Saudi Arabia, United Arab Emirates and Egypt E-Commerce Legislations and Comparative European Union and Turkey Legislations Review


As we mentioned in our latest Article Saudi Arabia, United Arab Emirates, and Egypt is an appealing advantage for e- commerce initiatives. In this Article we will examine these countries regulation within scope of the consumer rights, data protection, license requirements and other related issues in comparison with EU and TR legislation.



The E-commerce Law in Saudi Arabia entered into force on 10 July 2019.[1] The E-Commerce Law aims to increase the contribution of e-commerce to the Saudi Arabian economy, to enable the foreign and local e- commerce companies to invest in Saudi Arabia, and ensuring the achievement of 2030 Vision. The law regulates the rights and obligations of Service Providers who are located in Saudi Arabia and Service Providers outside Saudi Arabia but provide products or services to consumers in Saudi Arabia. The Service Providers defined as; e-commerce practitioners registered in the trade registry (Merchants) and e-commerce practitioners not registered in the trade registry (Practitioners). However, non-registered service providers (Practitioners) are required to specify their company addresses on their e-commerce sites.

Consumer Rights

The Service Providers obliged to pay attention; to protect consumers data (Art.5), to disclose goods/services features appropriately and properly, to submit a statement containing the terms and conditions of the contract to be concluded to the Consumer ( Art.7), to submit a detail invoice that contains indicating the specified delivery date and location, total prices including taxes, and delivery costs, if any. (Art.8).

E-Commerce Law aims to protect the consumer against fraud, deception and misleading information statement by aiming to improve the confidence of the consumer regarding e-commerce transactions.

If Service Providers do not comply with the provisions of the E-Commerce Law and Regulation, they pay a penalty of approximately $270,000.

The Service Providers need to provide terms and conditions of the conducted contract pursuant to E-Commerce Law and Regulation. Fundamental features of goods/services, product warranty informations, the total price of the product and/or service, including taxes, and delivery and shipping costs, if any; payment and delivery terms, the service provider’s contact information, name, residing address etc., and also other specific information specified in the Regulations regulating the information that the Service Provider must provide according to the nature of each transaction should be disclosed to the Consumer. Without prejudice to the provisions of the E-Commerce Law, within the scope of the pre-information obligation of the service provider pursuant to Turkish and EU legislation, the consumer should be clearly informed that a binding contract will be concluded between the parties after the payment has been approved and this contract will constitute a payment obligation. (Article 7 of the Regulation.)

Pursuant to the E-Commerce Law, if the consumer has not used or benefited from the goods or services other than the cases specified in the E-Commerce Law, the right to return the product purchased through an e-commerce channel or the right to terminate the service contract within seven(7) days from the date of receipt has been recognized and the cost of terminating the contract is given to the consumer. As in the Turkish legislation, the consumer has the right to withdraw due to the right of return and cancellation, but in Turkey, the right to return is recognized as 14 days and there is no cost incurred if the consumer terminates the contract.

In addition to the consumer’s right to terminate the contract, if the Service Provider delays the delivery for more than fifteen days, the consumer will also have the right to cancel his/her order.

The cases in which the right of withdrawal cannot be exercised in Article 11 of the E-Commerce Law are the same as in Article 15 of the Turkish Regulation on Distance Contracts.

Information Required to Disclose on E-Commerce Sites

Pursuant to Article 6 of the Law and Regulation the Service Provider should disclose these informations on their web site: in case the service provider is not registered with an E-store Authentication Authority the service provider’s name and any identifying feature of the service provider; If the company is registered in the registry, its name and registration number, the e-commerce site privacy policy (if it is stated, that the privacy policy is not an obligation, contrary to the legislation in Turkey), the terms of use, the license information and contact number of the service provider, if available,the Service Provider’s tax number, customer complaints and resolution procedures and methods.


