The many digital platforms are transforming almost every industry today; it is swiftly becoming apparent that the similar looking terms of use and privacy policies currently applicable may not provide new entrepreneurs or platform users with an adequate sense of security. This inadequacy, coupled with an ever-increasing demand for technology lawyers in Dubai, necessitates a need for such entrepreneurs and platform users to become more cautious in regards to covering themselves against risks and losses.

A simple example of why new entrepreneurs are becoming progressively more cautious when covering themselves from risks and losses would be the knowledge that one of the crowdsourcing Apps recently invited users to undertake mystery shopping.

This example depicts the necessity for privacy policies and terms of use which will reduce the risks and losses when engaging in transactions on the digital platform.

The crowd-sourcing App in this particular case provided the Mystery Shoppers with a certain amount of store credit. The shopper could use such monetary value on the App for in-store purchases. However, for the shopper to use the store credit to partake in the mystery shopping, the App holders had to pay an activation fee. This activation fee paid by the App holders wanting to participate in mystery shopping enabled them to access the credit on the App. Once they had transferred this, the participants would go to the store only to find out that there is no credit available on the App. The theft of the activation fee is then known to them.

The terms of use on a website, in the form of Terms and Conditions, and the Privacy Policy are the basis of the express or implied contract between the platform owner and its users. Their effect is to limit liability and offer protection to digital platform owners. However, the question here is; what protection do platform users have; and does the online acceptance of today stand as a valid agreement against the law.

Terms and Conditions clause

Regarding the abovementioned example, the user of the digital platform was the party to bear the losses and risks caused by the actions of the third party – the scamming company. Below will be an example from the Second Circuit Court of Appeals, of how the owner of a digital platform did not sufficiently cover itself against risks and losses in its Terms and Conditions.

In this case, the user signed up for a programme that provides discounts on products and services in consideration of monthly fees. Following the users' enrolment and use of the application, he received an email from the defendant. In the email, there were additional Terms and Conditions, inclusive of an arbitration provision of a mandatory nature. Such new Terms and Conditions were never expressly consented to by the user. The user canceled his account and claimed a full refund, to which the defendant only provided a partial refund. The user then commenced a class action, to what end the defendant responded by seeking to enforce the arbitration provision in the additional terms and conditions. The court a quo concluded that the user had never agreed to the new terms and conditions, the Appellate court upheld the conclusion.

With consideration of precedent regarding contract law and enforceability in the context of shrink-wrap and agreements of an electronic nature, the emailed Terms and Conditions would be binding if:

  1. After receiving actual notice, or at a minimum, inquiry notice regarding the additional terms; and
  2. The user then manifested his assent, expressly or implied.

The law does not require Terms and Conditions on a website, however as can be noted above, having adequate Terms and Conditions, to which users must consent to, could limit the liability of the platform owner immensely. The efficacy of the site owners' terms and conditions clause is pertinent to whether they can be held liable for content on their website. The prior mentioned case held the following on what companies should do to limit their liability:

a. Indicate all the terms of notice;

  1. Require visitors or users of the site to page through the terms. Only once this is completed should they be able to select the 'agree' option or expressly and actively provide their consent to the terms;
  2. Restrain using the website or initiate using services on the site before express permission by the user; and
  3. Periodically have users of the site reconfirm their agreement to the terms.

Numerous sites request users to create a profile and yet they do not require the users to agree to their terms before gaining access to their profile. Users on the site are expected to seek out, on their own accord, the terms and conditions. Users get faced with clauses such as the following:

"By entering, executing using, downloading, commenting, saving, accessing or using the Digital Platform you will automatically be considered a user which requires the full acceptance of every provision included in these Terms, in the version published by, and at the time you access or use the Digital Platform. If you, as a user, do not agree to these Terms, you may not access or otherwise use the Digital Platform."

If it is considered, that the user was unaware of the fact that the action of entering, executing using, downloading, commenting, saving, etc. constituted their acceptance of every provision included in the Terms, how could such user be held to have consented to the Terms?

However, one should take cognizance of the fact that it is common practice for courts to rule in favor of the user who did not expressly consent to the terms and conditions. A court stated that acceptance need not be express, but where it is not, there must be evidence that the offeree knew or ought to have known of the terms and understood that the offeror would construe acceptance of the benefit as an agreement to be bound.

