This order establishes a robust confidentiality regime to protect sensitive patient data during the high-stakes litigation between Health Bay Investment and Dr. Kamal Akkach, ensuring compliance with both DIFC and UAE healthcare data protection standards.
What is the nature of the dispute in CFI 087/2019 and why was a confidentiality club order necessary?
The litigation in CFI 087/2019 involves a complex commercial dispute between Health Bay Investment in Healthcare Enterprises & Development LLC and Anglo Arabian Healthcare Investments (the Claimants) and Dr. Kamal Akkach (the Defendant). Given the healthcare sector context of the parties' business operations, the discovery process inevitably involves the exchange of highly sensitive personal information, including medical records, financial data, and patient contact details.
To manage the disclosure of this sensitive material while maintaining the integrity of the litigation, the parties sought a formal mechanism to restrict access to "Confidential Information." The court-sanctioned order defines this information broadly, encompassing data protected under Dubai Law No. 26 of 2015, Federal Law No. 2 of 2019, and the DIFC Data Protection Law. The order ensures that while the parties can effectively litigate their claims, the privacy rights of third-party patients are not compromised. As the order specifies:
For the avoidance of doubt, Confidential Information contained in a document, witness statement and / or expert report in these Proceedings should not be used for any purposes other than the furtherance of this litigation.
Which judge presided over the issuance of the Agreed Confidentiality Club Order in CFI 087/2019?
The Agreed Confidentiality Club Order was issued by Nour Hineidi, sitting in the DIFC Court of First Instance. The order was granted by consent on 10 May 2021, following the submission of letters from the representatives of both the Claimants and the Defendant dated 29 April 2021.
What were the positions of the parties regarding the handling of sensitive healthcare data?
Both the Claimants and the Defendant recognized the necessity of a structured "confidentiality ring" to facilitate the exchange of evidence without violating data protection statutes. The parties jointly proposed a framework that balances the need for transparency in legal proceedings with the strict requirements of healthcare confidentiality. By consenting to this order, the parties avoided a contested application, demonstrating a mutual commitment to protecting patient privacy while ensuring that their respective legal teams, experts, and e-disclosure providers could access the necessary documentation to advance their cases.
The parties agreed that access to unredacted documents containing sensitive information would be strictly limited to "Authorised Persons." This designation requires individuals to provide a signed undertaking to the Court, ensuring they are legally bound by the confidentiality restrictions. The parties also established a mechanism to challenge the inclusion of specific experts or providers in this ring:
A party may also apply to the Court for a variation of this Order in the event that the Producing Party objects to its expert or e-disclosure provider receiving Confidential Information.
What was the specific doctrinal issue the Court had to address regarding the scope of the confidentiality regime?
The Court was tasked with defining the jurisdictional and procedural boundaries of a "confidentiality club" within the context of DIFC civil procedure. The primary doctrinal issue was how to reconcile the open-justice principle—which generally favors public access to court documents—with the statutory obligations to protect sensitive medical and financial information under both DIFC and UAE law. The Court had to determine the precise criteria for "Authorised Persons" and establish a clear protocol for the marking, redaction, and eventual destruction of confidential documents to ensure that the litigation process did not become a vehicle for the unauthorized dissemination of private healthcare records.
How did the Court structure the "Authorised Persons" test to ensure data security?
The Court adopted a rigorous, multi-tiered test to determine who qualifies as an "Authorised Person." Access is not granted automatically; it is contingent upon the individual being named in the Schedule to the Order and, crucially, providing a signed undertaking to the Court. The order further distinguishes between internal legal teams and external experts or e-disclosure providers, requiring a notice period for the latter to allow the Producing Party an opportunity to object.
This structured approach ensures that the "Confidential Information" is only accessible to those strictly necessary for the furtherance of the litigation. The Court’s reasoning emphasizes the necessity of control over the information flow, as evidenced by the strict limitation on who may view unredacted materials:
Only the Authorised Persons of a Receiving Party may inspect the unredacted copy of documents marked as containing Confidential Information.
Which specific DIFC and UAE statutes were cited as the basis for the confidentiality protections?
The order is explicitly grounded in a framework of both local and federal legislation. The definition of "Confidential Information" is tethered to the following legal instruments:
* Dubai Law No. 26 of 2015: Concerning the regulation of the healthcare sector in Dubai.
* Federal Law No. 2 of 2019: Concerning the Use of the Information and Communications Technology in Health Fields.
* DIFC Data Protection Law: The primary DIFC legislation governing the processing of personal data.
* Dubai Health Authority (DHA) regulations: Governing the handling of patient records.
The order also references the Rules of the DIFC Courts (RDC 2014), specifically regarding the general powers of the Court to manage the disclosure process and protect sensitive information during proceedings.
How did the Court apply RDC 2014 principles to the management of the confidentiality ring?
The Court utilized its case management powers under the RDC 2014 to implement a flexible yet enforceable regime. By incorporating a mechanism for the substitution or addition of Authorised Persons, the Court ensured that the litigation could proceed efficiently without requiring a new court order for every minor change in personnel. The order provides a clear administrative pathway for these changes:
The Parties may seek to substitute or add to the persons listed at Part A to the Schedule at any time by giving a minimum of 5 days’ written notice to the other Party.
This is further supported by the requirement that notified parties must respond within 5 working days, creating a streamlined process for managing the confidentiality ring that minimizes judicial intervention while maintaining court oversight.
What was the final disposition and the specific relief granted by the Court?
The Court granted the Agreed Confidentiality Club Order by consent. The order mandates that the Producing Party must clearly mark documents containing Confidential Information and provide redacted copies to the Receiving Party. It also includes provisions for the return or destruction of confidential materials once the proceedings have concluded:
Upon the conclusion of these proceedings, on 21 days' notice, the Producing Party may require the Receiving Party and its Authorised Persons to return or destroy any Confidential Information produced by the Producing Party.
The order also provides a safety valve for any person affected by the restrictions, allowing them to apply to the Court to vary or disapply the provisions if they are deemed inappropriate for specific materials.
What are the wider implications of this order for practitioners handling healthcare litigation in the DIFC?
This case serves as a template for practitioners dealing with sensitive data in the DIFC. It demonstrates that the Court is highly receptive to bespoke confidentiality regimes that are grounded in both DIFC and UAE law. Litigants should anticipate that in any case involving medical or financial records, the Court will expect a proactive approach to defining "Authorised Persons" and establishing clear protocols for the handling of unredacted documents. Practitioners must ensure that all experts and e-disclosure providers are prepared to sign formal undertakings, as the Court will not permit access to sensitive information without such safeguards.
Where can I read the full judgment in Health Bay Investment v Dr. Kamal Akkach [2021] DIFC CFI 087?
The full text of the Agreed Confidentiality Club Order can be accessed via the DIFC Courts website: https://www.difccourts.ae/rules-decisions/judgments-orders/court-first-instance/cfi-087-2019-1-health-bay-investment-healthcare-enterprises-development-llc-2-anglo-arabian-healthcare-investments-sole-propriet
Cases referred to in this judgment:
| Case | Citation | How used |
|---|---|---|
| N/A | N/A | No specific case law precedents were cited in this procedural order. |
Legislation referenced:
- Dubai Law No. 26 of 2015
- Federal Law No. 2 of 2019 (Concerning the Use of the Information and Communications Technology in Health Fields)
- DIFC Data Protection Law
- Dubai Health Authority (DHA) Regulations
- RDC 2014 (Rules of the DIFC Courts)