law which deal with the dissemination of false, anti-national or inciteful information directly impact search engines. If search engines fail to take prompt action to remove such information when requested, or lack the appropriate audit/filtration mechanisms to deal with such posts, they might end up being penalised under the Cybercrime Law.
Lastly, both search engines and digital marketplaces have to comply with the data protection provisions stated under the PDPL. These entities must ensure that they handle data in accordance with the provisions specified in the PDPL, covering aspects such as processing, storage, and usage of personal data.
-
Please summarise the principal laws (present or impending), if any, that govern social media, including a brief explanation of the general purpose of those laws?
Social media in the UAE is primarily regulated by:
- Federal Decree-Law No. (34) of 2021 On Countering Rumors and Cybercrimes (“Cybercrime Law”)
- Federal Decree by Law No. (55) of 2023 Concerning Media Regulation (“Media Law”)
- Internet Guidelines issued by the Telecommunications and Digital Regulatory Authority
- Federal Decree by Law No. (45) of 2021 Concerning the Protection of Personal Data (“PDPL”)
Under the Cybercrime Law, “social media” entities fall under the category of “information network brokers”. Hence, just like “search engines”, all provisions in the Cybercrime Law which deal with the dissemination and broadcasting of information would also be applicable to social media entities. Consequently, if these entities were to broadcast or distribute information that is considered inciteful, false, anti-national or defamatory, they would be penalised under the law.
Social media entities fall in the category of “media outlets” under the Media Law. A social media entity as per Article 8 of the Media Law conducts the activity of “Electronic and digital media activities”. Thus, a social media entity under the Media Law would have to obtain a license under Article 12 from the Media Regulatory Office to operate in the UAE. Along with obtaining the requisite license, all social media entities would also have to comply with the Media Content Standards as provided under Article 17 of the Media Law. The Media Content Standards in the UAE require social media entities to adhere to a comprehensive set of guidelines aimed at maintaining societal harmony, respecting religious beliefs, and safeguarding national interests. These standards encompass avoiding offense to state institutions and symbols, aligning with domestic and international policies, and refraining from content that could harm foreign relations or national unity. They also emphasize upholding cultural heritage, preventing incitement of violence or sectarian strife, and respecting privacy of individuals and public morals.
Similar to digital marketplaces, if a social media entity publishes, distributes or broadcasts any information that violates cultural norms, including pornography, inciteful material, promoting terrorism, prohibited commodities or illicit acts, it would be in violation of the Internet Guidelines published by the Telecommunications and Digital Regulatory Authority.
All social media entities in the UAE must comply with the data protection provisions stated under the PDPL. These entities must ensure that they handle data in accordance with the provisions specified in the PDPL, covering aspects such as processing, storage, and usage of personal data.
-
What are your top 3 predictions for significant developments in technology law in the next 3 years?
Artificial Intelligence: As AI technologies become more integrated into everyday life and business operations, there will likely be increased scrutiny and regulation. This could involve guidelines for ethical AI development, liability frameworks for AI decisions, and regulations concerning AI biases and fairness. The UAE has already started moving in this direction, but instead of opting for stringent regulations from the get-go, it has adopted a more business-friendly approach towards AI regulation and development. The UAE’s approach towards AI is centred around growing the country’s digital economy. The UAE National Strategy for Artificial Intelligence 2031, supported by the UAE Council for Artificial Intelligence and Blockchain, aims to position the UAE as a global leader in AI. Furthermore, the Ministry of AI has issued non-binding AI ethics principles and guidelines, aimed at promoting ethical AI design and use. While Abu Dhabi establishes the Artificial Intelligence and Advanced Technology Council to boost AI research and development, regulatory frameworks presently remain minimal, reflecting efforts to foster innovation. Along similar lines, Dubai has also issued Smart Dubai AI ethics guidelines and a universal blueprint for AI to drive economic transformation, integrating AI across sectors.
Payment Tokens: The introduction of the Payment Token Regulation by the Central Bank of the UAE (CBUAE) marks a significant milestone in the evolution of the UAE’s financial landscape, solidifying its position as a global leader in the crypto and virtual assets sector. By establishing a clear and comprehensive regulatory framework, the UAE not only aligns with international standards, such as the EU’s MiCA regulations on stablecoins, but also creates a favorable environment for innovation and growth in payment token services. This regulation paves the way for the adoption and integration of Payment Tokens, defined as virtual assets that maintain a stable value by referencing fiat currencies or other stablecoins, into the UAE’s financial system. The categorization of Payment Tokens into Dirham Payment Tokens and Foreign Payment Tokens, coupled with the licensing requirements for activities such as issuance, conversion, and custody and transfer, ensures a robust and secure ecosystem for both businesses and consumers. As crypto and virtual asset companies seek jurisdictions with clear and supportive regulatory frameworks, the UAE will stand out as a prime destination, poised to leverage the potential of Payment Tokens to enhance financial inclusion, streamline cross-border transactions, and foster economic growth.
Healthcare: The UAE’s health care spending is projected to increase to 5.4% of GDP by 2024, driven by a compound annual growth rate (CAGR) of 8.5%. The UAE’s healthcare sector has seen significant growth driven largely by the expanding presence of health insurance. The country features a robust government-funded healthcare service alongside a rapidly advancing private healthcare sector. Recent developments in healthcare regulation in the UAE reflect two main trends: first, an expanded role for the Ministry of Health and Prevention and improved coordination among regulatory bodies; second, a clear separation between provider functions and regulatory oversight. These trends aim to enhance healthcare standards and efficiency across the UAE’s healthcare landscape. However, to sustain these trends and become a medical tourist hub in the future, the UAE would have to:
- Focus on building interconnected, digital-first healthcare systems that integrate AI, robotics, and advanced technologies to improve care delivery;
- Create a hospitable regulatory environment and robust digital infrastructure aimed at attracting manufacturers, investors, and innovators in the health sector; and
- Promote educational opportunities and career pathways designed to inspire and engage UAE citizens in pursuing careers within these industries.
-
Do technology contracts in your country commonly include provisions to address sustainability / net-zero obligations or similar environmental commitments?
Presently in the UAE, technology contracts do not include any provisions pertaining to environmental obligations or net zero commitments. However, in today’s era with the gradual rise in environmental awareness and sustainability, this contractual trend might evolve to include such provisions.
United Arab Emirates: TMT
This country-specific Q&A provides an overview of TMT laws and regulations applicable in United Arab Emirates.