The United Arab Emirates

Regarding the law of the United Arab Emirates, a contract becomes legally binding upon the parties after the express or implied acceptance of the offer by the offeree. There are however a few exceptions to this rule which warrant that a contract is only legally binding if it is in writing.

Of relevance to electronic contracting on digital platforms, is the Federal Law Number 36 of 2006 on the Evidence and Commercial Transaction. This piece of legislation governs that electronic evidence or electronic messages are not recognized. Due to this, Dubai has implemented the Dubai Law Number 2 of 2002 relating to Electronic Transaction and Commerce Law. Regarding this legislation should a person contract, offer to contract or accept to contract, either wholly or in part, using electronic messaging, such an agreement will see be considered valid in the eyes of the law. Federal Law No.1 of 2006 on Electronic Commerce and Transactions (the e-Commerce Law) was put in force to align the country's legislation with the needs of the online marketplace.

The Privacy Policy

The privacy policy is not only required by law but is considered one of the most critical inclusions on a digital platform. It is of significant priority and should be read and assented to by all users. However, this is seldom the case. The Privacy Policy relates to the website's policy as to what it will and will not do with the information a user provides on the site.

There are multiple issues about the privacy of the data collected on digital platforms. To illustrate one, would be the issue of how one can be exposed to far-reaching effects when unwarranted data is in the hands of marketers, financial institutions, employers and governmental institutions, For example, impact on relationships, employment, qualifying for a loan and even to get on a plane. While there is much concern about this, little has been done to improve privacy protection online.

For the privacy risks that need reducing highlighted above, each person must make careful consideration of what data they are putting on the web and what the implications of the Privacy Policy on the relevant page are.

In a time when privacy infringement is rife, and more and more high-profile privacy breaches are being commonly publicised, it is imperative for all digital platform users to reconsider what personal data they provide to such platforms precisely.

An example of a recent high-profile privacy breach is the Facebook breach, in which a political data firm with links to President Trump's 2016 campaign was able to harvest private information from more than 50 million Facebook profiles without the social networks alerting users.

Data collection and privacy policies internationally

There is a significant disparity globally in the governing of data collection and online privacy. Some countries display stringent legislation in this regard while others lack relevance and authority. Below are examples of how different states regulate this.

European Union

The European Union Data Protection Directive of 1998 states that anyone processing personal data must do so in a fair and lawful manner. For the data collection to be considered legal, the taking in of the data must be for specified, explicit and legitimate purposes, and users must give unambiguous and explicit consent after being informed that data collection and processing is taking place.

Germany

In Germany, the Federal Data Protection Act of 2001 states that any collection of any personal data (including computer IP addresses) is prohibited unless the collector gets the express consent of the subject. The data collector also has to get the data directly from the users (for example, it is illegal to buy email lists from third parties).

The United Arab Emirates Law

There is no Federal data protection law in the UAE; there is also no single national data protection regulator. Due to this fact, the protection from risks and losses is the sole responsibility of the individuals. Although, there are two rights afforded by the UAE Constitution of relevance here. Article 30 of the UAE Constitution which provides for freedom of opinion and to express that opinion either in writing, verbally or by any other medium of communication. As well as, Article 31 which is a general right to privacy and it provides for a right to freedom of correspondence through various means of communication and the secrecy thereof.

Sectoral laws

Regarding Federal Decree Law No. 5 of 2012 on Combating Cybercrimes, Article 2 prohibits unauthorized access to websites or electronic information systems or networks. Article 2 further imposes more severe penalties when such actions result in, among other things, the disclosure, alteration, copying, publication, and replication of data. A penalty's severity will increase if such data is of a personal nature.

Article 21 of the Federal Decree No. 5 of 2012 also prohibits the invasion of privacy of an individual through a computer network and electronic information system and information technology, without the individual's consent and unless authorized by law. Article 21 further prohibits disclosing confidential knowledge obtained in the course of, or because of, work, through any computer network, website or information technology

It is of significance here that on 25 May 2018, UAE-based companies with relations and business dealings with European Union consumers will need to ensure that they comply with Regulation 679/2016. This Regulation concerns the protection of natural persons regarding data collection.