Article 12 of the Regulation and after the establishment of the e-store, the trade registry must be registered within 30 days. Practitioners who are not registered in the trade registry can apply through the Ministry’s website by collecting the information required in Article 12 of the Regulation. For a completely foreign venture, an application must be made to the Saudi Arabian Investment Authority for an Investor License. With the investor license, the foreign investor can operate his company in the region without the need for a local business partner. In addition to the investor license, foreign investors should apply to the Ministry of Trade and Industry for a trade registry certificate. Registration with the Chamber of Commerce and Industry and meeting with the General Manager are mandatory. In addition, it is obligatory for the foreign investor to register with the Zakat, Tax and Customs Authority, the Ministry of Human Resources and Social Development ,and the General Organizations of Social Insurances. [2]

Electronic Advertisements

Pursuant to E-Commerce Law commercial advertisements are ntegral part of the contract and legally binding. The Service Provider will be binding by the product features and price specified in advertisement. In accordance with the E-Commerce Law, electronic advertisements should be included in the content; the name of the advertised product or service; the name and any identifying feature of the Service Provider, unless registered with an e-shop authentication body; Service Provider’s contact information; and other information specified in the Regulation. In the content of the service provider’s electronic messages; should use a clear and understandable statement that they are advertisements and contribute to the conscious choice of the consumer by providing accurate information about the features of the advertised product/service. If the Service Provider is not registered with an E-Shops Verification Body (E-Shops Verification Body), the name of the service provider and any identifying features, the service provider’s contact information must also be clearly present in the advertisement. In addition, the electronic advertisement must not contain any false offers, statements, claims or deceptive content that will deceive or mislead the consumer, as well as a false logo or trademark expression that the service provider does not have the right to use.

As in the Law on the Regulation of Electronic Commerce, in Article 10 of the E-Commerce Law and Regulation, the consumer has the right to refuse taking electronic commercial messages. The Service Provider obliged to stop sending electronic advertisements to the Consumer as of the receipt of this request. In addition, the E-Commerce Law and Regulation includes a regulation on the protection of personal data regarding electronic advertisements. Our explanations about these regulations are included in the Personal Data Protection Law section.

Data Protection

There is a clear emphasis on the protection of consumer data in the E-Commerce Law, and the E-Commerce Law imposes a legal obligation on the service provider to protect the confidentiality of consumer data. As stated in Article 5 of the E-Commerce Law, the information considered as personal data is counted in the Regulation [3]. Accordingly, in Article 5 of the Regulation, the information containing specific information about the identity of the Consumer such as name, identity information, address, telephone number, personal property, account and bank card numbers, still and moving pictures are defined as personal data. Accordingly, in accordance with the E-Commerce Law, the Service Provider will not be able to store the Consumer’s personal data and electronic communications, except for the purpose of fulfilling its obligations, unless agreed by the parties at different times, except for the time required by the nature of the electronic transaction. In addition, it will take the necessary measures to protect and maintain the confidentiality of these personal data and electronic communications throughout the storage period. Also the Service Providers will not use the Consumer’s personal data or electronic communications for unauthorized purposes and will not disclose them to other organizations free of charge or for their own interests , unless the Consumer allows such disclosure or is required by law. Similarly in EU and Turkish legislation, personal data processing conditions are defined in personal data legislation, and no data processing conditions are specifically regulated by law. Personal data to be obtained during e-commerce and personal data processing conditions are not listed in the Turkish Electronic Commerce regulations, and data can be merely processed in cases listed in the Law on the Protection of Personal Data.

Besides, in the Law on the Regulation of Electronic Commerce, the retention period of the consumer’s personal data is not specified, as in Article 5 of the E-Commerce Law.

In the Saudi Arabian E-Commerce Law, the Service Provider is also responsible for the protection of the Consumer’s personal data from its subsidiaries or affiliates that it works with. When we examine the Data Protection Law in Turkey, the data controller and the data processor will be jointly responsible for the security of personal data in the Article 12 of the Data Protection Law. However, since there is no Data Protection Law regulation in Saudi Arabia However, since there is currently no Data Protection Law in effect in Saudi Arabia, it is concluded from the relevant Regulation that the responsibility for a data security breach arising from personal data processing during e-commerce transactions will be on the Service Provider as the data controllerIn addition, in the Turkish e-commerce legislation and the relevant Saudi Arabian legislation, the service provider cannot transmit the consumer’s personal data to third parties or use them for other purposes.

Regarding the violation, unlike the legislation of Turkey and the European Union, the notification of the violation is made to the relevant Ministry, not to a Data Protection Authority. EU and Turkish legislation and Saudi Arabian legislation are the same in terms of notification to the consumer, that is, to the data subjectIn accordance with EU and Turkish legislation, the scope and effects of the violation and the measures taken to remedy this violation will not exempt the Service Provider from liability to the Consumer, and the Service Provider will have to comply with those given by the competent authorities regarding the remedy of the violation.

