In brief: telecoms regulation in United Arab Emirates

Communications policy

Summarise the regulatory framework for the communications sector. Do any foreign ownership restrictions apply to communications services?

The United Arab Emirates (UAE) consists of seven emirates, each of which operates as its own legal jurisdiction, and laws are made at both a federal and an emirate level. Some emirates have defined areas within them that have been designated as free zones, which typically have separate civil and commercial laws for businesses and individuals in the relevant free zone, although they all remain subject to UAE federal criminal law. Examples of free zones in the UAE include Dubai International Financial Centre, Dubai Creative Clusters Authority and Abu Dhabi Global Markets. For the purposes of this chapter, unless otherwise specified, we focus on the laws and regulations applying at a federal level.

The principal law in the UAE that relates to the communications sector is Federal Law No. 3 of 2003 Regarding the Organisation of the Telecommunications Sector (the Telecoms Law).

The Telecoms Law establishes the Telecoms and Digital Government Regulatory Authority (TDRA) as the regulator of the telecommunications and information technology sector in the UAE. The Telecoms Law establishes a licensing-based regulatory framework for the supply of telecommunications services to customers in the UAE. Article 37 of the Telecoms Law, for instance, provides that individuals and corporate entities may not provide ‘telecommunications services’ through ‘public telecommunications networks’ to customers and ‘subscribers’ without obtaining a licence. Article 37 of the Telecoms Law is complemented by TDRA Resolution No. (6) of 2008 regarding the Licensing Framework (the Licensing Framework). The Licensing Framework provides that ‘regulated activities’ in the state are licensable by the TDRA. Here, ‘regulated activities’ means the operation of a ‘public telecommunications network’ or the provision of ‘telecommunication services’.

Telecommunications services are defined in the Telecoms Law as delivering, broadcasting, converting or receiving, through a telecommunications network:

• wire and wireless communications;
• voice, music and other audio material;
• viewable images;
• signals used or transmission (other than public broadcasts);
• signals used to operate and control machinery or equipment;
• activities relating to the interconnection of equipment with a public telecommunications network;
• operating data transmission services, including the internet; and
• any other services approved by the High Committee appointed under the Telecoms Law.

Foreign ownership restrictions that previously applied to onshore companies in the UAE have been eased following amendments under Federal Decree-Law No. 26/2020 to the UAE’s Commercial Companies Law (Federal Law No. 2/2015) (which has now been replaced by Federal Decree-Law No. 32/2021 on Commercial Companies). The Departments of Economic Development of Abu Dhabi and Dubai have both released their respective lists of activities that would allow foreigners to establish companies with 100 per cent full ownership.

Cabinet Decision No. 55/2021 on the Determination of the List of Strategic Impact Activities outlines seven categories of activities (eg, education, defence and telecommunications) that are considered to have a strategic impact on the UAE’s economy whereby prior approval of the relevant regulatory authority needs to be obtained. Save for fisheries-related services (which require 100 per cent UAE ownership), the specific details of minimum UAE ownership and UAE board representation requirements of these activities are to be decided by the relevant regulatory authority (Strategic Impact List).

Companies established in free zones are exempted from these foreign shareholder restrictions and can be wholly foreign-owned, and several international communications operators have established wholly owned entities in such free zones; however, they cannot offer public telecommunications services in the UAE, which, since 2006, has been a closed duopoly market.

The two providers of public telecommunications services (du and Etisalat) are licensees of the TDRA. The eligibility element of each licence refers to the licensee being a ‘UAE juridical entity established and in good standing under the laws of the UAE’.

Other than public telecommunications services, there is scope for non-UAE businesses to actively participate in the broader communications sector, although even international businesses that have procured a specific licence from the TDRA have largely done so through a UAE-incorporated entity as the licensee. Beyond the provision of public telecommunications services in the UAE, there are many businesses offering products and services as part of the wider communications eco-system, and many of these are not subject to foreign ownership restrictions.

Describe the authorisation or licensing regime.

Under the Telecoms Law, the provision, operation or sale of any telecommunications services through a public telecommunications network in the UAE requires a licence from the TDRA.

Currently, only two operators are licensed for public telecommunications in the UAE: du and Etisalat. This follows government policy on the operation of a duopoly in the telecommunications field. We understand the TDRA is not currently considering further licences to break the duopoly.

The licences granted to du and Etisalat have various features; for example, each is required to filter the content that flows through its networks in line with the priorities of the state. Notable content filtering takes place concerning matters concerning the state, foreign policy and morality issues. The decision as to which content should be filtered is essentially made through private discussions between the TDRA and the mobile operators (regarding TDRA policies on internet access), but there is no practice of publishing details on specific content-level filtering rationale.

