Technology, Media & Telecoms Digest

We are delighted to present the sixth edition of our TMT Digest, focusing on legal developments and updates in the TMT field within our region. 

This digest aims to provide a comprehensive overview of recent case law and advancements, fostering knowledge sharing among our regional TMT team. By staying informed, our practitioners will be better equipped to navigate the regulatory frameworks governing the Middle East TMT sector. 

We hope you find this edition to be informative and beneficial. As always, we encourage you to share your thoughts, feedback, and any notable developments that may contribute to our collective knowledge.

United Arab Emirates

DIFC Launches Consultation on Proposed Amendments to Data Protection Law

The DIFC has initiated a consultation process proposing amendments to select legislation, including the Data Protection Law (DIFC Law No. 5 of 2020). The proposed changes include clarifying the extra-territorial long-arm jurisdiction of the law to controllers and processors not established within the DIFC. The amendments also introduce clearer guidelines on data transfers outside the DIFC and the redressal mechanisms for violations under the law, strengthening the framework for compliance and transparency. These changes are intended to streamline data protection processes, improve clarity for businesses, and enhance individuals’ privacy rights. Stakeholders are invited to review and provide feedback on the proposed amendments through the consultation process. Stakeholders are encouraged to review and submit feedback on the proposed changes by 26 March 2025.

ADGM Entities Urged to Update Data Protection Registers

The ADGM Office of Data Protection (ODP) has issued Circular No. 1 of 2025, reminding all ADGM entities of their obligations under the ADGM Data Protection Regulations 2021 (DPR 2021) to regularly update their Data Protection Register and maintain accurate records of their designated Data Protection Contact Person. According to Section 24 of DPR 2021, all ADGM entities must adhere to the following obligations:

Maintaining an Accurate Register – Entities must ensure that their Data Protection Register contains up-to-date information regarding the purposes of data processing, categories of data subjects, and data transfers.
Timely Updates – Any modifications in data processing activities, including new data collection processes or changes to existing declarations, must be promptly reflected in the Register.
Updating Contact Person Details – Entities must ensure that the contact details of their designated Data Protection Contact Person, including any changes in the appointment or cessation of a statutory Data Protection Officer, are updated to facilitate inquiries, complaints, and reporting.
As the regulatory authority overseeing data protection compliance in ADGM, the ODP has published guidance on Data Protection Registration, available through ADGM Registry 2.0. Entities are encouraged to review the guidance and ensure adherence to DPR 2021 to avoid enforcement actions.

⚖️ Dubai Court of Cassation Judgement No. (1846) of 2024

The court ruled that an investment agreement is void if it involves activities for which the parties are not legally authorized. In this case, the plaintiff filed a lawsuit against the defendants seeking to annul an investment agreement and recover AED 28 million. The plaintiff alleged that the defendants illegally invested funds and sought the annulment of the investment agreement dated 20/2/2017, along with the repayment of AED 28 million plus interest. The court found that the defendants were not authorized to engage in investment activities, specifically in currency exchange offices and cryptocurrency trading, which were the primary areas of investment under the agreement. Consequently, the court ruled in favor of the plaintiff, declaring the investment agreement void and ordering the defendants to repay AED 28 million with interest. The court’s decision serves as a precedent, emphasizing the legal ramifications of engaging in unlicensed investment activities and the imperative of adhering to regulatory frameworks to mitigate legal and financial risks.

Kingdom of Saudi Arabia

­SDAIA Opens Public Consultation on Licensing Regulations for Data Processing Audits and Certification

The SDAIA has issued two draft regulations for public consultation: one concerning accreditation certificates for personal data protection and another governing the licensing of audits related to personal data processing activities. The draft regulation on accreditation certificates establishes the criteria for data controllers and processors to obtain certification, demonstrating compliance with the Personal Data Protection Law (PDPL) and its Implementing Regulations. Meanwhile, the draft regulation on licensing audits sets out the framework for entities seeking authorization to conduct audits or issue accreditation certificates, specifying the applicable procedures, validity periods, and conditions for license renewal or revocation.

SDAIA Publishes Personal Data Breach Incident Guide

The SDAIA Personal Data Breach Incident Guide provides a structured framework for managing personal data breaches in compliance with the Saudi Personal Data Protection Law. It mandates a three-stage response: (1) Notifying SDAIA within 72 hours, detailing the breach, affected data, and remedial actions; (2) Containing the breach, including notifying affected individuals and mitigating risks; and (3) Documenting the incident, retaining records and implementing corrective measures. The Guide applies to all controllers under Saudi law and defines key terms such as “Controller,” “DPO,” and “Personal Data Breach.” Emphasizing cybersecurity and data governance, it aims to enhance trust, minimize risks, and strengthen regulatory compliance.

SDAIA Opens Public Consultation on Deepfake Guidelines (Draft Guidelines)

The SDAIA has released draft deepfake guidelines for public consultation. As artificial intelligence tools become increasingly ubiquitous, the ability to manipulate audio and video to falsely represent individuals poses a significant risk, necessitating measures to prevent misinformation and reputational harm. The rules distinguish between non-malevolent deepfakes, which are used for legitimate reasons and necessitate explicit agreement and unambiguous labelling, and malicious deepfakes, which are meant to deceive or harm. Establishing moral standards, openness, consent, privacy protection, and educating people about the dangers of deepfakes are among the suggestions. Compliance with data privacy laws, minimal data use, privacy-preserving methods, consent management, documentation, explainability, non-intrusive watermarking, bias elimination, Human-in-the-Loop oversight, governance frameworks, risk assessments, and beneficial applications are all highlighted in ethical principles for developers.