In accordance with the 3rd paragraph of Article 5 of the Regulation, the personal data of the consumer is processed with the consent of the consumer in the process of becoming a member of the e-commerce site and / or application. If the membership process is a condition of receiving services it will not be accepted as an explicit consent in accordance with the EU and Turkish legislation. Another issue subject to explicit consent in the Regulation is the storage of the Consumer’s personal data for another purpose, such as advertising or marketing, without their explicit consent.


Federal Law No. 1 of 2006 on Electronic Commerce and Transactions aims to facilitate and eliminate barriers arising from uncertainties over the writing and signature requirements of electronic commerce and other electronic transactions and promote the development of the necessary legal and commercial infrastructure for the implementation of secure Electronic Commerce. The law deals with the preservation of electronic commercial messages, the aspects of electronic communication, and the validity of contracts established through electronic communication (Art.11,12). In this part we will examine the regulations on consumer rights (according to the New Consumer Protection Law), data protection, and license requirements in UAE.

Consumer Rights in UAE

The consumer rights are regulated under the Chapter 5 of the Federal Law Number 24 of 2006 , UAE consumers are granted the following rights:

  • The Right to Safety: to be protected from products, production processes and services that may cause harm to health and safety
  • The Right to Return: to return or exchange the goods in the event of any defect discovered by the consumer
  • The Right to Informed: to informed the accurate information concerning the goods and services (ex: origin of products, expiry date and ingredients of food items, price of the product including taxes etc.) the suppliers should inform that placing an order is to conclude a binding contract between the parties.
  • The Right to Choose: to have multiple options of items and services at competitive prices and quality
  • The Right to Representation: to express opinions to develop the goods, services, prices and availability

On 10 November 2020, The UAE Cabinet issued Federal Law No. (15) of 2020 on Consumer Protection which repealed Federal Law No. (24) of 2006 on Consumer Protection. The new Law is in line with the Unified Law on Consumer Protection of the Gulf Cooperation Council Countries (GCC). According to the new Federal Law on Consumer Protection, the main three key provisions are listed below:

Consumer Privacy

According to Article 4 of the Consumer Protection Law, suppliers and businesses now have an obligation to safeguard their consumers’ data. As such, suppliers and businesses are prohibited from using consumer data and information for marketing and promotional purposes. Furthermore, the consumers’ religious views, customs, and traditions must be protected when providing a commodity or receiving any service.


E-commerce service providers that are registered within the UAE are required to provide consumers and competent authorities with their names, legal status, address, details of licencing authority and other sufficient information in Arabic. There is also a requirement to provide details of specifications, terms of contracting, payment and warranty (Article (25)). Moreover, according to the provisions stipulated in Article 8, all the information made available to consumers, data, advertisements, contracts and invoices must be in Arabic. It is worth noting that other languages may also be used alongside the main language, which as stated above is Arabic, at the supplier’s discretion.


The applicable penalties for breach of the Consumer Protection Law have increased from those outlined in the Old Consumer Protection Law. For example, the following may result in imprisonment of up to two years and a fine not exceeding AED 2 million (Article (29)):

failure to abide with clear and legible labelling (including how to use and install a particular good);
providing misleading prices for goods and services;
failure to repair or replace a defective product without charge; and
falsely advertising goods or services (or providing false data).
Penalties may be doubled in the event of a re-offence.[4]

Pursuant to Article 36 of the Law on Consumer Protection, it is envisaged that the Regulations in Force will enter into force by 15 May 2021 and further clarification of the Law on Consumer Protection is envisaged.[5]

License Requirements

Steps to obtain license in Dubai [6]:

Decide a legal structure of your business (Inc., LLC)
Choose a location ( There are two types of zones in Dubai: Mainland and Free Zone. In the Mainland you need a local sponsor with a 51% stake in the Company, whereas in the the FreeZone foreigners can own a 100% stake in the Company.)
Register a trade name ( You must reserve your trade name and obtain an initial approval certificate from The Department of Economic Development. Trade name can not include any offensive or blasphemous language)
Apply for a license (E commerce license application in Mainland you should apply to the municipality or the Department of Economic Development in the emirate you wish to set up in, if you are opting for Freezone the license is issued by relevant Freezone authority. For a company set up in the Mainland, you have to pay around AED 10,000 to the DED for trade name registration, initial approval, and issuance of the license. In case you are looking to set up within a free zone, the license will have to be acquired from the relevant Freezone authorities. The type of license issued depends upon the nature of your online business[7].)
Apply for your visas ( residence visas etc.)
Open your corporate bank account

Dubai CommerCity (DCC) free zone

As we mentioned in our latest Article, Dubai CommerCity is a joint venture between Dubai Airport Free zone Authority (DAFZA) and Wasl Asset Management Group. . It provides a unique eCommerce ecosystem to global and regional brands to help them set up and operate their eCommerce business in the MENA region. The free zone is divided into three clusters designed in a modern and innovative way to strategically achieve environmental and investment sustainability. The clusters are: the business cluster, the logistics cluster and the social cluster.[8]

Business incentives include:

100 per cent foreign company ownership
no corporate tax or income tax
100 per cent repatriation of capital and profits.

