Recognised legitimate interests: a new lawful basis
This is the fourth update in our series on how the Government’s proposed Data Protection and Digital Information (No. 2) Bill (the Bill) would affect data controllers. This post will focus on a new lawful basis: the recognised legitimate interest.
The new basis would apply where:
‘processing is necessary for the purposes of a recognised legitimate interest’
While this new lawful basis uses the familiar language of a ‘legitimate interest’, it is separate from the existing legitimate interest basis.
The existing legitimate interest basis requires a controller to assess whether a given interest in processing personal data is ‘legitimate’ based on an assessment of the purpose and necessity of the processing, then balancing whether an individual’s interests override the legitimate interest of the controller. By contrast, the ‘recognised legitimate interest’ is limited to the six specified interests listed below.
Further, the recognised legitimate interest basis does not require the controller to balance the interest being pursued against the rights and interests of the data subjects. This is another divergence from the existing legitimate interest basis, which only applies if the legitimate interest is not outweighed by the rights and interests of the data subject. The Government’s response to the consultation ahead of the Bill suggested that organisations’ concerns about whether they were doing the balancing test correctly were deterring some organisations from relying on legitimate interests, which ‘could lead to inappropriate reliance on consent’. The introduction of recognised legitimate interests is likely a move to alleviate those concerns.
One way that the current legitimate interest basis is similar to the recognised legitimate interest basis is that neither can be relied upon by a public authority in the performance of its public tasks.
We will examine each recognised legitimate interest in turn:
1. Disclosure for purposes of processing described in Article 6(1)(e) (the public task basis)
This recognised legitimate interest makes it easier for private organisations to share data that is requested by organisations that are carrying out public tasks. For example, if a public authority requests data from a private organisation and tells that organisation that the information is necessary for the performance of that authority’s public tasks, then the private organisation will be able to rely on this recognised legitimate interest as a basis for disclosing that data to the public authority.
Currently, an organisation receiving such a request may not have a clear lawful basis to rely on in this situation. The organisation may feel that disclosing the data without a clear lawful basis puts it at risk of breaching the UK GDPR, and therefore the safer course would be to avoid that risk by refusing to disclose the data. This recognised legitimate interest will spare an organisation from being put in that tough situation. The organisation would still have to consider the purpose limitation, but as we touched on in our second post in this series, the Bill seeks to make this more straightforward as well.
2. National security, public security, and defence
Because the new recognised legitimate interest basis is not designed to be used by public authorities, there are some interesting questions about the circumstances in which private sector and third sector organisations might want to rely on this recognised legitimate interest. Organisations in the defence industry may well want to rely on this basis, but the reference to public security means this might be relevant to a wider range of organisations as well. For example, it may be relevant for private organisations involved in surveillance of public places, such as shopping centres, sports stadiums, or cultural venues.
3. Emergencies
This is a narrower recognised legitimate interest that will only apply where the processing is necessary for responding to an emergency, as defined in the Civil Contingencies Act 2004. This provision is aimed at serious national or regional emergencies.
4. Detecting, investigating, or preventing crime, or apprehending or prosecuting offenders
The intention of this recognised legitimate interest is presumably to make it more straightforward for private organisations to establish a lawful basis for sharing data with the police or adopting their own crime-prevention measures, such as operating CCTV systems.
5. Safeguarding vulnerable individuals
The language used in the Bill here mirrors language found elsewhere in the Data Protection Act 2018 regarding the use of special category data when safeguarding vulnerable people. When private organisations are involved in safeguarding work, this recognised legitimate interest will generally make it simpler for them to record and share data for safeguarding purposes. In particular, it will be helpful in situations where safeguarding a vulnerable person involves sharing data about other people. For example, a charity sharing data to safeguard a child would no longer need to weigh that safeguarding objective against the privacy interests of the child’s carers.
6. Democratic engagement
This basis will only be available where the data subject is aged 14 or over. Again, this recognised legitimate interest is quite niche, as it would only be available to certain categories of data controllers, notably political parties, elected representatives, and candidates for election. However, the term ‘democratic engagement’ is defined broadly, and the intention seems to be to enable those categories of controllers to use data more freely to analyse their electorate and target political messages.
It is also important to note the clarification the new Bill gives to the existing legitimate interest basis. The Bill gives some examples of what will be considered a legitimate interest, although this is not an exhaustive list. The examples include processing for direct marketing, intra-group transmission of personal data for internal administrative purposes, and ensuring the security of networks and information systems. The balancing act of weighing up the controller’s interests against those of the data subject will still apply.
- The new lawful basis of recognised legitimate interests is aimed at a limited set of situations, but in those situations, the Bill will make it easier to establish a lawful basis for processing. As the controller would not need to balance their interests against those of the data subject, it will be harder for data subjects to challenge the controller’s decisions in those situations.
- The recognised legitimate interest basis still requires the controller to show that the processing is ‘necessary’ for the recognised legitimate interest. We may see attention shifting from the balancing test to the test of whether the processing is necessary.
- The Bill enables the Secretary of State to create more recognised legitimate interests, so we may see an expansion of the list in the future.