Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.
Find out moreWelcome to the first edition of Law Update for 2025. As we begin this exciting year, we are pleased to turn our attention to one of the most dynamic sectors in the UAE and the broader GCC region – healthcare. Over the past several years, the region has seen unprecedented growth in this sector, driven by legislative advancements, technological innovations, and the increasing focus on sustainability and AI. As such, healthcare is set to be one of the most important sectors in the coming decade.
In this issue, we explore key themes that are significantly shaping the future of healthcare in the UAE, such as recent changes in foreign ownership laws. These reforms present a major opportunity for foreign investors, opening up new avenues for international collaborations and improving the overall healthcare infrastructure. The changes in ownership laws are an important milestone, and we provide an analysis of what this means for the industry and the various players involved.
Read NowSDAIA, the Saudi Data & Artificial Intelligence Authority, has just released draft Regulations to the new Personal Data Protection Law, due to come into effect on 23 March 2022. The draft Regulations provide helpful clarity on many aspects of the PDPL, although ambiguity remains on a variety of topics.
Any business likely to be affected by the Law should scrutinise the draft Regulations, and consider making submissions on any areas of concern. Further information on the consultation process is available here:
https://istitlaa.ncc.gov.sa/en/Transportation/NDMO/PDPL/Pages/default.aspx
The draft Regulations contain a number of significant issues, and we have not sought to address them all here. We do, however, make some observations about transfers of personal data outside the Kingdom. Unless well drafted, with practical considerations in mind, the transfer provisions have significant potential to cause issues for international businesses and for businesses that rely on cloud services hosted outside the Kingdom. This topic caused the most concern when the Law was first published in September 2021.
Do the draft Regulations satisfactorily address these concerns? Probably not, but with some adjustments they might work.
In summary, the potentially bureaucratic requirements around regulatory approvals prior to transfers abroad, as well as the question of whether the consent of the data subject negates the need to obtain such approval, would benefit from further scrutiny by SDAIA.
In Art. 28.1, the draft Regulations restate a basic requirement to host and process personal data in the Kingdom – but they also contemplate personal data being transferred outside. Such transfers would be subject to the controller undertaking a privacy impact assessment and obtaining the written approval of the relevant ‘regulatory authority’ (such as an industry sector regulator) having liaised with the ‘competent authority’ (being SDAIA, initially) on a case by case basis.
In Art. 28.2, the transfer provisions contain a statement that transfers of personal data to recipients outside the Kingdom can occur for public interest purposes (not defined); or where providing services to individuals (not corporates?) and the transfer is subject to the consent of the data subject and not in a manner contrary to what the data subject might expect. Art 28.2 includes reference to Art. 29, which provides for transfers to jurisdictions not assessed as providing an adequate level of data protection. (Art. 30 contemplates SDAIA developing a list of jurisdictions that it considers to provide an adequate level of protection to personal data.) The implication seems to be that, where the recipient is in a jurisdiction assessed as providing adequate protections, then the consent of the data subject will legitimise such transfers.
As noted above, Art. 30 contemplates SDAIA developing a list of jurisdictions that it considers to provide an adequate level of protection to personal data. For transfers to jurisdictions not assessed as providing an adequate level of protection, and excluding circumstances where the vital interests of the data subject are at stake, Art. 28.3 of the draft regulations contemplate a requirement for controllers to apply to SDAIA, at least 30 days in advance of proposed transfers. Art. 29 provides further requirements relating to transfers to such jurisdictions, including a requirement for controllers to undertake risk and impact assessments, and to provide appropriate safeguards (such as adoption of standard clauses, BCRs, etc.) .
As noted above, the draft Regulations contain a variety of other concerns, and further scrutiny is essential. We will be happy to share further insight on this significant development, and to provide support in the preparation of submissions to the consultation process if required. Please follow our Digital & Data ‘showcase’ page on LinkedIn, and contact email Nick O’Connell directly for any specific support.
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.