One of the most fundamental requirements of GDPR compliance is also one of its most challenging aspects: the need to have a lawful basis for all personal data processing. As personal data becomes the most powerful tool for many businesses, the instinct to use it in varied and innovative ways must always be tempered by the need to demonstrate a legal right to make use of data. While individuals are often under the impression that the handling of personal data requires consent, consent has its drawbacks, crucially the constant risk that it will be revoked. As a result, many organisations have come to rely heavily on other legal bases to process personal data, in particular the ‘legitimate interests’ basis found at Article 6(1)(f) of the UK GDPR.
The right to process personal data, where doing so is in the legitimate interests of the data controller or a third party, pre-dates the GDPR and its subsequent absorption into UK law as the UK GDPR. Under the Data Protection Act 1998, as now, the legitimate interests in favour of processing had to be weighed against the risk of prejudice to the rights, freedoms and legitimate interests of the data subject. In its more recent incarnation, the UK GDPR, special attention is drawn to the rights of children, implying a need to weigh their interests at least as carefully as, if not more heavily than, those of adults.
Despite the caveats, the legitimate interests basis is the most flexible and widely used basis for processing personal data. However, the government has identified the work necessary to rely on legitimate interests as being overly burdensome for business. As a result, Section 5 of the Data Protection and Digital Information Bill (DPDI Bill) creates a list of processing scenarios (set out in Schedule 1 to the Bill which, if the Bill passes, will become Annex 1 to the UK GDPR) that will be deemed automatically to meet the requirements of the legitimate interests basis.
Balancing acts – whose interests win?
To properly assess the appropriateness of the legitimate interests basis for data processing, controllers must ordinarily carry out a balancing assessment (a “legitimate interests assessment” or LIA) to ensure that the reason for the processing really is legitimate, that the processing is not overly disadvantageous to data subjects and that it is truly necessary to meet the legitimate purpose.
Schedule 1 of the DPDI Bill identifies the following purposes as fulfilling the legitimate interests basis:
- processing personal data for the purpose of detecting, investigating, or preventing crime
- safeguarding national security, protecting public security and defence purposes
- responding to emergencies
- safeguarding vulnerable individuals
- disclosures to people carrying out tasks in the public interest, and
- processing necessary for the purposes of “democratic engagement”.
The list is likely to disappoint many businesses and other private sector organisations, as it is narrower than was expected following the government consultation that preceded the Bill. Most of the approved purposes are likely to solely or primarily benefit the public sector.
Some organisations may find the inclusion of crime detection, investigation and prevention helpful for fraud prevention activities, but limited processing for such purposes is already fairly easy to carry out without the new provision, and more extensive efforts will still be subject to an assessment of their reasonableness and proportionality. An employer will not, for example, be able to claim that extensive or intrusive surveillance of staff is necessary simply because crime prevention is included in the list of processing activities pre-approved as qualifying as a legitimate interest.
The inclusion of processing necessary for “democratic engagement” is notable for being presented with rather more detail than the other processing purposes. This entry in the list will allow elected politicians and candidates for office (and individuals working for them) to process personal data of those aged 14 and above (many of whom will not be able to vote for some years) in connection with a vote or election campaign. While there are strong arguments in favour of ensuring that privacy laws do not impede the democratic process, the government is vulnerable to criticism for making it easier for politicians to handle personal data without giving similar consideration or weight to the arguments of, and challenges faced by, business, charities and other organisations.
Until the government or the Information Commissioner’s Office produces further guidance setting out how much – or how little – assessment is required to rely on the list of pre-approved legitimate interests processing purposes, it is not clear whether its creation will make any practical difference to most data controllers.
Aside from the need for guidance, it should also be noted that the list is not necessarily exhaustive. The Secretary of State for Digital, Culture, Media & Sport is granted the power to amend or add to it with secondary legislation, so it is possible that further processing purposes will be added in future.
Second time lucky – compatibility with an original purpose
Although Section 5 and Schedule 1 of the Bill seek to make life easier for controllers by creating approved legitimate interest purposes, Section 6(3) creates a new UK GDPR Article 8A which places a new burden on controllers seeking to process personal data for a purpose different to that for which it was originally collected.
The recitals to the UK GDPR state that a new legal basis is not required where secondary processing activities are compatible with the original purpose. However, the DPDI Bill, as drafted, requires the controller to establish a valid legal basis for the new processing unless an exemption applies or the new purpose is automatically deemed compatible. An assessment of compatibility and a new legitimate interests assessment will probably be required. When assessing compatibility, a controller must consider:
- any link between the original purpose and the new purpose;
- the context in which the personal data was collected, including the relationship between the data subject and the controller;
- the nature of the personal data, including whether it is a special category of personal data or relates to criminal convictions and offences;
- the possible consequences of the intended processing for data subjects; and
- the existence of appropriate safeguards (for example, encryption or pseudonymisation).
Just as Schedule 1 creates a default list of legitimate interests purposes, Schedule 2 (which will become Annex 2 to the UK GDPR) contains a list of processing purposes which will automatically be treated as compatible with the original processing purposes. In addition to processing for scientific and historical research, archiving, and statistical purposes, which are already deemed automatically compatible under the UK GDPR, there are a number of additional purposes. The Secretary of State will also have powers to add to or amend the new Annex 2. The new compatible purposes contained in the Bill are:
- processing personal data for the purpose of detecting, investigating, or preventing crime or apprehending offenders
- protecting public security
- responding to emergencies
- safeguarding vulnerable individuals
- disclosures to people carrying out tasks in the public interest
- protecting the vital interests of an individual
- the assessment or collection of tax, and
- compliance with legal obligations.
If the secondary processing is for one of these purposes, it will be deemed “compatible” with the original processing for which the data was first gathered, and the controller will not have to assess its compatibility.
Although the DPDI Bill offers a number of changes to the approach to managing lawful basis, legitimate interests and compatible processing, any significant change in processing activity is likely to attract the attention of a diligent Data Protection Officer or privacy leader within an organisation. Privacy notices will still need updating, as will records of processing (subject to the changes proposed for those) and in many cases risk assessments of some sort will still be essential to determine the necessity of the processing to meet the controller’s purpose (whether original or new but compatible).
Since many controllers will wish to adopt the same practices in the UK and EU, it seems likely that controllers will continue to make thorough legitimate interests assessments even where the purpose falls within a category listed in the new UK GDPR Annex 1. However, controllers will also have to decide whether to adopt a more stringent approach in respect of compatible secondary processing by identifying a legal basis for the processing across the EEA – even though this will only be required in the UK.
Without clear guidance from the government or the ICO around what compliance activities are needed and when they are required, the changes discussed above are likely to add to the confusion experienced by many data controllers, rather than do anything to alleviate the burden on business as the government has sought to do.