Federal position  

The Telecommunications and Digital Government Regulatory Authority (TDRA) has issued several policies, including the Regulations on Unsolicited Electronic Communication (RUEC), which regulates unsolicited electronic communications having a UAE link and covers all electronic communications conveyed by means of a telecommunications network to an electronic address. The Mobile Marketing SMS Regulatory Policy approved by Resolution No.17 of 2022 (the Mobile Spam Policy) applies to spam SMS marketing messages that have a UAE link. Electronic communications or SMS messages with a UAE link encompass SMS messages originating in the UAE, those sent by individuals or companies physically located in the UAE, messages accessed through devices located in the UAE, and messages received by individuals physically present in the UAE.  

Together, these policies serve as the framework for governing the practices of licensed telecommunications network service providers, namely du and Etisalat. Whereas strictly speaking, the RUEC and the Mobile Spam Policy only directly apply to Etisalat and du, they apply indirectly to anyone using the Etisalat or du networks to send marketing communications. This is because du and Etisalat, as the main licensed telecommunications providers in the country, are under an obligation to implement all practical measures to minimize the transmission of spam over their telecommunications network.  

Whereas the Mobile Spam Policy only captures SMS messages with a UAE link, the wording of the RUEC is broad enough to encompass all direct electronic communications and spam messages with a UAE link to the extent that such messages are intended to supply the recipient with goods, a service, or a business opportunity. Marketing electronic communications are defined broadly under the RUEC to include any form of electronic communications, sent either with the purpose of 'offering,' 'advertising, or promoting,' 'goods, services, or business opportunities.' Therefore, any service or product-related messages sent directly to consumers using the UAE's public telecommunications network fall within the RUEC, whether such messages are sent through SMS, email, or an app.  

Both the RUEC and the Mobile Spam Policy require that consent gained for marketing messages be obtained through an opt-in process, whereby customers explicitly grant permission in a clear and transparent manner. All brands that are sending marketing SMS messages in the UAE are required to register their sender names and upload a consent database on the Consent Management Service (CMS) platform for approval from the operator and to prevent their SMS messages from being blocked. A valid UAE trade license is required to register a Sender ID. The steps to perform this process are detailed in Etisalat's CMS guidelines.  

Breaching the RUEC directly is a breach of the Federal Law by Decree No. 3 of 2003 Regarding the Organisation of the Telecommunication Sector (the Telecommunications Law), and may subject offenders to a fine of not less than AED 5,000 (approx. $1,360) and not more than AED 200,000 (approx. $54,450). Where the application of the RUEC is indirect (compliance is required as an obligation under the licensed service provider's terms and conditions), then non-compliance would be a breach of contract. However, the real enforcement mechanism is blocking the messaging. 

There are other federal laws that restrict direct marketing. For example, there is a general requirement under the Federal Law No. 15 of 2020 on Consumer Protection that grants consumers the right not to have their information used for marketing purposes. However, explicit consent from the consumer may act as an exception to this restriction. Moreover, the new Federal Decree-Law No.14 of 2023 on Consumer Protection grants consumers the option to receive or refuse to receive promotional or marketing campaigns, whether through communications, emails, or social media platforms. 

Under Federal Decree-Law No. 45 of 2021 on Protection of Personal Data (PDPL), personal data, which is any data or information relating to identified or identifiable individuals, can only be processed with the consent of the data subjects, except in very limited circumstances, none of which apply to the processing of such personal data for the purposes of sending marketing communications. Where consent is the basis for processing personal data, Article 6 of the PDPL outlines certain specific requirements for how such consent must be obtained, including that the consent be 'explicit' and provided through a clear affirmative action. Moreover, the PDPL specifies that the consent should include the data subject's right to easily withdraw such consent.  

Although the PDPL came into force in January 2022, it has not yet become fully effective in light of the Executive Regulations to the PDPL (which were expected to have been published in March 2022) not yet being published. The PDPL grants controllers and processors a grace period of six months from the date of publication of the Executive Regulations to the PDPL to regularize compliance with the PDPL and its Executive Regulations, and so non-compliance will likely not attract any penalties at present.  

Financial free zones (DIFC and ADGM)  

Financial free zones in the UAE, namely the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC), have their own specific data protection laws, such as the DIFC Data Protection Law No. 5 of 2020 (the Law) and the ADGM Data Protection Regulations 2021 (the 2021 Regulations) which generally only apply to companies incorporated in those free zones. Therefore, the PDPL does not apply in the DIFC and the ADGM. Nonetheless, the RUEC and the Mobile Spam Policy apply in the DIFC, ADGM, and other free zones as there is a legislative gap.  

Any processing of personal data for the purpose of direct marketing activities by companies incorporated in the DIFC falls within the scope of the Law. Likewise, in the ADGM, the 2021 Regulations govern the collection, processing, or storage of any personal data for direct marketing activities by companies incorporated in the ADGM. Both the ADGM's 2021 Regulations and the DIFC's Law require controls to inform data subjects about whether their personal data will be processed for direct marketing and require that data subjects have the right to object to direct marketing.  

Further, to the extent that data subjects have consented to direct marketing, such consent should be easily and freely withdrawable as controllers are required to provide simple and effective means of withdrawing consent.  

Conclusion 

In summary, the UAE's regulatory framework for direct marketing is multifaceted, encompassing federal, DIFC, and ADGM jurisdictions. The TDRA's RUEC and Mobile Spam Policy set stringent guidelines at the federal level, emphasizing consent, recordkeeping, and potential penalties. Further, applicable data protection laws impose rigorous controls where personal data is processed for the purposes of direct marketing and require companies to inform data subjects where their personal data is going to be processed for direct marketing purposes.  

Nick O'Connell Partner 
[email protected]
Andrew Fawcett Partner 
[email protected]  
Darya Ghasemzadeh Associate 
[email protected] 
Al Tamimi & Company, Riyadh