Enhanced UAE Consumer Protection in a Time of Accelerated Digital Transformation

Expanded scope of protection for consumers – welcomed changes to the United Arab Emirate’s consumer protection regime

The United Arab Emirates (“UAE”) Cabinet issued Federal Law No. 15 of 2020 on Consumer Protection (the “Law”) on, or about 15 November 2020, which repealed Federal Law No. 14 of 2006 (the “Old Law”). The Law is set to govern the sale of all goods and services within the UAE (onshore and in free zones) and additionally, governs any incidental operations to consumer selling as carried out by suppliers, advertisers, or trade agents. The year 2020 reflected a distinctive shift from conventional brick and mortar retail, towards accelerated digital transformation among businesses within the GCC. As the e-commerce sector rose from $5 billion in 2015 to approximately $24 billion today, the UAE took stock of the changing economy (the pandemic, being a catalyst) and has now introduced within the Law, provisions governing e-commerce transactions.

Interface with the Old Law

The Law emphasizes existing provisions of the Old Law, but also introduces new provisions and has expanded the scope of consumer protection to cover developing sectors such as that of the e-commerce sector. Below, we outline some of the salient features of the Law.

Main Provisions

Expansion of scope: in comparison with the Old Law, the Law broadened the meaning of a ‘provider’, the definition of which now extends to any person who “plays a part in producing, trading, or storing a commodity”. This consolidating language applies to most, if not all businesses within a given supply chain, creating a chain of accountability under the ambit of the Law.

Data protection: while the UAE at large does not have a comprehensive data protection regime, the Law attempts to provide for the protection of consumer data. We draw attention to Article 4(5) of the Law, which addresses data security and the unauthorized use of consumers’ data.

Consumer supplying businesses now have a statutory obligation to protect consumer data and avoid using such data for marketing purposes. Interestingly, the Law introduces ‘connective-tissue’ language with the UAE Constitution and UAE Penal Code where consumers' religious values, customs and traditions must be protected when providing a commodity or service.

E-commerce: Article 25 of the Law triggers a provider notification obligation where e-commerce providers registered in the UAE must be required to provide its consumers and relevant authorities in the UAE their names, legal status’, addresses, relevant licensing authority, and sufficient information (in Arabic) on the services that they provide. We anticipate further obligations of e-commerce providers will be prescribed in the Law’s accompanying Executive Regulations, which are expected in the coming months.

The obligations applicable to e-commerce providers are particularly relevant in cases of e-commerce platforms that are online ‘marketplaces’ acting as agents. The objectives of marketplaces are to connect consumers with product/service providers in exchange for some combination of a fee or commission. With the new definition of ‘provider’, it is clear that an online marketplace, in addition to its suppliers on the platform will be accountable to the provisions set out under the Law, thereby providing recourse for consumers that may have acquired goods or services via that platform.

Defects and Flaws in the good(s) or service(s) provided: the Law imposes on providers an obligation to replace, repair, or reimburse the consumer for any flaws in the goods or services that recur at least three times during the first year of the consumer receiving it.

Penalties: those providers and advertisers (also implying online marketplaces) that violate provisions of the Law relating to false advertisement and/or failing to remedy or replace defective goods or services may face up to two years’ imprisonment and additionally fines up to AED 2 million. This is obviously intended to ensure compliance with the Law thereby enhancing consumer protection.

Takeaways

The Law came into effect on 16 November 2020, and its accompanying Executive Regulations are expected to come into force by May 2021.

With digital transformation accelerating within the UAE as a reaction to the pandemic, and with restrictions on mobility for consumers to physically visit shop vendors and service providers, the gap between trade and consumer recourse appears to have narrowed with the introduction of the Law. We expect this gap to recede further with the introduction of further Executive Regulations and further adaptation by the regulators to evolving business practices. As is the case with most transformative sectors on a global level, regulations tend to follow innovation; the UAE is no exception. The new Law is an example of such adaptation by regulators as business evolves.

E-commerce businesses now have mandatory obligations to declare who they are, where they are located and the types of activities they are permitted to carry out. They are also under notable scrutiny when handling consumer data and by extension, are expected to have in place, appropriate cyber and information security policies and procedures to prevent and react to data breaches or loss. E-commerce businesses should take note of their obligations which may be enforced by penalty regimes of the Law along with other cybersecurity and electronic crime laws in the UAE.

Businesses should bear in mind three key takeaways from the Law and its supporting regulations: (C)ompliance, (A)ccountability and (T)ransparency.

We at Norton Rose Fulbright in the Middle East and around the world welcome these progressive changes to consumer protection in the UAE. Should you have any questions, please reach out to the contacts below.