Many businesses operating in the healthcare and technology sectors have found a home in the United Arab Emirates in recent years. The government focus on promoting industries outside of the oil and gas sector, planned incentives to encourage foreign investment (such as ten-year visas for skilled medical and technological professionals), and friendly environment for some of the world's most prestigious medical institutions (such as Johns Hopkins Hospitals and the Cleveland Clinic), are encouraging more healthcare and technology companies (the "HealthTech" sector) to come to the UAE.
Companies in the HealthTech sector currently operating or considering establishing a presence in the UAE should be excited about the opportunities in the country, but also need to be mindful of an important element of their business: patient privacy and the security of patient data.
Every company has different needs and requirements, but we have summarised some of the key UAE laws and regulations which should be considered.
I. AT THE FEDERAL LEVEL
The UAE does not have a stand-alone data protection law. At the Federal level, data protection is covered under several laws, including the UAE Constitution, the Penal Code, the Cybercrime Law, the Telecommunications Law and the new ICT Healthcare Law. This means that consideration must be given to the interplay and impact of multiple pieces of legislation.
The right to privacy is part of the UAE Constitution (Federal Law No. 1 of 1971), and non-consensual publication of any data which relates to an individual's private or family life is punishable under the UAE Penal Code.
Under the UAE Penal Code (Federal Law No. 3 of 1987, as amended), consent of the person whose data is being shared must be obtained if that data may relate to that person's private or family life. The exceptions to obtaining consent under the UAE Penal Code are when: (i) a UAE official/public authority requires the transfer of the data; or (ii) the data transfer serves the public interests or national security. There are no specific conditions about how such consent is to be provided. As a matter of best practice, we encourage clients to obtain permissions in writing and retain these in the company's records in a safeguarded manner that allows ready access.
The Cybercrime Law (Federal Law No. 5 of 2012) regulates electronically saved or shared data, including personal data, obtained through unauthorised actions, as defined under that law, and prohibits the invasion of an individual's privacy.
The Telecommunication Law (Federal Law No. 3 of 2003) applies to the extent that data is obtained through any means of telecommunication, including through telecommunication providers.
The Law on the Use of Information and Communication Technology ("ICT") in the Area of Health (Federal Law No. 2 of 2019) (the "ICT Healthcare Law") was issued on 6 February 2019 to more specifically regulate the use of ICT within the healthcare industry at UAE Federal, Emirate and free zone level.
II. THE ICT HEALTHCARE LAW
The new ICT Healthcare Law will regulate the security and safety of health data and information in the UAE, and seeks to introduce a framework which promotes international standards and values. The ICT Healthcare Law is a framework piece of legislation and will be supported by detailed Executive Regulations, which will follow in the near future.
Key provisions of the law include the following:
- The Ministry of Health and Prevention ("MoHAP") will establish a central system to store, exchange and collect health data and information, in conjunction with Federal and local health authorities (Article 5).
- MoHAP will establish and apply a national strategy on the use of ICT in healthcare (Article 10(1)).
- It will not be permissible to store, process or generate relevant health data and information outside the UAE without the consent of MoHAP (Article 13).
- Data processors must keep healthcare data and information confidential and only use this for healthcare purposes, unless the patient's consent has been obtained. This is subject to limited exceptions, including where the disclosure is: (i) required by insurance companies or any authority funding the healthcare services; (ii) for scientific and research purposes, provided the patient's identity is not disclosed; and (iii) requested by competent authorities (Article 16).
- MoHAP may seek to ban or block websites, both inside and outside the UAE, which violate the UAE's standards for healthcare advertising or which undertake the same without permission or a license from MoHAP (Article 18).
- Data and information must be retained for at least twenty-five (25) years from the date of the last health procedure (Article 20).
- Penalties include monetary fines and suspension of licenses, and are strictly without prejudice to those penalties contained in other applicable laws (Article 25).
The ICT Healthcare Law was published on 6 February 2019 and will come into force in May this year.
III. EMIRATE-SPECIFIC LAWS AND REGULATIONS
1. Dubai
Dubai Health Authority. The Dubai Health Authority ("DHA") published its "Health Record Guidelines" (the "DHA Guidelines") in 2012. The DHA Guidelines are similar to the HAAD Directive (discussed below) in their nature and scope. The DHA Guidelines provide general requirements that "Custodians" of patient health records must follow in regard to the storage and maintenance of, and authorised access to, such records, whether in paper or electronic form. We expect DHA to publish further policies and regulations relating to health data in the near future following publication of the ICT Healthcare Law.
