The House of Lords yesterday passed an amendment to the Data Protection Bill which provides welcome clarity in relation to the legitimate interests condition for processing personal data. The amendment is an early Christmas present for universities and other public authorities with hybrid activities.
The General Data Protection Regulation states that public authorities cannot rely upon legitimate interests as a legal basis for processing where that processing is carried out by a public authority in “the performance of their tasks.”
While there is a separate legal basis for processing in that is necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller, the restriction on legitimate interests was problematic.
The legitimate interests condition is currently used by large numbers of organisations (including public authorities) as the legal basis for many processing activities.
The restriction in GDPR caused particular concern for organisations like universities and others with hybrid activities, particularly given that the UK Data Protection Bill states that an organisation will be a public authority for the purposes of GDPR where it is a public authority (or Scottish public authority) for the purposes of the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002.
For example, a commercial entity that is owned by a local authority or other public body is subject to FOI laws. However, it is unlikely to be carrying out tasks in the public interest. Similarly, universities are subject to FOI laws, but it is difficult to argue that activities such as alumni fundraising or commercial activities are “tasks in the public interest.”
Amendment to the Data Protection Bill
The amendment to the Data Protection Bill resolves this by making clear that the restriction on using legitimate interests is limited. It does this by saying that an organisation will only be a public authority “when performing a task carried out in the public interest or in the exercise of official authority vested in it.”
Organisations subject to FOI laws will therefore still be able to rely upon legitimate interests where the activity in question is not a task carried out in the public interest or pursuant to that organisation’s official authority.
What about reliance on consent?
The amendment also has (positive) consequences in relation to the reliance by such organisations on consent as a legal basis for processing.
Recital 43 of GDPR states that is “unlikely” that consent can be freely given where the controller is a public authority. Given the way the amendment is drafted, that general presumption will apply only where the organisation is performing tasks in the public interest or exercising official functions.
However, organisations should remember that the overarching principle that consent must be freely given continues to apply. Any reliance on consent should therefore be considered carefully. Our handy guide to consent explains this in more detail.
Organisations will still need to understand and record the relevant legal basis for their data processing activities (which means that they will need to identify what activities are carried out in the public interest or derived from official powers). For example, reliance on legitimate interests needs to be explained in an organisation’s privacy notice, and gives rise to certain other rights.
It is therefore important that organisations know which legal basis applies to which processing activities and record that in their register of data processing activities.
We will be updating our handy guide to the GDPR for public authorities to reflect this amendment.