The UAE’s Ministry of Health and Prevention (MoHAP) has issued a long-awaited resolution setting out exceptions to Article 13 of Federal Law No. 2 of 2019 (“Health Data Law”), which by default prohibits the transfer, storage, generation or processing of health data that relates to health services provided in the UAE (“UAE Health Data”) outside of the UAE.
Ministerial Resolution 51/2021 (“Resolution”) relaxes the data transfer restriction for certain types of processing operation, and will be welcomed by industry players, many of whom have adopted a ‘risk-based’ approach to cross-border data transfers since the restriction was introduced.
This alert summarises the exceptions to the Article 13 restriction and identifies certain of the practical challenges that remain to be considered. An interactive reference guide setting out the conditions applicable to each exception is also linked to this alert and can be accessed here.
- The Resolution sets out a list of permitted exceptions to Article 13 of the Health Data Law to permit cross-border transfers and overseas processing of UAE Health Data in 10 separate circumstances, including to support pharmacovigilance reporting, scientific research, the administration of insurance claims and UAE Health Data processing in the context of wearables and healthcare monitoring devices.
- The Resolution provides much-needed clarity to companies operating within the healthcare and life sciences sector as well as to companies that provide technology services for the benefit of UAE patients and/or healthcare providers.
- Ensuring that a processing operation fits within the scope of an exception is only the first step required under the Resolution. Companies wishing to benefit from an exception must go on to ensure that they are able to comply with any associated conditions. The majority of the exceptions are subject to various conditions, some of which will be more challenging than others to implement in practice.
- Businesses wishing to rely on an exception under the Resolution are advised to work with their IT and product teams to consider the practical as well as the legal implications associated with relying on a particular exception.
- If none of the scenario-specific exceptions is applicable, the Resolution offers companies the option of relying on the formal consent of the concerned person (i.e., data subject) or their representative to permit the export or overseas processing of UAE Health Data. There is currently no guidance on what form this formal request should take.
- The Resolution has also reconfirmed that the requirements of the Health Data Law only apply to health data that originates from UAE patients and that relates to healthcare services provided in the UAE. Accordingly, the Article 13 restriction will not apply to services provided in the UAE to the extent they involve the processing of data derived from healthcare services provided overseas.
- MoHAP has set out its expectations when it comes to export and overseas processing of UAE Health Data and so non-compliant processing activities are unlikely to be tolerated any longer. To avoid fines, companies which process UAE Health Data are advised to review their data flows and assess whether the arrangements are compliant or whether changes or additions need to be made.
To speak to us in relation to the Health Data Law, any data and technology related matters, or issues generally, please feel free to contact Kellie Blyth.