Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Digital Transformation volume discussing various topics, including a look at the main laws and regulations, the impact of cybersecurity legislation, cloud contract considerations, the impact of data protection laws and more, within key jurisdictions worldwide.
1 What are the key features of the main laws and regulations governing digital transformation in your jurisdiction?
The UAE has a complex patchwork of laws that impact the development of digital transformation. These cover legacy civil and criminal laws and more modern, European-style, data protection laws. There are industry-specific laws in addition to laws covering specific technologies (such as the internet of things (IoT)). There are relevant telecommunications laws and regulations. Further laws are expected in both the data protection and the e-commerce spaces. In addition to this are cybersecurity and IT security regulations and guidelines that govern both the UAE public and private sectors.
2 What are the most noteworthy recent developments affecting organisations’ digital transformation plans and projects in your jurisdiction, including any government policy or regulatory initiatives?
The UAE government leads in digital transformation developments. At the heart are the UAE government’s ICT Strategy 2021 and National Innovation Strategy, which focus on the UAE’s development into a fully digitally enabled nation. As a result of the UAE government’s focus on digital transformation, the UAE was ranked sixth globally in the online services index and 17th globally in the E-Participation index according to the UN’s E-Government Development Index 2018 covering 193 countries. The IMD World Digital Competitiveness Ranking 2019 ranked the UAE as first in the Arab region and 12th globally among highly competitive countries.
In parallel with the National Innovation Strategy is the UAE Vision 2021. A key part of UAE Vision 2021 is the adoption of cloud computing to accelerate positive change. We are already seeing initiatives in the UAE, at both a federal and an Emirate level, to drive cloud computing adoption within government. We are also seeing a focus on smart government services.
Emirate level plans align with the federal vision and aim to usher in a new era in digital sustainability by streamlining data-driven systems and processes throughout government.
The UAE Telecommunications Regulatory Authority (TRA) has released its ‘TRA Vision’ that focuses on establishing and maintaining the UAE as a leading global digital economy. Central to that is the positioning of the UAE as a regional data and cloud hub.
In addition to the policy initiatives above, we have seen a substantial amount of regulatory activity both in, and affecting, the digital transformation space. We have seen the issuance of new data protection laws. We are also seeing relevant industry sector specific legislation rolling out from insurance to healthcare. We are expecting more legislative activity with a federal UAE data protection law widely anticipated. We also expect to see updates to existing laws in relation to electronic transactions and digital signatures.
We expect to see more regulatory activity in the financial services space as regional financial services organisations accelerate their digital transformation projects, both as a longer-term strategy and also as a short term reaction to the coronavirus pandemic. New ‘fintech’ market entrants are introducing innovative and disruptive new products and services into the UAE market, benefiting, in particular, from the creation of regulatory sandboxes. We expect to see similar activity in the e-commerce space and expect new consumer protection regulations covering B2C e-commerce shortly.
3 What are the key legal and practical factors that organisations should consider for a successful Cloud and data centre strategy?
International cloud service providers have long been focused on the UAE as a key regional market and we are now seeing these service providers building out their cloud footprints in UAE data centres. Close behind them are international technology vendors with products and services that fit within these cloud stacks.
The UAE’s legal landscape is fragmented, making it challenging for the cloud and data centre players to identify and effectively manage risk. With multiple data security and data privacy laws, some industry specific (such as the Health Data Law (detailed below)) and some (such as the UAE TRA’s IoT Regulatory Policy (also detailed below)) technology specific, it is a challenge to navigate, particularly for new UAE market entrants. This leaves both customers and suppliers with challenging decisions.
4 What contracting points, techniques and best practices should organisations be aware of when procuring digital transformation services at each level of the Cloud ‘stack’? How have these evolved over the past five years and what is the direction of travel?
For clients procuring digital transformation services in the UAE, the key is understanding what their options are based on the services being procured and the data relating to those services. Local customers may demand locally hosted solutions, regardless of whether there is a legal or regulatory requirement for such services.
UAE government customers need to be particularly careful in relation to the digital transformation services they procure based on the legal and regulatory framework currently being focused on government customers (in addition to critical national infrastructure).
