The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates
United Arab Emirates
The United Arab Emirate’s (UAE’s) Department of Health, located in the Emirate of Abu Dhabi, has launched a new mobile application, called “TraceCovid.” The purpose of the application is to track infected individuals. The UAE does not have one specific law on privacy and data protection. The country has a number of legal instruments to protect the privacy of individuals. These legal instruments include Federal Law No. 5 of 2012 on Combating Cybercrimes, Federal Law No. 3 of 1987 on the Penal Code, and the 1971 UAE Constitution. Federal Law No. 2 of 2019, known as “the Health Data Law,” is the first and only domestic legislation regulating data retention and protecting the privacy of personal health data.
As of May 22, 2020, the total number of diagnosed COVID-19 cases in the United Arab Emirates (UAE) was 26, 898 including 12,755 recoveries and 237 fatalities. In response, the UAE’s Department of Health, located in the Emirate of Abu Dhabi, launched a new mobile application, called “TraceCovid.” The purpose of the application is to track infected individuals. The application can be downloaded on both Apple and Android devices. The application uses the Bluetooth function on smartphones and allows users to detect and identify another device with the same application installed.
According to the Department of Health, if two people are near each other, their mobile phones will exchange an encrypted Secure Tracing Identifier (STI) and store the exchanged STI locally on their phones. If one of them is infected with the virus, the relevant authorities will be able to access the user’s data and timestamps. This will allow the medical authorities to track all the other individuals who have come in close contact with the infected person.
Many citizens and expatriates of the UAE have no reservations about sharing their data in general, especially with retailers. According to a report by professional services firm KPMG, 78% of UAE consumers are willing to share their personal data with retailers and other institutions. Only about 22% percent are not in favor of disclosing their personal data with any organization at all, according to the same report. According to the Telecommunications Regulatory Authority (TRA), mobile phone penetration in the UAE increased to 228.3 phones per 100 people in the first quarter of 2017, with the total number of subscriptions amounting to 19.8 million.
II. Legal Framework
A. Privacy and Data Protection
The UAE does not have one specific law on privacy and data protection. The country has a number of legal instruments protecting the privacy of individuals. These legal instruments include Federal Law No. 5 of 2012 on Combating Cybercrimes, Federal Law No. 3 of 1987 on the Penal Code, and the 1971 UAE Constitution.
1. Federal Law No. 5 of 2012
The Law penalizes individuals and entities who disclose any information obtained by electronic means, if such information was obtained in an unauthorized manner. It also criminalizes the act of using, without authorization, any computer network, website or method of information technology to disclose private information.
2. Federal Law No. 3 of 1987 on the Penal Code
The penal code of the UAE sanctions any person who violates the private or family life of other individuals by eavesdropping, recording, or transmitting, through a device of any kind, conversations that took place in a private place or by telephone or any other device, or by capturing or transmitting, through any type of device, a picture of a person in a private place.
3. The 1971 Constitution
The Constitution states that communications by post, telegraph or other means are confidential.
B. Data Retention and Location Tracking
Federal Law No. 2 of 2019, known as “the Health Data Law,” is the first and only domestic legislation regulating data retention and protecting the privacy of personal health data. It also regulates the use of information technology and communications (ITC) in the healthcare sector. Furthermore, the Law governs the transfer, sharing, and retention of electronic health data, including patient names, consultation, diagnosis and treatment data, alphanumerical patient identifiers, common procedural technology codes, medical scan images and lab results.
Under the title “The Obligation to Use Information Technology and Communications,” the law requires that health care providers use ITC to store and transfer health data to ensure its confidentiality. The law also mandates that health care providers preserve health data against any unauthorized modifications, loss, alteration, deletion or addition.
Health care providers must also create adequate technical procedures to guarantee the security of health data. The Law obligates them to ensure that only authorized personnel have access to patients’ health data to guarantee its confidentiality.
Retention and transfer of the health data of UAE citizens and expatriates outside the UAE are prohibited unless authorized by the Ministry of Health. Violation of this provision by any person or entity is punishable by a fine between 500,000 and 700,000 Emirati Dirham (between US$125,222 and US$175,312). Health care providers must retain health data for a period not less than 25 years from the date on which the last procedure took place.
The Law stresses protection of the confidentiality of health data. However, it allows sharing of health data without the permission of the patient under the following circumstances: (1) responding to a request for information issued by insurance companies covering the medical services, (2) for the purpose of adopting public health preventive and treatment measures, (3) to respond to a request for information issued by a judicial authority, and (4) to respond to a request for information about a patient pertaining to the preservation of public health.
The Law imposes disciplinary actions and fines ranging between one thousand and one million Emirati Dirhams (between US$250 and US$250,000) on health care providers who violate any of its provisions.
III. Electronic Measures to Fight COVID-19 Spread
On April 19, 2020, the Health Department in Abu Dhabi announced that it had launched a mobile application, called “TraceCovid.” The department has urged all UAE citizens and expatriates to install the application on their mobile devices. The main purpose of the mobile application is to identify any individuals who came close to someone who is a COVID-19 patient.
According to the main web page of “TraceCovid UAE,” the application authorizes users to detect mobile devices that have the same application installed. To illustrate, when a person is located at a supermarket and comes close to another person whose phone also has TraceCovid installed, the application on both mobile devices exchanges an encrypted STI and stores the exchanged STI locally on their devices. The STI consists of anonymized data and a timestamp. In the event that one of those two people gets the virus, the health department will request that the infected person upload the list of STIs stored locally on that person’s mobile phone. Such information will assist the medical authorities in contacting other people who may have come in close contact with the infected person and identify them faster to minimize the spread of the virus.
The Abu Dhabi Health Department has announced that the TraceCovid application does not affect the use and efficiency of Bluetooth on a mobile phone. The application runs in the background to communicate with another person’s mobile device that has the same application. The department also said that the privacy of the personal data of the person installing the application is protected.
The Health Department of Abu Dhabi also launched a second mobile app for individuals who have been identified as COVID-19 patients or who have come in close contact with someone infected with COVID-19. These individuals are ordered to quarantine at home.
According to the health department, these individuals will be asked to download a mobile app from Google Play or the App Store. The app ensures that the quarantined person adheres to mandatory requirements. The main purpose of the app is to send alerts that inform users to stay within the range of movement allowed during the quarantine. The app provides the health authorities with the precise location of these individuals to ensure that they do not violate the quarantine.
We were unable to find any information on tracking individuals who do not possess a mobile device.
Prepared by George Sadek
Foreign Law Specialist
 Id. art. 22.
 Federal Law No. 2 of 2019, art. 4(1).
 Id. art. 4(2).
 Id. art. 6.
 Id. art. 8.
 Id. art. 13.
 Id. art. 24.
 Id. art. 20.
 Id. art. 16.
 Id. art. 25.
Last Updated: 12/30/2020