x Abu Dhabi, UAE Thursday 20 July 2017

Call for stronger data protection laws

Legal experts in the UAE call for federal privacy law to help fight the rising tide of spam emails.

The Telecommunications Regulatory Authority has a set of guidelines in place to protect personal data.
The Telecommunications Regulatory Authority has a set of guidelines in place to protect personal data.

Legal experts in the UAE want wider data protection laws to shield consumers against a rising tide of spam email.

Personal information is protected across the Emirates by a patchwork of confidentiality policies at different companies, overlapping laws, as well as legislation affecting individual business districts.

But experts say the UAE should take a leaf out of Qatar's book and consider a federal law governing the processing of personal information.

"In the greater UAE there is not one single data protection law," said David Yates, the head of commercial intellectual property and technology at Al Tamimi & Company. "What one would like to see is a federal legislation that protects the personal data of residents both online and more generally."

Qatar has drafted what is believed to be the first comprehensive privacy laws in the Gulf region.

In the UAE, the Telecommunications Regulatory Authority (TRA) does have a set of guidelines in place to protect personal data. Additionally, free zones such as the Dubai International Financial Centre and Dubai Healthcare City have privacy laws that meet with international standards, under individual charters developed by each centre.

But there is no coherent federal law protecting consumers against email spam and wider breaches of privacy.

Qatar is considering a draft set of laws to ban unauthorised disclosure or processing of personal information as a criminal offence.

Under the proposed legislation, any companies or individuals caught short will face up to two years' imprisonment and a fine of up to 300,000 Qatari rials (Dh302,620). That could be a major deterrent for any companies using unscrupulous methods to market or email consumers.

With the rise of daily deals websites in the UAE, consumers have complained about the excessive number of emails they receive, having never signed up for them. Culprits use methods to collate lists of thousands of email addresses such as buying personal information or collecting it on the internet.

YallaBanana.com, a new daily deals startup in Dubai, has a list of 300,000 email addresses it obtained from its parent company, Turret Media, which collected the data before the website even existed.

One of its competitors, JOYoffer, ran a competition where customers won prizes if they signed up their friends' email addresses. Many people just trawled the internet and signed up as many email addresses as possible.

Under the new rules being considered by Qatar, JOYoffers' methods would be subject to scrutiny.

"It would not be acceptable for companies to be buying a list or trawling through websites to get email addresses," said Dino Wilkinson, a media and communications lawyer at Norton Rose. "That is what the laws are brought in to protect."

Mr Wilkinson said breaches of privacy could have a big impact in the UAE. "I do not think there's a major black market of data in the UAE," he said.

"But it only takes one or two slips and there's a big loss of data that could affect confidence quite badly."

Dan Stuart, the co-founder of the daily deals website GoNabit, said a first step in reducing email spam would be to build awareness of existing guidelines.

"People who are not compliant need the information to become compliant," he said.

He added the UAE's existing privacy guidelines had rarely been enforced. "I've never heard of it ever having been … put to the test. It's a very different message when something is enforced."

The TRA did not comment.

In much of Europe and the US, there are restrictions on disclosing personal information and data collectors have to provide details to individuals about how their information is to be used.

Due to the large expatriate populations in the Middle East, legal experts say people come to the region expecting their personal data to be protected in the same manner as their home country.

"Consumers in major developing economies are becoming increasingly aware of their rights and have an expectation that their data will be handled fairly," said Mr Wilkinson.

India introduced strict laws this year to entice more international companies to use the country as a base for outsourcing and IT operations.

"I do believe consumers, especially in e-commerce, will increasingly consider a country's reputation for protecting personal data when deciding where to do business," said Mr Wilkinson.

Many businesses in the UAE, such as banks, financial institutions and medical establishments, already have strict internal privacy policy laws in place to protect their customers.

Despite this, implementing a federal privacy law or ensuring the current policies in place abide by the letter of the law could prove costly for companies.

"If you just bring in a new piece of legislation tomorrow it would cause a lot of disturbance and costs in compliance," said Mr Yates.

He said a staged approach to an introduction of a federal privacy law in the UAE, where companies signed up to a voluntary code and publicised that to distinguish their businesses commercially, would be preferable.

Enforcement of any new privacy law would also be crucial to its success.

"There will need to be investment by the UAE in a new authority or existing authority to take on the role of regulator for information and data protection," said Mr Wilkinson.

"That's the important part in how effective the laws are. If you have a regulator that does not have much power or teeth to what it can do, the law is going to be less effective."

rjones@thenational.ae

bflanagan@thenational.ae