Cloud service providers can assist in simplifying and explaining the UAE’s legal and regulatory landscape allowing customers to more effectively navigate it, building contractual terms and conditions that meet the local legal and regulatory requirements and also offering the flexibility to react effectively to a changing legal landscape, sharing and mitigating the risk of regulatory change. In particular, the legal and regulatory landscape needs to be able to effectively support regional cloud businesses. We have seen recent regional innovations to manage this issue through ‘data embassy’ laws in the cloud space which blur the legal lines of national borders and sovereignty, allowing cloud customers to store data under the domestic data protection law of their country of residence, rather than where the cloud is physically located. Notwithstanding these legal ‘innovations’, laws largely remain national, rather than regional, in nature and, with some limited exceptions, restrict the ability to provide regional digital transformation services and support regional digital transformation roll-outs.
We have seen, through a number of recent UAE legal developments, how new laws have fundamentally changed what can be offered from a cloud services perspective. Without continuity, clients will often revert to a safer, more conservative option, which may not be the most cost effective or, alternatively, make different investment decisions until they have greater clarity on the direction of travel for UAE laws and regulations.
5 In your experience, what are the typical points of contention in contract discussions and how are they best resolved?
Understanding and managing contract risk remains the key challenge. Mandatory local law requirements are often raised and, often on analysis, found to be manageable contractually. Governing law and jurisdiction are key points of contention. The UAE is fortunate to have access to various dispute resolution mechanisms, ranging from the UAE civil law courts to common law courts in the financial free zones and to arbitration and other ADR forums. As a result, contracting parties can identify a dispute resolution mechanism to which they are comfortable agreeing. Contract liability also remains challenging under UAE law with the UAE courts able to deviate, within certain limits, from the agreed contractual positions based on their assessment of a contracting party’s loss. The same is true for contract warranties and indemnities. International suppliers used to common law legal systems can find the UAE’s civil law system challenging. An understanding of how the law is interpreted and administered, in practice, allows contracting parties to properly assess the contract risk this carries and build that contract risk into their commercial and operational models.
6 How do your jurisdiction’s cybersecurity laws affect organisations on their digital transformation journey?
The key cybersecurity laws and regulations in the UAE are focused on government sector entities, and those involved in critical national infrastructure. These laws are to be found at both a federal and an Emirate level. They focus on raising cybersecurity awareness and levels of protection. This, though, can slow the pace of digital transformation as organisations seek to understand and then accommodate these requirements.
The National Cybersecurity Strategy 2019 (Cybersecurity Strategy) was launched by the TRA and aims to ‘create a safe and strong cyber infrastructure in the UAE that enables citizens to fulfil their aspirations and empower businesses to thrive.’ The Cybersecurity Strategy aims to mobilise the whole cybersecurity ecosystem in the UAE. Its focus is to implement a comprehensive legal and regulatory framework that will cover all types of cybercrime, secure existing and emerging technologies and protect small and medium-sized enterprises against the most common cyberthreats. The legal framework aims to cover data privacy and protection, artificial intelligence, blockchain, cloud services, IoT, and digital signatures.
At a UAE federal level, the UAE Information Assurance Standards (IAS) include security controls for cloud computing. All UAE government entities and other entities identified as critical are obligated to implement the IAS. The IAS recommend that all entities in the UAE (including non-government entities) should adopt the IAS on a voluntary basis. The IAS include security controls for cloud computing, and require government entities to define information security requirements covering the retention, processing and storage of data in cloud environments, including compliance with requirements potentially limiting the processing and storage of information in external entities (including overseas). Furthermore, the UAE Cabinet has issued a decision which sets out strict requirements for federal government entities saving information on external storage devices and restrictions on the type of information which can be saved.
