Our first edition of 2022 focuses on Healthcare and Life Sciences. It is a sector that will once again have the spotlight on it this year as we continue to tackle COVID-19 and its subsequent variants. While the pandemic continues to challenge the sector, governments across the region forge ahead with their plans to expand and upgrade healthcare systems and develop robust world-class healthcare infrastructure.
For the region, healthcare is a vital pillar in diversifying its economies, both locally and as medical tourism hubs. To underpin this, healthcare authorities across the region continue to implement frameworks and regulations that provide structure and accountability.
In this edition, you have unique access to great insights and expert commentary on a number of pertinent healthcare regulatory developments. You will find a topical mix of articles; for example, our lawyers discuss vaccines and returning to work during the pandemic. They take you through several other areas, including stem cell research in Bahrain, clinical research laws in Egypt, and Saudi medical device and pharmaceutical laws.Take a read of the edition
The Dubai International Financial Centre (“DIFC”) has issued a new Data Protection Law DIFC Law No. 5 of 2020 (“DIFC DP Law”). This law applies in the jurisdiction of the DIFC only.
In this article, we discuss an entity’s obligations under the DIFC DP Law when it wishes to transfer personal data outside the DIFC.
There are many reasons an entity may wish to transfer personal data to another jurisdiction outside the DIFC. Namely, that entity may have a parent or subsidiary entity, or an affiliate outside of the DIFC (including in onshore UAE). It may require transferring personal data for administrative purposes, to analyse and monitor that data, for record keeping of employee, contractor and client data, and even to provide personal data to third parties for marketing purposes.
Regardless of why the entity is transferring personal data, it is very important that the relevant entity has systems and procedures in place to ensure that personal data is processed for the purposes or related purposes which the data subject expected, unless one of the exemptions outlined in the DIFC DP Law applies. Entities should ensure they understand what personal data is being transferred, where and for what reason. Controllers and processors must maintain written records of processing activities (“ROPA”) for which it is responsible or carrying out as instructed. The ROPA must contain information that sets this out, and includes details of the technical and organizational measures that are applied to the processing.
According to the DIFC DP Law, entities must ensure they protect and safeguard personal data. One primary factor that determines an entity’s obligations under the DIFC DP Law is whether the outside jurisdiction receiving the personal data has a level of protection over personal data which is considered to be adequate or inadequate.
The adequate jurisdictions are set out in Appendix 3 of the DIFC DP Regulations and include transfers to: the United Kingdom, Europe and the Abu Dhabi Global Market. A jurisdiction which many house affiliates of many entities operating in the DIFC and is not considered an ‘adequate jurisdiction is the United States’. The “Privacy Shield” replaced Safe Harbour in 2016, and is a mechanism recognised by the European Commission for transferring personal data between the European Union / European Economic Area and the United States of America. The DIFC does not recognise it for this reason, as DIFC has no such agreement in place for transfers of personal data from the DIFC to the United States of America. Therefore, Privacy Shield cannot be relied upon for transfers from the DIFC to the United States of America.
On this basis, the DIFC DP Law requires that entities implement safeguards for transfers of personal data to jurisdictions such as the United States
In addition, the Commissioner may determine that a jurisdiction outside the DIFC does have an adequate level of data protection, in its discretion, by taking into account factors including:
If the Commissioner has determined that the third party jurisdiction does not have an adequate level of protection, a transfer may only take place under certain circumstances including that:
(A) The controller or processor in question has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available. The appropriate safeguards referred to in (a) above may be provided for by factors including:
The Commissioner has provided a set of standard clauses to be applied to contractual or other arrangements that require the transfer of personal data outside of the DIFC. They are available on the DIFC website. The standard clauses may not be altered other than to complete basic information or provide additional commercial requirements. If any alteration to the standard clauses is contemplated by the relevant entity utilizing them, the Commissioner should be consulted first and such alterations agreed in writing.
(B) A derogation applies, including:
Where a transfer could not be based on the safeguards or derogations set out above, such transfer may take place only if the transfer:
The DIFC DP Law also covers controller and processor obligations around data sharing (as distinct from data transfers). This occurs when a government entity requests the controller or processor to share personal data with it. It is common for government organizations or authorities to request data, including personal data, on demand for a variety of purposes. While the Commissioner encourages such sharing, the organization receiving such request still needs to consider what controls should be in place to govern the sharing and ensure that all parties involved will apply them. If the organisation deems a request too broad, it may ask for specificity or request appropriate, written binding assurances that the data will be ethically and responsibly managed.
Under the DIFC DP Law, where a controller or processor receives a request from any public authority the disclosure and transfer of any personal data, it should:
Before personal data is shared in response to a request for information the relevant entity should consider:
The DIFC DP Law Guide suggests the creation of policies regarding sharing personal data with government entities. Examples are contained on the Commissioner’s website.
An entity may choose or be required to transfer personal data outside the DIFC for many reasons, including record keeping and third party marketing purposes. Under all circumstances, it is necessary for the entity to scrutinise what personal data it is sending, to which third parties and for what purposes. Further, that entity should ensure it meets all requirements under the DIFC DP Law, depending on whether or not the third party jurisdiction has been considered to have an adequate level of protection in accordance with the DIFC DP Law.