Sign of the Times: The UAE’s new Federal Electronic Transactions Law and Trust Services

Introduction

On the 20^th of September 2021, the UAE published  a new electronic transactions law, Federal Decree by Law No. 46 of 2021 on Electronic Transactions and Trust Services (“ETTSL”), which repealed the Federal Law No.1 of 2006 (the “Old Law”) as of 2 January 2022.

However, there is a 12 month grace period which allows those subject to the law to ensure that they are compliant.  Further Executive Regulations still need to be issued to implement much of the new law and make it fully effective.

The ETTSL  reflects the  UAE’s commitment to its digital transformation strategy, as it provides the means to  enhance confidence in electronic transactions through the use of so called “Trust Services”. Trust Services are electronic services which aim to improve the confidence of citizens and businesses in the security and certainty of electronic transactions. By way of example, using “Trust Services” can confirm that an electronic document is in fact authentic, untampered with and sent from a trusted source

The ETTSL is timely as COVID 19 circumstances have heightened the need to ensure effective verification methods are in place in light of the increasing prevalence of electronic transactions that are conducted by parties at remote distances. Importantly, the ETTSL brings the UAE’s electronic transactions regulatory landscape in line with international best standards, as it introduces legal concepts into UAE law that are similar to the European EIDAS Regulation in order to promote seamless electronic interactions.

What is familiar?

Chapter 2 (Electronic Transactions) of the ETTSL still adopts the approach many of the provisions found in the Old Law, which was itself based on United Nations Commission on International Trade Law model laws that have been the foundation of electronic transaction and electronic signature laws worldwide.

As such, the ETTSL regulates the validity of electronic documents consistent with the Old Law, and maintains that an electronic document should not lose its legal validity as evidence or enforceability even if it is in electronic form. The ETTSL also sets out additional requirements for how an electronic document shall be stored to remain valid, and when an electronic document is deemed to have been sent/issued by the originator and received by a recipient. The ETTSL also sets out the conditions that must be met for the recognition of receipt. Such provisions are maintained within the new law as they are crucial as they help reduce the ambiguity faced by applying original contract law principles (i.e. offer and acceptance) to modern electronic transactions in today’s digitalized economy.

What has changed since the last electronic transactions law?

No Exclusions.  In contrast to the Old Law which excluded specific kinds of transactions (e.g .property transactions, or negotiable instruments), the Law has no such exclusions and expressly provides that a person may use any form of electronic signature or electronic stamp unless the legislation provides otherwise.

Further, in order to encourage cross border electronic transactions, the ETTSL allows the use of Trust Services outside of the UAE, which provide a similar level of security, and trust to those Trust Services within the UAE.

Regulated Trust Services

In order to enhance certainty, the ETTSL sets out a detailed regulatory framework for the following four types of Trust Services:

• Electronic Stamp: an electronic equivalent of a stamp that is applied to a document to confirm its origin and integrity.
• Electronic Time Stamps: evidences that a document existed at a point in time;
• Electronic Delivery Service: provides proof of sending and receiving of data.
• Electronic signatures: the expression in electronic format of a person’s agreement to the content of a document or set of data.

The new law goes into detail to enhance certainty. As such, whereas the Old Law did not distinguish between different types of time stamps/e-signatures, the ETTSL distinguishes between different types of e-signatures, and provides further detail as to when a document is deemed reliable. The types of e-signatures under the ETTSL  include:

• Electronic Signature: The definition of Electronic Signature under the Law resembles the Old Law. This is any form of digital mark to indicate acceptance of a document or data.  It could be a scanned copy of a wet signature or a “click” accept.
• Certified Electronic Signatures (CES): A Certified Electronic Signature needs to allow you to check the identity of the signatory (but does not need to guarantee it), and should also allow you to check there have been no subsequent changes.
• Approved  Electronic Signatures (AES).  Due to the secure manner in which it is created, the AES holds special status under the law. Under the Law, an Approved Electronic Signature will be treated as authentic as a handwritten signature.

The Executive Regulations are to designate further requirements for the creation of AES and CES.  Note we have seen differing translations of CES and AES, but essentially (whatever the translation) the types of e-signatures are akin to advanced electronic signatures and qualified signature respectively under eIDAS.

Providing Approved Trust Services

The ETTSL requires all providers of “trust services” to obtain a license from the Telecommunications and Digital Government Regulatory Authority (“TDRA”) for approval (“Licensee” or “Approved Trust Services provider). It is not yet clear exactly what the breadth of this licensing requirement is, as it could capture the offering of any electronic signature mechanism.

No person may provide the approved trust services unless it has obtained a license from TDRA and the obtaining the capacity of being a approved trust service provider according to the provisions of the ETTSL and its Executive Regulations.

The role of the Telecommunications Regulatory Authority and the Digital Government

The Telecommunications and Digital Government Regulatory Authority (“TDRA”)  is the competent authority who will be the regulator for the Law  – but the Federal Authority for Identity and Citizenship issues controls in the following two cases:

• Trust services or qualified trust services rendered to the governmental sector; and
• Trust services or qualified trust services that depend on the information or services of the Federal Authority for Identity and Citizenship.

Electronic Identification Systems  

Under the Law, the TDRA is to issue the rules, procedures and standards related to the Electronic Identification Systems, verification procedures and digital ID, after coordination with concerned bodies. Electronic Identification allows businesses and consumers to identify and authenticate who they are.

The Digital Identity issued according to the requirements of the electronic identification system approved by TDRA shall be approved in coordination with the Federal Authority for Identity and Citizenship as a means to have access to the electronic services and transactions provided by the governmental authorities.

The security and trust of the electronic identification system and the digital identity issued by such systems are categorized into three levels: Low, Average and High. The lowest level signifies a low level of confidence and increased risk of tampering, whereas the highest signifies a high level of confidence and minimal risk of tampering.

The digital identity used in the approved trust services has to satisfy the conditions of high level of security and trust.

People’s use of the digital identity issued through the electronic identification system under the Law to have access to the governmental electronic services will satisfy the requirements of the personality identification and personal attendance.

UAE Trust List

The TDRA will create a list of the licensees and their services and a list of the electronic identification system, the qualified electronic signature and stamps and include the same in the UAE trust list and publish them in any manner it may deem appropriate. The Executive Regulations shall designate the regulations and conditions for inclusion in the UAE Trust List.

Trust mark.

The TDRA is to provide for a trust mark that can be used by approved trust service providers to indicate that they provide approved trust services that meet the requirements of the Law.

Conclusion

The ETTSL ensures that electronic transactions and identification systems within the UAE will be in line with technological developments around the world, and is intended  to encourage digital transformation, investment, and the provision of electronic services to the public.

We will have more clarify around the mechanics of the law, particularly concerning trust services and trust service providers when the  implementing executive regulation are issued.