At an Emirate level, the Dubai Electronic Security Centre’s (DESC) Dubai Cyber Security Strategy focuses on a number of core cybersecurity domains: achieving awareness, skills, and capabilities to manage cybersecurity risks in the public and private sector; putting controls in place to protect data confidentiality, integrity, and availability; ensuring data privacy for the public and private sectors and individuals; promoting research and development in cybersecurity; ensuring the continuity and availability of IT systems; and establishing national and international collaboration to manage cyber risks. DESC’s Dubai Government Information Security Regulation (ISR) presents minimum requirements for information security controls in Dubai government entities. The ISR includes a specific control on cloud security which prevents cloud service providers from handling and storing ‘classified data’ (as defined under the ISR) of Dubai government entities outside the UAE. ‘Classified data’ under the ISR is loosely defined as ‘information assets, material or data that an entity claims as sensitive, secret or confidential’, giving Dubai government entities the ability to decide what they consider as ‘classified’ data and what less sensitive workloads can be securely stored in the cloud.
In Abu Dhabi, the Abu Dhabi Digital Authority’s (ADDA) Information Security Standard mandates that Abu Dhabi government entities classify and process data based on sensitivity. The standard currently does not contain provisions that explicitly restrict cloud processing. However, if strictly interpreted, there is a requirement for Abu Dhabi Government entities to store ‘restricted data’ (undefined) in Abu Dhabi government infrastructure and to present ADDA with a business case if an entity seeks to use a public cloud to store its data. ADDA is currently reviewing its standard regarding cloud security.
While there are no applicable critical national infrastructure laws at a federal level, the government of Abu Dhabi has created a Critical Infrastructure and Coastal Protection Authority (CICPA) to ensure the safety and security of all critical infrastructure and establishments across the Emirate of Abu Dhabi. CICPA may issue regulations from time to time which may impact the public sector. As noted above, the IAS applies to government entities and other entities identified as critical by the Signals Intelligence Authority (SIA) (formerly known as the National Electronic Security Authority (NESA)).
Moving away from policy, at a legal and regulatory level, the key cybersecurity law is the Federal Law on Combating Cybercrimes of 2012 (Federal Law No. 5 of 2012) (the Cybercrime Law). The Cybercrime Law forms the backbone of the regulatory framework for tackling cybercriminal conduct in the UAE. The Cybercrime Law regulates the abuse and misuse of electronic information through activities such as hacking, identity theft, and fraud. We expect updates to this law shortly and for its extension to new and emerging technologies such as AI, blockchain and cloud.
In the telecommunications space, Federal Decree-Law Regarding the Organisation of the Telecommunications Sector of 2003 (Federal Decree-Law No. 3 of 2003) (Telecommunications Law) provides statutory protection for all information, including personal data, obtained through any means of telecommunication, including through telecommunications service providers (TSPs). The TRA set up the Computer Emergency Response Team to improve the standards of information security and the protection of IT infrastructure. The Telecommunications Law provides strict penalties for cyber-related offences.
In 2017, the TRA passed the Consumer Protection Regulations which contain provisions dealing with the requirement for TSPs when outsourcing to engage only vendors that adopt reasonable and appropriate cyber, technical, and organisational measures to protect the confidentiality and security of ‘subscriber information’.
Finally, the Federal Law on Electronic Commerce and Transactions of 2006 (Federal Law No. 1 of 2006) (the e-Commerce Law) is concerned with the security of electronic transactions and ensuring that electronic data is authentic and reliable. The e-Commerce Law seeks to protect the rights of people, which may include their data protection rights and doing business electronically. It also seeks to minimise the forgery and alteration of electronic communications, and the commission of fraud, by way of theft or misuse of personal data, in electronic commerce and other electronic transactions. In the realm of cybersecurity, anyone who accesses and discloses information in electronic records, documents, or communications without authorisation shall be subject to imprisonment or substantial fines, or both.
In the financial services space, the Federal Regulatory Framework for Stored Values and Electronic Payment Systems of 2017 (Federal Regulations of 2017) (the Framework), issued by the Central Bank of the UAE, regulates how digital payment service providers store and process their users’ information, including personal data. The provisions include the requirement to store all user identification data and transaction records within the UAE and restrictions on when and with whom that data can be shared. Digital payment service providers are also required to ensure the confidentiality of user and transaction data, which may include cyber, technical, operational, and organisational methods. The UAE Central Bank also has regulations controlling the outsourcing of ‘confidential data’ outside of the UAE. The Dubai Financial Services Authority (DFSA) is also highly visible on raising awareness on cybersecurity issues.