In addition to the duopoly policy on fixed and mobile public telecommunications services, the TDRA has issued licences to other UAE entities for specific purposes, such as broadcast satellite transmission, public access mobile radio, mobile satellite and satellite services.

All such licences are issued individually to entities meeting various requirements under the Telecoms Law and under a decision made by the TDRA board. A licence can be categorised as either a class licence or an individual licence. Individual licences refer to whether scarce resources are requested such as spectrum or frequencies; class licences are issued where non-scarce resources are required and where the activities are insignificant enough that less regulatory supervision is required.

The TDRA requires an application form to be completed by a potential licensee, which includes relevant information such as management and shareholding structures, their business operations, including the type of networks and services they intend to provide and funding sources for these business operations.

Do spectrum licences generally specify the permitted use or is permitted use (fully or partly) unrestricted? Is licensed spectrum tradable or assignable?

The Telecoms Law gives the TDRA responsibility for managing and regulating radio spectrum in the UAE. There is no established spectrum trading or leasing practice. The TDRA grants temporary authorisations on an application for up to 90 days and such authorisations are specific to the applicant.

In common with many other jurisdictions, the UAE has its National Frequency Plan. This is issued by the TDRA and provides that certain services can only be provided within certain spectrum bands. In practice, the TDRA is known to have shown some flexibility in certain cases where this would not cause interference. All of the 800, 900 and 1,800 megahertz (MHz) spectrum has been divided between the two mobile operators, which means higher bandwidths can be supported in all frequency bands. Not all of the 2,100MHz band is currently licensed and the 3,500MHz band is licenced for fixed wireless access.

Which communications markets and segments are subject to ex-ante regulation? What remedies may be imposed?

Under the Telecoms Law, the TDRA does have the power to issue ex-ante regulations and decisions concerning practices, as well as to conduct ex-post investigations. Until 2012, it was not uncommon for the TDRA to publish determinations and decisions concerning telecommunications services publicly, including on their website. Since 2012, it appears the regulator has taken the decision not to publish such determinations and decisions publicly but communicate them only to the relevant entities instead.

The TDRA has a short regulatory policy on ex-ante competition safeguards, which details the various factors it may take into account in assessing competition and dominance in the UAE. The policy provides wide discretion to the TDRA on the factors to be considered and the remedies to be imposed depending on the outcome of an assessment of the level of competition in the relevant market.

Is there a legal basis for requiring structural or functional separation between an operator’s network and service activities? Has structural or functional separation been introduced or is it being contemplated?

There is currently no directive that imposes structural or functional separation between an operator’s network and its services in the UAE.

Outline any universal service obligations. How is provision of these services financed?

It is the responsibility of the TDRA to oversee the provision of telecommunications services throughout each emirate of the UAE and ensure that they are sufficient to meet public demand across the UAE; however, this has not taken the form of a hard universal service obligation. The TDRA fulfils this obligation via its relationships with the state-backed public telecoms companies who each have references in their licences to financial obligations around universal service obligations; however, these provisions are typically only references back to the general regulatory framework rather than a specific, hard obligation. Etisalat’s TDRA licence differs from that of du on the issue of universal service and has a harder obligation that extends to certain services such as dial-up internet services.

The two public telecoms operators, du and Etisalat, have a significant government-ownership interest and have invested heavily in infrastructure and broadband. Given the nature of the duopoly, there are no direct government subsidies.

Describe the number allocation scheme and number portability regime in your jurisdiction.

Under the Telecoms Law, the TDRA has the authority to control the allocation of telephone numbers and numbering plans. To this end, the TDRA has released a National Numbering Plan that sets out this approach to number allocation. This includes the numbering regimes used to indicate which emirate the call arose from, as well as reserving certain numbers for the emergency service and premium paid-for calls.

The licensed operators can apply to the TDRA for allocation of a batch of numbers, which is granted based on capacity, future demand, utilisation by the licensee and administrative effort. The TDRA allocates rights to use numbers in continuous blocks of up to 100,000 numbers. The licensed operators are then responsible for allocating the numbers to their subscribers.

At the end of 2013, the UAE implemented a mobile number portability programme. Notwithstanding the mobile virtual network operator or independent branded services, there are only two mobile network operators in the UAE and so the only number portability is between the two. Both networks offer a number porting application form that can be submitted to request a number transfer.

Are customer terms and conditions in the communications sector subject to specific rules?

The TDRA is empowered by the Telecoms Law to represent customer interests in the UAE. This encompasses issuing rules or regulations relating to the terms of supply to the customer and includes consumer protection regulations, such as key terms that must be included in contracts with customers (eg, restrictions on usage and rights to terminate) and detailed information that must be provided to the customer before the purchase of a service. The TDRA has also issued a consumer protection guide that sets out a customer’s rights concerning their service contract, the privacy of information, access to services and several others.