In Dubai Court of Cassation case number 67/2010 (132), the court observed the contrast between Article 30 of the UAE Constitution, Article 47 of the Federal Law Number 15 of 1980 Concerning Press and Publication (the Press Law) and Clause 79 of the Press Law. In this case, the appellant initiated legal action on the basis that the defendant had published the details of the case regarding the appellant's wife. The defendant was a limited liability company in Dubai that was dealing with printing and publishing and had published the details of a case surrounding the extra-marital affair of the appellant's wife. The appellant contended that this had caused substantial harm to his family since the news spread instantly to his home country also. Let us analyze each of these Provisions carefully before proceeding. Article 30 of the UAE Constitution provides freedom of opinion and to express that opinion in writing, verbally, or by any other medium of communication. Provision 47 of the Press Law stipulates that newspapers are permitted to publish the details of cases before the courts unless the proceedings of the case get held in secret session. On the other hand, Article 79 of the Press Law has explicitly prohibited the publications of news, photos or investigations regarding the family or private life of individuals if it can cause harm. These laws mean that the legislators have provided the public with the freedom of expression and at the same time, has limited that freedom to protect the privacy of individuals. The Dubai Court of Cassation, in light of the above Provisions, held that the appellant failed to prove that the defendant had published untrue events and the Court had not decided on whether to rule the earlier proceedings as secret sessions. The Court of Cassation dismissed the appeal case and stated that the defendant was not liable for other newspapers that published the news.

Advise to drafters of terms of use

To draft terms of use for a website, that will afford adequate protection to both platform owners and users the following essential elements should be included:

  • Limitation of liability – a necessary disclaimer removing the responsibility for errors in the web content. Should the site be interactive, and others able to post on the site – a disclaimer must be included, which states that the website and website owners do not endorse users and are not responsible for the statements made by third parties.
  • Intellectual property – a clause to inform users that the contents, logo and other visual media created is the property of the website.
  • Termination – a provision to notify users that use the site in an abusive manner will result in termination at the sole discretion of the owner.
  • Governing law – a clause that describes which legal jurisdiction will apply in cases of dispute – this should be the country in which the headquarters of the website is.
  • Links to other sites – a clause should be included which warrants against liability for third party websites linked to the main website.
  • Privacy policy – when collecting any information from users, a privacy policy must be present.

The Abu Dhabi Court of Cassation had to decide on the validity of electronic signature to determine whether the appellant was eligible to get a commission in the case of 393/2010 (218). In this case, the court observed and decided on the validity of electronic signatures to qualify as evidence under Federal Law Number 10 of 1992 regarding Civil and Commercial Transactions (the Civil Transactions Law). Article 17 (3) of the Civil Transactions Law states that e-Signatures have the same effect and validity as provided in the e-Commerce Law. The e-Commerce Law offers electronic communication with an equal level of importance in the eyes of the law and considers it valid evidence in a commercial transaction. Further, Article 4 and Article 10 of the e-Commerce Law information communicated through emails shall not lose its validity merely on the basis that the mode of communication is electronic and electronic signature shall be accepted as evidence even where such email or e-Signature is not original or in its original form. The court dismissed the appeal in this case by ruling that the electronic communication in question was valid evidence of the transmission between the parties and the appeal was filed merely on the premise that the trial court had erred in its factual understanding of the law and the value of the evidence submitted thereon.

VAT Liability

Because a significant proportion of retailers and distributors in the UAE provide their services both physically and via the internet, it is imperative to fully grasp the relevant VAT implications which are now in force. VAT regulations take into consideration the location of supply (of a good) – the area in which it is made available to the consumer. This consideration could also include the place where freight of the goods ends.

Regarding VAT for services, it is the customers' place of establishment that is considered the relevant location for tax purposes. Unless such person is a non-taxable entity; if this is the case, the site of the supplier is where the tax will incur.

VAT liability applies to all transactions, including e-commerce transactions and online purchases.

Conclusion

Some countries are party to the Organisation for Economic Co-operation and Development (the OECD) multilateral initiative dealing with online privacy and data protection issues. However, many countries, including the United Arab Emirates are not a party to such initiative and only bare rudimental legislation governing website terms of use. The world online is expanding at a paid rate, and lawyers are challenged to fill in the gaps in the law and guidance to adequately regulate the growing world of digital platforms.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.