The Dubai Data Law. Dubai has implemented a data law (Dubai Law No. 26 of 2015) (the "Dubai Data Law", sometimes referred to as the "Open Data Law"). The Dubai Data Law aims to permit the sharing of data between various organisations from both the private and public sectors, while seeking to maintain and protect confidentiality and privacy. The Dubai Data Law has implications for government entities, individuals, and corporate entities who use data related to Dubai. The data covered is only that which is non-sensitive, non-confidential and openly accessible for use. While at first glance the Dubai Data Law may not appear to be applicable to many HealthTech businesses, it is worth reviewing your individual data processes to determine whether you need to take it into consideration.
2. Abu Dhabi
The Health Authority of Abu Dhabi ("HAAD") issued its "Standards for Medical Record, Health Information Retention and Disposal" (the "HAAD Directive") in 2015, which is applicable to Abu Dhabi healthcare facilities and professionals licensed by HAAD. The HAAD Directive sets forth the procedures for collecting, storing, distributing and destroying patient records, and gives HAAD the authority to impose sanctions for non-compliance with the HAAD Directive. We expect HAAD to publish further policies and regulations relating to health data in the near future following publication of the ICT Healthcare Law.
IV. FREE ZONE DATA LAWS
Dubai Healthcare City free zone ("DHCC") was established as a healthcare and wellness free zone in 2002. It has a stand-alone data protection law, the Health Data Protection Regulation (Reg. No. 7 of 2013) (the "HDPR"), which may be relevant to HealthTech businesses operating within DHCC. The HDPR is intended to promote and protect "Patient Health Information" by establishing principles with respect to the collection, use and disclosure by the DHCC and its licensed companies. The HDPR applies to all licensed companies operating in the DHCC regardless of where the data is held. In other words, if a DHCC-licensed company stores data on a server based outside of the UAE, the HDPR is still applicable to the manner in which that data is securely stored, processed and distributed. We expect DHCC to publish further policies and regulations relating to health data in the near future following publication of the ICT Healthcare Law.
V. THE GDPR
The European Union's General Data Protection Regulation ("GDPR") came into force in May 2018. Although this is an EU law, it has a global scope and application. Companies established in the UAE may be subject to the provisions of the GDPR and therefore must comply with certain of its obligations. Some of the main considerations that companies in the UAE should be aware of in respect of the GDPR are listed below, but this information should not be considered a comprehensive list.
1. Wide Scope
The GDPR applies primarily to companies located within the EU that hold "personal data" (i.e., data from which an individual (a "Data Subject") can be identified). The GDPR also applies to companies located outside of the EU, including the UAE, if they: (i) offer (or anticipate offering) goods or services to Data Subjects in the EU; or (ii) monitor the behaviour of Data Subjects within the EU.
This extends the reach of the GDPR outside the EU's boundaries, and means that many UAE companies could be subject to the GDPR's provisions. Examples of how a UAE company may be subject to the GDPR include:
- sending material to EU-based Data Subjects;
- monitoring EU Data Subjects via cookies when they access company websites;
- capturing data from EU Data Subjects through means such as websites for analytical purposes; or
- outsourcing the storage or processing of patient or customer information to data centers or service providers located in the EU.
2. Compliance must be demonstrated
The GDPR focuses on accountability and companies must demonstrate compliance with the law. The intention behind this is to force a more proactive approach to data protection.
3. No "broad-brush" consent
Broad-brush consents to data processing will no longer suffice under the GDPR. Instead, requests for consent must be given in an intelligible and easily accessible form, along with details of the purpose for processing the data. Consents must be clear, and it must be made as easy for a Data Subject to withdraw consent as it was to give it.
The days of paper records and "snail mail" are quickly being relegated to novelties of history as technology continues to improve the efficiency and accuracy of how data is collected, transmitted, stored and processed. With these technological advances come opportunities, as well as risks, for companies whose business operations depend on timely and safe data storage and transmission. The UAE has been, and will continue to be, an innovator in the exciting advances in the HealthTech sector, whether in the context of patient treatment or data maintenance. The companies that succeed in this growing market will be the ones with the ability to adapt to the UAE's evolving and uniquely layered legal framework. Baker Botts works with our HealthTech clients to anticipate legal changes, devise compliance strategies and ensure they gain the competitive advantage.
If you want to learn more about how these laws and regulations are applicable to your business, please contact us.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.