In this blog series, we will review the key proposals for reform of data protection law within the Government’s consultation paper ‘Data: A New Direction’. We will consider how far the Government will stray from the current path and signpost some potential pitfalls and practicalities for consideration along the way.
We begin with the Government’s proposals for creating a ‘whitelist’ of legitimate interests which always provide a lawful basis for processing under the UK GDPR.
What is the ‘legitimate interests’ basis?
Article 6(1)(f) UK GDPR provides the most flexible lawful basis for processing and is available where processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
A broad range of interests qualify as legitimate interests: ICO guidance clarifies that legitimate interests can be personal, attaching to a third party, commercial as well as wider societal benefits. The UK GDPR specifically mentions by way of examples processing client or employee data, marketing, fraud prevention and IT security.
To rely on the legitimate interests lawful basis a controller must satisfy itself of a three-stage test:
- Purpose test: does the processing pursue a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the data subject’s interests override the legitimate interest?
The balancing test requires organisations to weigh the legitimate interest against the data subject’s interests. Both compelling and trivial interests can be legitimate interests, but both are always subject to balancing; a more trivial interest will be more easily overridden by the data subject’s interests. If there is a particularly serious encroachment on privacy rights, for example where the data subject has no reasonable expectation of the processing, the legitimate interest must be particularly compelling to tip the scales. The UK GDPR gives, as an example of such a compelling interest, disclosing possible criminal acts or security threats to the authorities.
What does the consultation propose?
The Government argues that the ‘balancing’ stage of the three-stage test is unnecessarily complex and uncertain for organisations. As a result, organisations rely excessively and inappropriately on the ‘consent’ ground under Article 6, leading to concerns about widespread “consent fatigue” amongst data subjects. The Government proposes a ‘whitelist’ of situations where the balancing test of legitimate interests is disapplied. The proposal is to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without having to balance data subjects’ interests. This proposed ‘whitelist’ includes:
- monitoring, detecting or correcting bias in relation to developing AI systems;
- audience measurement cookies or similar technologies designed to improve web pages;
- improving or reviewing system/network security;
- pseudonymisation or anonymisation;
- internal research and development or business innovation; and
- reporting criminal acts.
The new ‘whitelist’ would provide organisations with a relatively broadly framed basis for processing, albeit for fairly uncontroversial uses.
Dispensing with the need for balancing, or for relying on ‘consent’ for these uses, would cut some red tape for businesses, which may fit with the Government’s aim to realise a ‘Brexit dividend’ now that it is no longer strictly bound by EU regulation. The consultation accepts that the ‘whitelist’ needs to be appropriately generic to “withstand the test of time.” The Government envisages incorporating powers to update the ‘whitelist’ through further regulations, which inevitably will need to be exercised given the limited examples so far on the ‘whitelist’.
The ICO is right to comment that the “devil will be in the detail” when it comes to the Government’s designs for legitimate interests. While many view the current ‘whitelist’ as unobjectionable, it is limited and the proposals are at an early stage. It is crucial that any further uses for which the Government intends (effectively) to sanction pre-authorised processing, without a case-by-case balancing exercise against privacy rights, are well understood and scrutinised. This is especially so given that the ‘whitelist’ will be updated by regulation and that the Government also envisages a “sufficiently generic” ‘whitelist’ that will endure.
Further thought also needs to be given to how disapplying the balancing test for ‘whitelist’ uses would interact with data subjects’ right to object to processing, which currently requires organisations to reconsider their reliance on legitimate interests.
In developing this detail, the UK Government will be acutely conscious of the delicate line between cutting red tape and risking the European Commission’s recent adequacy decision in favour of the UK (which, if lost, would interrupt the free flow of data between the UK and EU). These proposals in particular do not sit comfortably with the principles underpinning the EU GDPR. It may be, then, that limiting the disapplication of the balancing test to just a few stipulated uses of data is the most sensible way forward, albeit this would also limit the anticipated benefits of these proposed changes.