Are there limits on an internet service provider’s freedom to control or prioritise the type or source of data that it delivers? Are there any other specific regulations or guidelines on net neutrality?

No specific regulations require net neutrality in the UAE. Both of the public telecoms operators have offered plans with zero rating on certain social media applications.

Bandwidth throttling by internet service providers is common. Network traffic that relates to Voice over Internet Protocol (VoIP) services is often blocked or has its capacity reduced to give partial effect to the TDRA’s policy on VoIP services, whereby such services (where there is network breakout) are not permitted unless provided by one of either du or Etisalat.

Is there specific legislation or regulation in place, and have there been any enforcement initiatives relating to digital platforms?

There is no specific legislation or regulation concerning digital platforms.

Are there specific regulatory obligations applicable to NGA networks? Is there a government financial scheme to promote basic broadband or NGA broadband penetration?

There are no specific regulations concerning NGA networks. Du and Etisalat are both committed to providing high-speed networks across the UAE, and the UAE has a very high penetration of fibre-to-home connectivity. Given the nature of the public telecommunications duopoly in the UAE, there are no direct government subsidies or financial schemes available.

Is there a specific data protection regime applicable to the communications sector?

The UAE has issued its first federal data protection law in September 2021 (Federal Decree-Law No. 45 of 2021 Regarding the Protection of Data Protection) (the Personal Data Protection Law) that is applicable to all sectors in the UAE, save for free zones like the Dubai International Finance Centre and Abu Dhabi Global Market that have their own data protection regimes. The newly established UAE Data Office will be responsible for regulating the implementation and enforcement of the core data protection concepts such as personal data, controllers, processors, processing, requirements to appoint a data protection officer and subject rights. The new Personal Data Protection Law is conceptually similar to the General Data Protection Regulation (GDPR) and will have extra-territorial effect in that it is applicable to organisations established in and outside of the UAE that process personal data of data subjects within the UAE. Despite its similarities to the GDPR, it is noteworthy that the Personal Data Protection Law does not provide for a ‘legitimate interests’ basis for processing personal data, and so consent will be required unless an exception (eg, public interest, defending a legal claim) applies. Further, there are slightly more onerous obligations to record personal data and the requirement to notify the UAE Data Office of breaches of personal data ‘immediately upon becoming aware of them’ (as opposed to the lower threshold of ‘without undue delay’ under the GDPR).

Although the Personal Data Protection Law came into force on 2 January 2022, it will not be enforced until six months after the publication of relevant implementing regulations. At the time of writing, there has been no indication of when the implementing regulations will be issued.

Is there specific legislation or regulation in place concerning cybersecurity or network security in your jurisdiction?

Key primary legislation relating to cybercrime includes Federal Decree-Law No. 34/2021 Concerning the Fight Against Rumours and Cybercrime (the Cybercrime Law) (effective 2 January 2022) and the Penal Code.

The new Cybercrime Law specifically deals with activities like:

• hacking (this was previously described as unauthorised access);
• identity theft and fraud;
• crimes that involve computers;
• networks and electronic information;
• impersonation;
• electronic robot;
• cryptocurrency; and
• the spreading of false information.

The Penal Code consists of general provisions prohibiting various criminal acts, some of which will apply to cybercrime.

The Cybercrime Law applies across all sectors, with no exceptions. In practice, it will be of particular relevance to the telecommunications and financial services sectors, as these are typically entrusted with critical data and therefore more likely to be targets of cybercrime. Further, there are specific implications to the banking, medical, media or scientific sectors as aggravated penalties will apply if the harm affects the said sectors. The Cybercrime Law also penalises those who spread rumours and fake news as well as those who perpetuate (namely, republish and recirculate) such information that, among others, provokes public opinion and intimidates and harms the public interest.

From a general cybersecurity compliance perspective, many of the licensing instruments published by the TDRA relating to emerging technology such as the internet of things emphasise the importance of cyber controls, particularly as regards the active elements of the related radio frequency dependent infrastructure.

The Signals Intelligence Agency (SIA) is the UAE federal authority responsible for the cybersecurity of the UAE. SIA operates under the direction of the UAE Supreme Council for National Security. Government organisations, semi-government organisations and business organisations that are identified as critical infrastructure in the UAE are required to follow SIA compliance guidelines. The primary standard to follow for SIA compliance is the UAE Information Assurance Regulations.

The TDRA has also established the UAE’s Computer Emergency Response Team, which was established by statute and has published a wide-ranging information security policy.

