UAE: new consumer and data security law moves closer

Out-Law News | 01 Jul 2020 | 9:14 am | 1 min. read

A new federal law on consumer protection, with provisions on data security included, has moved closer to being finalised after it was approved by the United Arab Emirates’ (UAE) parliament. The law has still to be signed by the UAE president and then published.

The new legislation will apply to the whole of the UAE, including free trade zones.

According to press reports, it will also apply to related operations carried out by advertisers, suppliers or agents, including e-commerce transactions if the supplier is a UAE-registered company.

It will impose restrictions on using personal data for promotion and marketing and seek to protect an individual's privacy. Firms will be required to respect religious values, customs and traditions when providing customers with a service or commodity.

The law will enable the fair and prompt settlement of disputes, and help consumers obtain fair compensation. It will also regulate price increases, consumer standards and labelling.

Under the draft law, consumer-related advertisements and contracts will have to be in Arabic – although other languages can also be used. Penalties for breaching the law include a jail term of up to two years and a maximum fine of 2 million AED $540,000).

"In December 2019, the UAE Cabinet confirmed that it was planning to take steps to strengthen consumer protections across the UAE, particularly with respect to e-commerce transactions", said Marie Chowdhry, an expert at Pinsent Masons, the law firm behind Out-Law. "We understand that once the new draft is signed into a law, the consumer protection law will regulate the work of suppliers, advertisers and trade agents, control price increases and ensure customers have guarantees over the quality of goods and services. In addition, the draft law has been reported to be in line with the GCC's unified law on consumer protection."

Inclusion of provisions relating to the protection of personal data follow an announcement by the Telecommunications Regulatory Authority last year relating to the introduction of a new federal data protection law, which is part of its wider cybersecurity strategy. The DIFC has also recently overhauled its data protection regime.