The eCommerce licence (Tajer Abu Dhabi)

The eCommerce licence from Abu Dhabi Department of Economic Development (ADDED) allows entrepreneurs to add their online trade activities to their existing licences, or obtain a new licence to conduct business through websites and social media networks. In 2017, Tajer Abu Dhabi was restricted only to UAE nationals but in 2018, ADDED expanded the licence package to include all GCC nationals and UAE residents under three legal forms:

establishment for Emiratis and GCC nationals
one-person company for Emiratis and GCC nationals
limited liability company for residents in partnership with Emiratis.
It also raised the number of eligible activities covered by the licence to 1057. All are exempt from having a physical presence or an office.[9]

DED Trader Licence from Dubai

The eTrader licence from Dubai Economy (DED) allows UAE nationals and GCC nationals residing in Dubai to practise business activities through various social media networks.The eTrader licence can be registered under the name of a single owner only. The eTrader cannot open a shop or issue visas and in case of a legal dispute, the licensee alone will be held responsible.[10]

Required Documents for the License Application:[11]

Passport/visa copies of the shareholders
Copy of sponsors passport/Emirates ID ( if you establish your company in Mainland)
Local Service Agreement
No-objection Certificate from the relevant authority
Draft a memorandum of Association
If your online business involves physical products to sell or trade it is mandatory to have proper warehousing to store your goods and establish a reliable logistic system you can opt for a third party logistics or build your own.

UAE Regulations on Data Protection Law

Federal Law No. 5 of 2012 on Combatting Cybercrimes and its amendment by the Federal Law No. 12 of 2016 makes it illegal to disclose any information obtained by electronic means, if such information was obtained in an unauthorised manner.Article 21 of the law makes one liable if he uses an electronic information system or any information technology means for offending another person or for attacking or invading his privacy.

Article 22 of the same law makes one liable if uses without authorisation, any computer network, website or information technology means to disclose confidential information which he has obtained in the course of or because of his work.

Internet Access Management (IAM) policy

Telecommunications and Digital Government Regulatory Authority (TDRA) implements the Internet Access Management (IAM) policy in the UAE, in coordination with National Media Council and Etisalat and Du, the licensed internet service providers in the UAE. Under this policy, online content that is used for impersonation, fraud and phishing and/or invades privacy can be reported to Etisalat and Du to be taken down.

Electronic Transactions

Federal Law No. 1 of 2006 on Electronic Commerce and Transactions provides security measures of electronic transactions and ensures that electronic data is authentic and reliable.


Consumer Rights

The Law No 181 of 2018 which repealed Law No. 67/2006 , has ensured the consumer’s protection under the umbrella of the remote contracting, which was not previously treated in the old Law. The law also guarantees the consumers’ right to have comprehensive and correct information about the services introduced to them and products they consume. The main information provided about the product has to include the source of the product, its price, nature, main characteristics besides other information determined by the law’s executive regulations.

Essential consumer rights are following:

  • The right to health and safety for the normal use of the products
  • The right to obtain all of the correct information and data about the services or products that the consumer buys, uses or receives
  • The right to ensure respect for community customs and traditions
  • The right to receive fair compensation for damages towards the consumer or its money as a result of the purchase, use or receipt of the products
  • The right to return any faulty product for a full refund or replacement in the span of 30 days after purchase[12]
  • The right to replace or return for a full refund any product without reason within 14 days[13] Supplier’s Obligations

Since the Law addresses so many obligations we will only examine the substantial ones below.

Disclosing Obligations

The Supplier has the obligation of clearly disclosing all substantial data and information related to a product especially its source, price (including tax details or any other financial burdens), specifications and features, essential characteristics, where and when it is offered, the data enumerated by the Egyptian Standards Specifications, and any other data to be required by the executive regulation when issued .[14]Moreover, the product’s information has to include the supplier’s identifiable information, mainly including his address, contact information, and trade mark if available, all in Arabic as well.