In the healthcare space, the Federal Law on Information and Communication Technology in the Health Field of 2019 (Federal Law No. 2 of 2019) (the Health Data Law) regulates the processing of electronic health data originating in the UAE, including patient names, consultation, diagnosis, and treatment data, alphanumerical patient identifiers, common procedural technology codes, medical scan images, and lab results. The Health Data Law applies to all entities operating in the UAE and the free zones that provide healthcare, health insurance, healthcare IT, and other directly or indirectly related services. In terms of security, the Health Data Law requires that the ‘validity and credibility’ of health personal data be ensured by keeping it safe from ‘non-authorised damage, amendment, alteration, deletion or addition’. In keeping with international data protection standards and best practices, the Health Data Law requires entities to introduce cyber, technical, operational and organisational procedures to ensure the integrity and security of personal health data. The Health Data Law contains a regime of sanctions for non-compliance including disciplinary actions and monetary fines. These sanctions may be imposed, for example, for failing to implement cybersecurity measures to ensure that information is kept safe from non-authorised damage, amendment, alteration, deletion, or addition.
The 2018 internet of things (IoT) Regulatory Policy issued by the TRA (IoT Policy) regulates the provision of IoT services. Under the IoT Policy, providers of IoT services, including network provider platforms and machine-to-machine connectivity providers, are required to use cyber measures including prescribed encryption standards.
7 How do your jurisdiction’s data protection laws affect organisations as they undergo digital transformation?
The UAE has a number of dedicated data protection laws and regulations in addition to a patchwork of other laws which contain privacy-related provisions. This creates a challenging landscape to navigate. The dedicated data protection laws are currently located in the UAE financial free zones: Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM). Dubai Healthcare City (a health-focused free zone) also has its own data protection regulations. These provide European style data protection laws that international cloud service providers and technology vendors will recognise and be comfortable managing, with their products and services likely to be structured to be compatible with the principles set out in these laws. A new data protection law, closely aligned to the EU’s GDPR, was recently issued by the DIFC and a similar updated data protection law is expected shortly in ADGM.
Outside of these free zones, there are a number of other laws that need to be considered. These include the UAE constitution and criminal laws such as the UAE Penal Code and the Cybercrimes Law (as noted above). These include provisions relating to protecting confidentiality and the unauthorised disclosure of data. They do not resemble the approaches taken by dedicated European-style data protection laws and, as a result, can provide some challenges for clients to understand their risks under the laws and how their products and services work in relation to these laws. We would note the potential for new data protection laws in the UAE in the near future. A key challenge will be how these new laws integrate with, or overlay, the existing legal landscape.
In relation to industry-specific laws with key data protection elements, we would highlight the following laws.
The Health Data Law regulates the processing of electronic health data originating in the UAE. In terms of data protection, the Health Data Law mandates that all health service providers that use ICT on personal health data ensure that such information will be kept confidential and will not be shared without authorisation. The law also introduces data privacy and protection concepts which include: purpose limitation; consent to disclosure; and accuracy. The Health Data Law states that Health Data cannot be stored, processed, generated, or transferred outside of the UAE, unless the activity has been approved by a resolution from the relevant government authority. To comply with the Health Data Law, it will be necessary to host data on local servers and to control access and processing activity in accordance with the law.
Staying in the healthcare space, we are seeing a lot of regulatory activity relating to data and IT security. For example, the Abu Dhabi DOH Healthcare Information and Cyber Security Standard (which was issued prior to the Health Data Law) states: ‘The healthcare entity shall not use cloud services or infrastructure to store, process or share information that contains health information. The healthcare entity shall ensure that healthcare information is not transmitted outside the UAE; identify and disconnect integration of systems that process; store or utilise health information with any of the entity’s systems that connect or utilise cloud services; and not share identified or de-identified health information with third parties, inclusive of counterparts and partners, unless authorised by the health sector regulator of Abu Dhabi.’