Qatar

CRA Issues New Consumer Protection Policy and Regulation for Enhanced Transparency

The Communications Regulatory Authority (CRA) has issued the Communications Consumer Protection Policy and Regulation, setting a new standard for consumer rights and Service Provider obligations in the telecommunications sector in Qatar. The Policy outlines the key objectives and principles that will govern consumer protection efforts in Qatar. Furthermore, the Regulations provide a detailed set of rules and procedures that Service Providers must adhere to. They cover advertising standards, marketing practices, billing transparency, contract fairness, data privacy, and customer notifications. Specific provisions address common consumer concerns, including unsolicited direct marketing, spam, and the safeguarding of personal data.

CRA Releases Cloud Data Interoperability and Portability Regulations

By Decision No. (34) of 2024, the CRA has issued the Regulation for Cloud Data Interoperability and Data Portability. This regulation implements the policy and regulatory recommendations on Data Interoperability and Data Portability outlined in the Cloud Policy Framework issued by the CRA in 2022 by:

• Encouraging cloud service providers to embed data portability and interoperability into their services by requiring them to provide minimum contractual commitments to portability.
• Establishing essential requirements to facilitate data interoperability.
• Supporting the adoption of internationally recognized, industry-led standards for cloud service providers.
• Mandating that, where customers are government entities, cloud service providers must offer an application programming interface (API) to ensure interoperability between the entity’s computer systems and those of other government entities.

This regulation marks a significant step towards enhancing data portability and interoperability, fostering a more open and efficient cloud environment for consumers and businesses alike.

Bahrain

Bahrain’s TRA issues Cybersecurity Guidelines to Strengthen Telecommunications Sector Resilience

The TRA issued the “Telecommunications Sector Cybersecurity Guidelines” on December 5, 2024, with the purpose of establishing a baseline set of security measures and best practices to protect the telecommunications industry from cyber and physical threats. The guidelines are primarily aimed at telecommunication entities operating within the Kingdom of Bahrain. These entities include organisations regulated under the Telecommunications Law, but the guidelines emphasize that they may also be beneficial to other entities outside the explicit scope of the law, as they aim to enhance cybersecurity hygiene and resilience across the entire telecommunications sector. The guidelines are structured into several key domains, each addressing different aspects of cybersecurity. These include (non-exhaustively):

• IT Security Governance: This includes controls related to roles and responsibilities, risk management, strategies, policies, procedures, asset management, change management, business continuity management, and cybersecurity awareness and training.
• Cyber Defense: This covers identity and access management, network security, enterprise email protection, data security and encryption, physical and environmental security, and social media cybersecurity.
• Cybersecurity Assessment, Audit, and Third-Party Cyber Risk Management: This focuses on audit processes, vulnerability management, penetration testing, third-party services, telecom products, vendor cybersecurity, and cloud computing.
• Cybersecurity Operations and Incident Management: This includes incident detection, incident management, threat intelligence and information sharing, and testing and exercises.

While the guidelines are not currently binding, they are intended to help telecommunication entities align with industry standards and regulatory expectations.

Jordan

Jordan Enters New Era of Data Protection as Enforcement of Privacy Law Begins

With the grace period for compliance now elapsed, Jordan’s new data protection law enters a critical phase of enforcement, marking a significant shift in the country’s regulatory landscape. Organizations and individuals that process personal data must now fully adhere to the law’s requirements, as regulatory scrutiny is expected to intensify. The Data Protection Unit, established to oversee compliance and enforcement, is now positioned to take a more active role in ensuring adherence to the law. Its actions in the coming months will likely set key precedents for how data privacy is regulated in Jordan, shaping expectations for businesses and individuals alike.

Moreover, Jordanian courts will play a crucial role in interpreting the law, particularly in cases of non-compliance or disputes over data privacy rights. Judicial rulings on early enforcement cases will influence the legal landscape and provide further guidance on the practical application of data protection principles. With regulators and courts now actively engaged, Jordan’s data protection framework is entering a new phase—one that will define the country’s approach to digital privacy for years to come.

Egypt

Egypt Launches Second Edition of National Artificial Intelligence Strategy

Egypt has unveiled the second edition of its National Artificial Intelligence Strategy 2025-2030. This strategy aims to leverage AI for social and economic development, positioning Egypt as a regional and global leader in AI.
Building on the foundation laid by the first edition launched in 2020, the strategy was announced by the President of the Republic of Egypt and the National Council for Artificial Intelligence (NCAI). The NCAI is responsible for developing and governing the implementation of the strategy. The strategy outlines a vision of ‘inclusive AI to foster Digital Egypt, promoting social and economic development and benefiting all Egyptians.’ Its mission is to ‘create an AI industry supported by governance, technology, data, infrastructure, ecosystem, and talents, to ensure its sustainability and competitiveness for promoting Egypt’s development.

Oman

Oman Extends Compliance Grace Period for Personal Data Protection Law (PDPL)

In a significant development for businesses operating in Oman, Ministerial Decision No. 6 of 2025 has extended the grace period for compliance with the Omani Personal Data Protection Law No. 6 of 2022 (PDPL). Previously set to expire in February 2025, the new deadline now grants organizations until February 2026 to align their data processing activities with the law’s requirements. This extension provides businesses with additional time to implement necessary governance frameworks, data protection policies, and ensure technical safeguards are in place to meet compliance standards.

While the extended deadline offers much-needed flexibility, organizations should not delay their compliance efforts, as enforcement measures are expected to be strictly applied once the grace period ends. Companies operating in Oman should take this time to assess their data protection practices and make the necessary adjustments to avoid potential penalties.