Is there specific legislation or regulation in place, and have there been any enforcement initiatives in your jurisdiction, addressing the legal challenges raised by big data?

There is no specific federal legislation or regulation in place; however, the emirate of Dubai has introduced the Dubai Law No. 26/2015 (the Dubai Data Law), which provides for local government and private entities to contribute certain non-confidential information relating to the emirate, known as Dubai Data, to a knowledge and database from which such entities can benefit. The intention is to improve integration, harmonisation and efficiency between services and encourage the development of a smart economy through digital transformation.

Are there any laws or regulations that require data to be stored locally in the jurisdiction?

The Personal Data Protection Law will implement restrictions on transfers of personal data whereby it may only be transferred outside the UAE to limited jurisdictions as determined by the UAE Data Office. If the intended jurisdiction is not deemed to have an adequate level of protection, personal data is only allowed to be transferred outside of the UAE if, among others, the transfers are necessary for the performance of a contract with, or in the interest of, the data subject, the transfers are necessary for establishing a legal claim or the express consent of the data subject is obtained and the transfer does not conflict with the security and public interest of the UAE. These concepts are similar to the ones introduced by the GDPR but have additional considerations of national security issues. The implementing regulations are expected to set out the controls and requirements for these exceptions for transferring personal data to jurisdictions that are deemed to not have an adequate level of protection.

Until the Personal Data Protection Law comes into effect, guidance given by regulators on data domiciliation within the UAE in certain key sectors, including telecommunications, will apply (but this does not come in the form of hard law or publicly available guidance). State-owned entities are also expected to abide by certain data domiciliation rules, which are not set out in hard primary legislation. As the Personal Data Protection Law does not apply to certain free zones, entities registered in the Dubai International Financial Centre or Abu Dhabi Global Market have to adhere to their specific regimes around transfers of personal data that impacts those businesses’ freedom to outsource or offshore certain functions.

Summarise the key emerging trends and hot topics in communications regulation in your jurisdiction.

As there is no expectation that the TDRA will permit any additional public telecommunications service providers to enter the UAE market in the near future, key changes in the market dynamics and regulation are likely to result from increased competition between the two operators. The TDRA has stated previously that the intention behind introducing a second licensed operator was that:

Competition is the drive for development, where it leads to higher quality services, lower prices and the adoption of latest technologies. It is a race that pumps innovation and progress into the veins of the sector.

There is an expectation going forwards that the TDRA will be keen to ensure that as much real competition as possible emerges between the operators.

Being considerably newer in its establishment, du has been playing catch-up around the infrastructure and expertise to compete on a truly level playing field with Etisalat. The two providers have often divided regions up geographically rather than compete directly for the same customers, so customers are effectively faced with a service provider with a de facto monopoly. In 2015, the two providers started bitstream access, a method by which the one network could be shared by the two operators, permitting customers more flexibility to choose a provider where the infrastructure previously restricted their choice. Greater ability for customers to switch between the providers has also been encouraged. It is likely that the TDRA will continue to encourage this competition.

The marked perception of increased competition in the mobile market was increased in 2017 when each of du and Etisalat launched mobile services under new brands: du acquired rights to launch a Virgin mobile-branded service and shortly after, Etisalat launched a prepaid service branded SWYP. Neither Virgin Mobile nor SWYP services are regulated independently of their respective MNOs.

Enterprise-focused information and communications technology (ICT) services’ growth through operator divisions or subsidiaries is a key area to watch, particularly as these divisions will compete with a large pool of non-operator affiliated entities. As regards the ICT services’ growth being experienced by the operators, enterprise adoption of emerging technology will continue to require regulatory guidance from the TDRA, as well as other concerned regulatory bodies in the UAE, to ensure the balance between advancement in technology and risk management is addressed.

The TDRA has been active in terms of regulatory and policy output covering a range of communications areas including Earth Station Regulations, Space Service Regulations and a new Information Assurance Regulation. One of the most significant developments in light of the various Smart City ambitions in the UAE is the Internet of Things Regulatory Policy, which remains largely untested and has a seemingly broad ambit covering internet of things’ services.

One of the areas where change is expected is around the move of operations into mobile financial services, fintech verticals focusing on consumer products and services, and the impact of open banking and liberalisation of the financial services sector in the UAE.

The enforcement of the Personal Data Protection Law and its implementing regulations will be a much-anticipated development. Companies will have to be vigilant for the issuance of the implementing regulations by the UAE Data Office as they will then have six months to align and harmonise their internal processes. It will be interesting to see the extent of penalties decided upon via the implementing regulations and their influence on the manner of implementation of the new personal data protection laws of neighbouring Saudi Arabia that are due to come into force in 2023.