By Charles Laubach and Imran Asghar
The Authors
Charles Laubach Charles is a partner at Afridi & Angell’s Dubai office. He has practiced as a legal consultant in the UAE since 1986. He advises on general corporate matters, military procurement and offsets, project finance, employment, and international trade controls. Charles is a member of the Pennsylvania and DC Bars. He holds a JD and an MA from the University of Pennsylvania, an MA from the University of London School of Oriental and African Studies, and a BA from Dartmouth College.
Imran Asghar Imran’s practice focuses on corporate and commercial law, as well as mergers and acquisitions. He advises clients in domestic and cross border transactions in connection with acquisitions, divestitures, and corporate restructuring matters. Imran is a member of the Pakistan Bar Association. He holds an LLM from the University of Warwick and an LLB from the University of London. |
Recent events, including the investigations into Facebook’s handling of its users’ personal data, have highlighted the realisation that personal data is, in today’s world, one of the most valuable resources for any business and that businesses not only collect and store their customers’ personal data but also use and even sell it for profit.
While there is no single federal data protection law in the UAE, and UAE law does not recognise concepts such as data controllers and data processors, over the years, there have been number of sectoral laws that deal with data protection. These include Federal Law 5 of 2012 on Combating Cyber Crimes, Federal Law 3 of 2003 Regarding the Organisation of Telecommunications Sector, and the UAE Central Bank’s Regulatory Framework for Stored Values and Electronic Payment Systems. There are also data protection laws in some of the UAE’s free zones, such as the Dubai International Financial Centre, the Abu Dhabi Global Market and Dubai Healthcare City. Dubai has a few of its own laws that deal with data protection in certain contexts, eg, Dubai Law 28 of 2015 Concerning Dubai Statistics Centre and Dubai Law 26 of 2015 on the Regulation of Data Dissemination and Exchange in the Emirate of Dubai.
A new sectoral data protection law, Federal Law 2 of 2019 Concerning the Use of the Information and Communication Technology in the Areas of Health (the New Law), has been published and is set to come into force in May 2019. The New Law is aimed at regulating the collection, processing and transfer of electronic health data that originates in the UAE and will apply to all “information and communication technology methods and uses” in the healthcare sector in the UAE, whether onshore or in any of the free zones (including the Dubai Healthcare City).
The New Law will apply to all businesses that handle health data and information such as healthcare facilities and providers, pharmacies, medical insurance providers and intermediaries, service providers assisting with medical claims management, as well as technology service providers servicing the healthcare industry. Essentially, all businesses that process data relating to patient names, consultation, diagnosis and treatment, alpha-numerical patient identifiers, common procedural technology codes, medical scan images and laboratory results will have to comply with the New Law.
In view of the consistently fast paced development of healthcare related technology, the scope of application of the New Law could be much wider than was probably contemplated at the time of drafting it. A lot of the devices that we use in our day-to-day lives such as mobile phones and digital wrist watches have features that provide healthcare support. All businesses that manufacture such devices or develop applications that operate on these devices to provide healthcare support are likely collecting, processing and (in some cases) transferring data relating to fitness and lifestyles in the UAE, and as such, will likely fall under the scope of the New Law’s application.
The New Law requires businesses that use information and communication technology for processing health data to ensure its confidentiality, accuracy and validity, as well as its availability when required.
Some of the key features of the New Law are:
- a general prohibition on transfer of health data outside the UAE, subject to an authorisation by the relevant health authority;
- establishment and management of a central system by the UAE Ministry of Health and Prevention to store, exchange and collect healthcare data and information in compliance with the parameters set by the New Law; and
- a data retention period of not less than 25 years.
The parameters for storing health data and information inside the UAE will be defined by a resolution issued by the UAE Minister of Health and Prevention.
Non-compliance with the New Law may attract fines of up to Dh1 million. Other disciplinary sanctions include notices and warnings, and also the suspension or cancellation of an entity’s license.
Although a welcome step towards protection of healthcare data, the New Law is not the first law that regulates healthcare data in the UAE. UAE Federal Law 7 of 1975 concerning the Practice of Human Medicine Profession and the Ministry of Health Code of Conduct 1988 concerning the collection of health data impose obligations of confidentiality on healthcare practitioners. Those previous healthcare laws remain in effect, although the New Law repeals inconsistent provisions of prior law.
The timeframe to ensure compliance with the New Law as well as the scope of its application will be known once the underlying implementing regulations are issued. All concerned parties should closely monitor legislative developments in this regard and obtain legal advice to prepare for compliance with the New Law. ■
Afridi & Angell Founded in 1975, Afridi & Angell is a full-service UAE law firm in its fifth decade at the forefront of the legal community. From the beginning, our hallmarks have been a commitment to quality, unsurpassed knowledge of the law and the legal environment, and crafting of innovative business solutions. Licensed in the three largest Emirates of Abu Dhabi, Dubai and Sharjah as well as the Dubai International Financial Centre, our practice areas include banking and finance; corporate and commercial law; arbitration and litigation; construction; real estate; infrastructure projects; energy; project finance; maritime (wet and dry); and employment. We advise local, regional and global clients ranging in size and sophistication from start-ups, sole proprietorships, family-owned businesses, entrepreneurs and investors to some of the world’s largest public and private companies, governments and quasi-government institutions. We attract and retain clients with our dedication to practical guidance focused on their business needs supported by decades of experience here in our home jurisdiction, the UAE. Afridi & Angell is the exclusive member firm in the UAE of top legal networks and associations, most notably Lex Mundi, the world’s leading network of independent law firms, and World Services Group. |
Afridi & Angell’s inBrief provides a brief overview and commentary on recent legal announcements and developments. Comments and opinions contained herein are general information only. They should not be regarded or relied upon as legal advice. © 2019, Afridi & Angell |