From a data protection standpoint, under the IoT Policy, IoT Service Providers have to follow specific principles of data storage including purpose limitation and data minimisation. Data is classified into four categories based on the potential adverse impact caused by a breach of confidentiality or unauthorised disclosure of the data. There are data localisation requirements which state that certain categories of data (including personal data) must be stored primarily in the UAE. However, such data may be stored outside of the UAE if the destination country has data security and user protection policies that are commensurate with those followed in the UAE. Certain categories of UAE government data must remain in the UAE under all circumstances.
With regards to government data transfers, Dubai has enacted the Dubai Data Law to facilitate Dubai’s vision for the sharing of data between Dubai government entities and the wider dissemination of information that is considered ‘open data’. Pursuant to the Dubai Data Law, certain policies have been approved with primary application to governmental entities, including rules and procedures regulating data classification, dissemination, exchange and protection (the Dubai Data Policies). All Dubai government entities (including free zone entities) must furthermore comply with the rules prescribed by the Dubai Data Policies when disseminating data in accordance with the Dubai Data Law. This policy works in combination with the Dubai government’s focus on big data. In Abu Dhabi, there are data transfer restrictions on Abu Dhabi government information classified as ‘restricted’, and a need to consult with ADDA prior to placing Abu Dhabi Government data on a public cloud.
8 What do organisations in your jurisdiction need to do from a legal standpoint to move software development from (traditional) Waterfall through Agile (continuous improvement) to DevOps (continuous delivery)?
The adoption of DevOps software development lifecycle practices in the UAE is emerging but still in a very early phase. The market remains very much focused on traditional software development activities, often with limited customisation and configuration. It remains an ‘off the shelf’ software market with time-consuming release roll-outs characterised by delay, misaligned expectations and often conflict. As requirements in the digital transformation space introduce the need for more agile and accelerated software development, we would expect to see more DevOps style projects emerging. Whether this will be for business critical software roll-outs (with UAE customer IT departments ready to embrace DevOps ways of working) or remain in a proof-of-concept space will need to be seen. As the move continues from hardware driven technology solutions to software driven technology solutions (software defined networking being a good example of this in the telecommunications space), we would expect a natural move to DevOps environments. From a legal standpoint, contracts will need to properly scope the DevOps requirements and deliverables to manage customer expectations with delivery realities and reflect the shared risk and responsibility, and collaboration, central to successful DevOps environments.
9 What constitutes effective governance and best practice for digital transformation in your jurisdiction?
Digital transformation projects often fail in the UAE through a lack of effective customer understanding of what they will deliver. Customer expectations need to be effectively managed from project kick-off once the sales teams leave and the operational teams engage. Effective governance can mitigate this risk and the contract needs to set out the governance framework that needs to be followed, drawing on best practice and involving governance professionals with an understanding of how to operationalise such governance programs.
The Inside Track
What aspects of and trends in digital transformation do you find most interesting and why?
After 10 years in the UAE, the digitalisation of the UAE government, at all levels, has been fascinating to watch. As a consumer of these e-government services, in addition to having worked on a number of these digital transformation projects, the impact they have had on how UAE government and society operate, and the efficiencies they have achieved, demonstrate the results these types of projects can produce if they can be effectively implemented.
What challenges have you faced as a practitioner in this area and how have you navigated them?
As with all digital transformation projects, the key challenge is converting the vision into reality and meeting (and managing) the expectation of the customer. I have seen this first hand working for technology service providers delivering these projects and, in private practice, for the customer. The more aligned the parties are at the start of the project the greater likelihood for success. Effective governance needs to keep the parties closely aligned for the duration of the project.
What do you see as the essential qualities and skill sets of an adviser in this area?
Our technology lawyers bring deep industry expertise to their work. They have worked for both service providers and technology vendors in the digital transformation space. Added to this is wide international experience, working for, and with, global technology clients. Finally, our lawyers have worked extensively for regional customers (and particularly government entities) procuring digital transformation services. As a result, we bring valuable perspective and knowledge, which when added to our local law and practice knowledge, helps clients, whether supplier or customer, effectively navigate the UAE legal and regulatory landscape.