1.4 Legitimate Interests
55. The UK has been a strong proponent of alternative lawful grounds to consent, recognising that there are a number of common scenarios where it may be appropriate to process personal data without seeking consent. This could be the case, for example, where it would be very difficult or inappropriate to seek the individual’s consent, or where a low risk processing activity is being undertaken without consent, but in line with an individual's expectations.

56. The UK GDPR requires that all personal data processing is lawful. Therefore, data controllers must identify a lawful ground under the UK GDPR before processing personal data. These lawful grounds are set out in Article 6, which is one of the cornerstones of the UK’s data protection legislation. Indeed, most data protection regimes set conditions for the legality of personal data processing. In particular, processing is permitted where:

a. It is based on the consent of the individual

b. It is necessary for the performance of a contract

c. It is necessary to comply with a legal requirement

d. It is necessary for the vital interests of an individual

e. It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (usually by a public authority)

f. It is necessary for the legitimate interest of a data controller where those interests are not outweighed by the data protection rights of individuals

57. Regulatory guidance in the UK is clear that no one lawful ground should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the UK GDPR.[11] From engagement with stakeholders, however, the government has found that 53% of those who thought that the UK GDPR is unclear stated that they spent a disproportionate amount of time working out the requirements of the UK GDPR and the Data Protection Act 2018.[12] Further, when asked which elements of UK GDPR could be clearer, 42% identified the lawful grounds that allow data processing.[13] The government considers that this uncertainty may have resulted in an over-reliance on consent. This may lower protections for individuals, who suffer from ‘consent-fatigue’ in the face of a large volume of consent requests which they might accept despite not having the time or resources to assess them properly.

58. The government has heard that one factor driving over-reliance on consent is uncertainty about when it is possible to rely on the lawful ground of legitimate interests under Article 6(1)(f) of the UK GDPR. The government is also aware that some data controllers in the business sector appear to have found using legitimate interests for lawful processing to be more complicated and risky than other grounds. When relying on legitimate interests as a lawful ground, the UK GDPR requires organisations to show that the processing is necessary and to document how their interests outweigh the rights of data subjects. Assessing whether the organisation’s interests outweigh the rights of individuals appears to cause the most uncertainty for data controllers. This is referred to as the balancing test and the ICO has issued guidance on how to complete this test using a Legitimate Interest Assessment.

[11] ICO guidance: Lawful basis for processing
[12] Ibid.
[13] DCMS, ‘UK Business Data Survey 2020 Summary Report’, May 2021

59. Ensuring appropriate use of lawful grounds is important so that organisations are empowered to use data responsibly for legitimate purposes and to provide the best outcomes to individuals. Other countries are innovating here; for example, Singapore has defined types of processing activity that would be regarded to be in the legitimate interests of the data controller, such as for investigation of proceedings, debt recovery, provision of personal and domestic services, and employment purposes. The government believes a similar approach may work well in the UK, whereby there is a definite list of processing activities that are not subject to the balancing test when relying on legitimate interests as a legal ground.

60. The government therefore proposes to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test, in order to give them more confidence to process personal data without unnecessary recourse to consent. The processing would still have to be necessary for the stated purposes and proportionate. For those activities not on the list, the balancing test would still be applied. The balancing test could also be maintained for use of children’s data, irrespective of whether the data was being processed in connection with an activity on the list. The government is mindful that Article 6(1)(f) of the UK GDPR recognises that particular care should be taken when data controllers are relying on the legitimate interests lawful ground to process data relating to children.

61. Any list would also need to be sufficiently generic to withstand the test of time, although the government envisages it could be updated via a regulation-making power. In that respect, the list would be similar to the approach in Section 8 of the Data Protection Act 2018 for the public tasks processing condition. For example, it could cover processing activities which are necessary for:

a. Reporting of criminal acts or safeguarding concerns to appropriate authorities

b. Delivering statutory public communications and public health and safety messages by non-public bodies

c. Monitoring, detecting or correcting bias in relation to developing AI systems (see section 1.5 for further details)

d. Using audience measurement cookies or similar technologies to improve web pages that are frequently visited by service users

e. Improving or reviewing an organisation’s system or network security

f. Improving the safety of a product or service that the organisation provides or delivers

g. De-identifying personal data through pseudonymisation or anonymisation to improve data security

h. Using personal data for internal research and development purposes, or business innovation purposes aimed at improving services for customers

i. Managing or maintaining a database to ensure that records of individuals are accurate and up to date, and to avoid unnecessary duplication

62. The government considers this approach could create a better balance between protecting individuals and not impeding responsible data use in these specific circumstances. Broader data protection principles and safeguards would also continue to apply where appropriate, including safeguards in relation to the processing of any sensitive data and data relating to children.

The government welcomes views on the following questions:

Q1.4.1. To what extent do you agree with the proposal to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test?

○ Strongly agree
○ Somewhat agree
○ Neither agree nor disagree
○ Somewhat disagree
○ Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Q1.4.2. To what extent do you agree with the suggested list of activities where the legitimate interests balancing test would not be required?

○ Strongly agree
○ Somewhat agree
○ Neither agree nor disagree
○ Somewhat disagree
○ Strongly disagree

Please explain your answer, indicating whether and why you would remove any activities listed above or add further activities to this list.

Q1.4.3. What, if any, additional safeguards do you think would need to be put in place?

Q1.4.4. To what extent do you agree that the legitimate interests balancing test should be maintained for children’s data, irrespective of whether the data is being processed for one of the listed activities?

○ Strongly agree
○ Somewhat agree
○ Neither agree nor disagree
○ Somewhat disagree
○ Strongly disagree

Please explain your answer, and provide supporting evidence where possible.