Abu Dhabi has rolled out new regulations aimed at strengthening the protection of sensitive personal information within its jurisdiction, in particular for sectors such as insurance, education and other fields where handling such data is widespread. Introduced under the Abu Dhabi Global Market’s (ADGM) umbrella of the Data Protection Regulations 2021, the recently issued “Substantial Public Interest Conditions Rules 2025” seek to strike a balance between allowing necessary use of personal information and safeguarding vulnerable individuals.
Here’s what residents, businesses, and institutions need to know:
What the New Rules Enact
- Processing Without Consent in Certain Circumstances
Under the new rules, organisations may process certain categories of sensitive personal data without direct individual consent, but only when this is in substantial public interest. Examples include protecting children, persons at risk of harm, or other broadly defined vulnerable groups. This applies particularly in insurance and education. - Clearer Definitions Introduced
To avoid ambiguity, the rules define important terms such as “insurance contract,” “insurance purpose,” and the thresholds for what qualifies as “at-risk” individuals. This helps harmonize interpretation across institutions and ensures consistency in application. - Safeguards for Vulnerable Individuals
Specific guidelines are established on how data pertaining to “at risk” individuals—whether minors or adults—must be handled. These include limitations on data collection, usage, as well as requirements to ensure additional protections are in place to reduce the risk of misuse. - Balancing Use with Protection
While the rules allow certain flexibility in processing data in the public interest, they mandate responsible handling. Organisations must maintain accountability, transparency, and trust. The changes emphasize that using sensitive data without consent is only acceptable under strict criteria, and with robust oversight.
Sectors Most Affected
- Insurance: Companies in the insurance sector can now process sensitive personal data without consent in specific situations tied to public interest. For example, to assess risk, provide coverage, or perform duties associated with public welfare. However, such processing must align with the framework’s safeguards.
- Education: Schools and educational institutions must ensure that handling of sensitive data—such as health information, personal background of at-risk students, etc.—adheres to the revised definitions and protection methods. This ensures the welfare of minors or students who may be vulnerable.
Goals & Rationale Behind the Reforms
- Protecting the Vulnerable: One of the driving reasons is to ensure that those who are "at risk"—including children, people needing protection, or those in difficult circumstances—are shielded when their personal data is being handled by institutions.
- Regulatory Clarity: By clarifying definitions and obligations, the new rules reduce uncertainty for businesses and institutions, lowering the risk of inconsistent practices or legal exposure.
- Supporting Growth & Trust: As Abu Dhabi (and ADGM) expands, including into areas like Al Reem Island, having robust data protection is meant to build confidence among residents, investors, and businesses. Transparent rules help ensure that essential public services can function without compromising privacy rights.
What Organisations Need to Do
- Review and Update Data-Handling Policies: Insurance firms, schools, healthcare providers, and others must audit their existing protocols to ensure they align with the new definitions (e.g. “insurance purpose,” “at risk persons”) and handling criteria.
- Train Staff & Ensure Accountability: Staff responsible for collecting, processing, and storing sensitive data must understand the new thresholds for what requires consent vs what can be processed under public interest. Internal oversight should ensure compliance.
- Implement Additional Safeguards: Especially when dealing with at-risk individuals, organisations should limit unnecessary data collection, ensure secure storage, and enforce strict access controls.
- Transparency and Record-Keeping: Organisations must maintain clear records of when and why sensitive data is processed, particularly in cases without consent, and be transparent with affected individuals wherever possible.
Potential Challenges
- Ambiguity Around “Substantial Public Interest”: Even with definitions, institutions may find it difficult to determine in specific cases whether their use of data qualifies under public interest, or whether consent is still required. Misinterpretation could lead to legal risk.
- Balancing Efficiency versus Over-caution: Entities may feel constrained if they must always weigh compliance heavily, possibly slowing down operations. Finding the balance between operational necessity and privacy protection will be key.
- Costs of Compliance: Additional safeguards, oversight, and training may introduce costs—both administrative and technical—to ensure organisations meet the heightened standards.
What This Means for Residents & Individuals
- Individuals should expect stronger protections for personal data when dealing with institutions governed under ADGM. If your data is used without explicit consent, it should now be in compliance with very specific criteria.
- Vulnerable or at-risk individuals can expect that their data will be handled with extra care under the law.
- There may be more visibility into how institutions use their data—organisations may be required to be more transparent.
Broader Implications & Alignment with International Standards
The ADGM’s move aligns with global trends toward stronger data protection laws, particularly in jurisdictions aiming to follow frameworks similar to Europe’s GDPR. By clarifying rules, defining sensitive categories, and allowing lawful uses of data where consent is impractical but public interest is high, Abu Dhabi is positioning itself as a jurisdiction with both privacy and pragmatism.
These regulatory updates also complement the UAE’s broader Data Protection Law (Fifth-Federal Decree-Law No. 45 of 2021) as well as rules in other special zones and free zones, reinforcing the message that personal data protection remains high on the government’s regulatory agenda.
