○ ○ ○
How you envisage clarifying the distinction between further processing and new processing What risks and benefits you envisage What limitations or safeguards should be considered
1.4 Legitimate Interests 55.
The UK has been a strong proponent of alternative lawful grounds to consent, recognising that there are a number of common scenarios where it may be appropriate to process personal data without seeking consent. This could be the case, for example, where it would be very difficult or inappropriate to seek the individual’s consent, or where a low risk processing activity is being undertaken without consent, but in line with an individual's expectations.
56.
The UK GDPR requires that all personal data processing is lawful. Therefore, data controllers must identify a lawful ground under the UK GDPR before processing personal data. These lawful grounds are set out in Article 6, which is one of the cornerstones of the UK’s data protection legislation. Indeed, most data protection regimes set conditions for the legality of personal data processing. In particular, processing is permitted where: a. It is based on the consent of the individual b. It is necessary for the performance of a contract c. It is necessary to comply with a legal requirement d. It is necessary for the vital interests of an individual e. It is necessary for the performance of a task carried out in the public interest task or the exercise of official authority (usually by a public authority) f.
It is necessary for the legitimate interest of a data controller where those interests are not outweighed by the data protection rights of individuals
57.
Regulatory guidance in the UK is clear that no one lawful ground should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the UK GDPR. 11 From engagement with stakeholders, however, the government has found that 53% of those who thought that the UK GDPR is unclear stated that they spent a disproportionate amount of time working out the requirements of the UK GDPR and the Data Protection Act 2018. 12 Further, when asked which elements of UK GDPR could be clearer, 42% identified the lawful grounds that allow data processing. 13 The government considers that this uncertainty may have resulted in an over-reliance on consent. This may lower protections for individuals, who suffer from ‘consent-fatigue’ in the face of a large volume of consent requests which they might accept despite not having the time or resources to assess them properly.
58.
The government has heard that one factor driving over-reliance on consent is uncertainty about when it is possible to rely on the lawful ground of legitimate interests under Article 6(1)(f) of the UK GDPR. The government is also aware that some data controllers in the business sector appear to have found using legitimate interests for lawful processing to be more complicated and
11
ICO guidance: Lawful basis for processing Ibid 13 DCMS, ‘UK Business Data Survey 2020 Summary Report’, May 2021 12
21