The suppliers are also obliged by the law to ensure that all messages to the consumer including ads, data, information, documents, bills, and receipts are written in Arabic and in another languages at the Supplier’s discretion. These data shall be clearly disclosed and shall be easily read and understood by the consumer.

Warranty Liabilities

According to the Article 3 of this Law, the Supplier shall abide by the health and safety and quality rules as well as guaranteeing them in accordance with the Egyptian Standards Specifications or the international standards specifications approved in Egypt.


Through strict penalties against companies or merchants who violate regulations, the new law criminalizes the monopoly of any product or market and false and/or misleading advertisements or behaviour in any format under the Article 9 of this Law with a fine of up to EGP two million per violation.The new Law primarily aims to not mislead,fraud or deceive the consumer.

In event of businesses fail to fulfill their obligations to inform ( as we mentioned above) the customer in a clear manner.The businesses will otherwise face a fine between 10,000 EGP and 50,000 EGP.

Physical harm or death caused by faulty products are severe penalties that supplier will be penalized imprisonment.[15]

Data Protection Law in Egypt

Egypt’s Personal Data Protection Law was passed on 13 July 2020 and published on 15 July 2020. It will come into force on 15 October 2020, and the Executive Regulations are expected by 14 April 2021. The Personal Data Protection Law introduces a variety of compliance requirements, as well as some significant criminal penalties.

The Regulation will provide further detail on the role of the new regulator and how it will implement the new Law. Companies will have a 12-month grace period to comply with the Law from the date of publication of the Regulation.[16] The new Data Protection Law in Egypt has a similarity on definitions and scopes of the Regulations in Turkey and EU. As GDPR and Data Protection Law in Turkey data subjects have a various fundamental rights under the Regulations in Egypt. Unlikely the GDPR, Article 1 of the Law solely applies to personal data that has been electronically processed, data held exclusively in a physical format is not regulated.

Processing Data

The Personal Data Protection Law prohibits the processing of personal data except with the consent of the data subject, or where otherwise permitted by law. Processing must be lawful, transparent and that the personal data collected should be retained for no longer than is necessary to fulfill the intended purpose.

In contrast to the GDPR, as part of the transparency obligations, data controllers in Egypt do not have to disclose a privacy notice before processing personal data. However, they must maintain a register in accordance with Article 4 that describes the erasure mechanism, the retention period of such data, and so forth.[17]

Cross-border Transfer

Subject to certain exceptions, a company must obtain a license from the Regulator cross border transfer of a data, and should only transfer personal data to a country which affords the same level of protection to personal data as Egypt under the Law.(Article 14)

Transferring data to a country which not affords the same level of protection to personal data with Egypt shall carried out with the approval of Egyptian Data Protection Centre ( yet to be established) and where the level of protection provided is not less than that provided in Egypt pursuant to the Personal Data Protection Law.

Article 15 sets out a number of exceptions to the Article 14 restriction such as obtaining the express consent of the data subject.

Data Protection Officers

Foreign companies processing personal data in Egypt are obliged to appoint a representative in Egypt. For data controllers outside of Egypt a local representative must be appointed Data Protection Officer (DPO) as a point of contact for Egyptian data subjects and the Regulator.

Notification Requirements

In the event of a security breach, unlike under the GDPR, both controllers and processors are obliged to report the incident to the Regulator within 72 hours. In the case of a breach which impacts national security, companies must report the incident to the Regulator and the National Security authorities immediately, including the Ministry of the Interior and the General Intelligence Directorate.[18]


The Personal Data Protection Law provides for a variety of criminal offences, with a range of penalties – including fines and imprisonment. These includes:

Collecting, processing, disclosing, providing access or circulating personal data, by any means, other than with the consent of the data subject, or as otherwise permitted by law,
Processing and transferring personal data other than in accordance with the personal data protection law;
Preventing a data subject from exercising rights granted pursuant to the Personal Data Protection Law;
Failure of a data controller or data processor to comply with specific obligations, and notification/reporting requirement,
Failure to appoint a Data Protection Officer,
Failure of Data Protection Officer to perform duties as specified in the Personal Data Protection Law;
Failure to comply with digital marketing requirements pursuant to the Personal Data Protection Law.
These offenses according to the Personal Data Protection Law can be committed by Egyptian companies operating in Egypt or overseas and foreign companies operating in Egypt.

[1] For the full text of the relevant Law E-Commerce Law (Royal Decree Number M/126)


[3] Yönetmeliğin tamamı için bkz.