- within Privacy topic(s)
- with Inhouse Counsel
- in United States
- with readers working within the Media & Information industries
The Abu Dhabi Global Market (ADGM) recently introduced the Data Protection (Substantial Public Interest Conditions) Rules (the "Rules") to clarify the conditions under which organizations may process special categories of personal data, such as health, biometric, or genetic information, without consent, provided it serves a substantial public interest.
The Rules focus on two key areas: insurance and safeguarding children and vulnerable individuals.
In the following sections, we will break down these two areas in detail and illustrate how the Rules apply through practical examples. This approach will highlight not only the legal framework but also how it operates in real-life situations where balancing data protection and public interest becomes essential.
Insurance
The Rules permit the use of sensitive personal data when it is necessary for insurance purposes, such as arranging or administering contracts, underwriting, handling claims, or meeting legal obligations. However, this is only allowed under strict safeguards. If the data processing does not directly concern the individual, the insurer must demonstrate that obtaining consent was not reasonably possible and that the individual has not actively withheld consent. Simply failing to respond to a consent request does not count as refusal.
To illustrate this, imagine a person is injured in a car accident and unconscious in the hospital. To process their medical bills and manage their insurance claim, the insurer may need access to health and hospital records. Normally, such data would be strictly off-limits without consent. But in this situation, waiting for consent could delay vital financial and legal protections.
This ensures insurance companies can act swiftly in urgent, sometimes life-altering cases, while preventing misuse of data where consent could reasonably be sought.
Safeguarding Children and Individuals at Risk
The Rules also allow the use of sensitive personal data to protect vulnerable people, such as children under 18 or adults who are considered at risk because they need care or support, face harm, and cannot protect themselves. In these situations, consent is not required if the person cannot give it, if it would be unreasonable to expect it, or if asking for it would put the individual's safety or well-being at greater risk.
Picture a teacher who suspects a child is being neglected at home. Reporting the case may require sharing sensitive details about the child's health or family circumstances with child protection authorities. Asking for the parents' consent would not only be unreasonable, but could actively endanger the child.
Similarly, an elderly person with dementia who depends on caregivers may be at risk of financial exploitation. In such cases, processing personal data, such as medical or financial records, may be necessary to safeguard their well-being, even though the person cannot meaningfully consent.
By setting out strict conditions and definitions, ADGM ensures that the exception of processing sensitive data without consent cannot be abused. The message is clear: personal privacy remains the rule, but in cases where lives, livelihoods, or well-being are at stake, public interest must take precedence.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
