Recent events, including the investigations into Facebook’s handling of its users’ personal data, have highlighted that personal data is, in today’s world, one of the most valuable resources for any business, and that businesses not only collect and store their customers’ personal data but also use and even sell it for profit.
While there is no single federal data protection law in the UAE, and UAE law does not recognise concepts such as data controllers and data processors, over the years there have been a number of sectoral laws that deal with data protection. These include Federal Law 5 of 2012 on Combating Cyber Crimes, Federal Law 3 of 2003 Regarding the Organisation of Telecommunications Sector, and the UAE Central Bank’s Regulatory Framework for Stored Values and Electronic Payment Systems. There are also data protection laws in some of the UAE’s free zones, such as the Dubai International Financial Centre, the Abu Dhabi Global Market and Dubai Healthcare City. Dubai has a few of its own laws that deal with data protection in certain contexts, e.g., Dubai Law 28 of 2015 Concerning Dubai Statistics Centre and Dubai Law 26 of 2015 on the Regulation of Data Dissemination and Exchange in the Emirate of Dubai.
A new sectoral data protection law, Federal Law 2 of 2019 Concerning the Use of the Information and Communication Technology in the Areas of Health (the New Law), has been published and is set to come into force in May 2019. The New Law is aimed at regulating the collection, processing and transfer of electronic health data that originates in the UAE and will apply to all “information and communication technology methods and uses” in the healthcare sector in the UAE, whether onshore or in any of the free zones (including the Dubai Healthcare City).
The New Law will apply to all businesses that handle health data and information such as healthcare facilities and providers, pharmacies, medical insurance providers and intermediaries, service providers assisting with medical claims management, as well as technology service providers servicing the healthcare industry. Essentially, all businesses that process data relating to patient names, consultation, diagnosis and treatment, alpha-numerical patient identifiers, common procedural technology codes, medical scan images and laboratory results will have to comply with the New Law.
In view of the consistently fast-paced development of healthcare-related technology, the scope of application of the New Law could be much wider than was probably contemplated at the time of drafting it. Many of the devices that we use in our day-to-day lives, such as mobile phones and digital wristwatches, have features that provide healthcare support. All businesses that manufacture such devices, or develop applications that operate on these devices to provide healthcare support, are likely collecting, processing and (in some cases) transferring data relating to fitness and lifestyles in the UAE, and as such will likely fall within the scope of the New Law’s application.
The New Law requires businesses that use information and communication technology for processing health data to ensure its confidentiality, accuracy and validity, as well as its availability when required.
Some of the key features of the New Law are:
- a general prohibition on the transfer of health data outside the UAE, subject to authorisation by the relevant health authority;
- establishment and management of a central system by the UAE Ministry of Health and Prevention to store, exchange and collect healthcare data and information in compliance with the parameters set by the New Law; and
- a data retention period of not less than 25 years.
The parameters for storing health data and information inside the UAE will be defined by a resolution issued by the UAE Minister of Health and Prevention.
Non-compliance with the New Law may attract fines of up to AED 1 million. Other disciplinary sanctions include notices and warnings, and also the suspension or cancellation of an entity’s license.
Although a welcome step towards the protection of healthcare data, the New Law is not the first law that regulates healthcare data in the UAE. UAE Federal Law 7 of 1975 concerning the Practice of Human Medicine Profession and the Ministry of Health Code of Conduct 1988 concerning the collection of health data impose obligations of confidentiality on healthcare practitioners. Those previous healthcare laws remain in effect, although the New Law repeals any provisions of prior law that are inconsistent with it.
The timeframe to ensure compliance with the New Law as well as the scope of its application will be known once the underlying implementing regulations are issued. All concerned parties should closely monitor legislative developments in this regard and obtain legal advice to prepare for compliance with the New Law.