26 September 2022
September - The UK's Data Protection and Digital Information Bill – 3 of 6 Publications
One of the most fundamental requirements of GDPR compliance is also one of its most challenging aspects: the need to have a lawful basis for all personal data processing. As personal data becomes the most powerful tool for many businesses, the instinct to use it in varied and innovative ways must always be tempered by the need to demonstrate a legal right to make use of data. While individuals are often under the impression that the handling of personal data requires consent, consent has its drawbacks, crucially the constant risk that it will be revoked. As a result, many organisations have come to rely heavily on other legal bases to process personal data, in particular the ‘legitimate interests’ basis found at Article 6(1)(f) of the UK GDPR.
The right to process personal data, where doing so is in the legitimate interests of the data controller or a third party, pre-dates the GDPR and its subsequent absorption into UK law as the UK GDPR. Under the Data Protection Act 1998, as now, the legitimate interests in favour of processing had to be weighed against the risk of prejudice to the rights, freedoms and legitimate interests of the data subject. In its more recent incarnation, the UK GDPR, special attention is drawn to the rights of children, implying a need to weigh their interests carefully, if not more heavily than those of adults.
Despite the caveats, the legitimate interests basis is the most flexible and widely used basis for processing personal data. However, the government has identified the work necessary to rely on legitimate interests as being overly burdensome for business. As a result, Section 5 of the Data Protection and Digital Information Bill (DPDI Bill) creates a list of processing scenarios (set out in Schedule 1 to the Bill which, if the Bill passes, will become Annex 1 to the UK GDPR) that will be deemed automatically to meet the requirements of the legitimate interests basis.
To properly assess the appropriateness of the legitimate interests basis for data processing, controllers must ordinarily carry out a balancing assessment (a “legitimate interests assessment” or LIA) to ensure that the reason for the processing really is legitimate, that the processing is not overly disadvantageous to data subjects, and that it is truly necessary to meet the legitimate purpose.
Schedule 1 of the DPDI Bill identifies the following purposes as fulfilling the legitimate interests basis:
The list is likely to disappoint many businesses and other private sector organisations, as it is narrower than was expected following the government consultation that preceded the Bill. Most of the approved purposes are likely to solely or primarily benefit the public sector.
Some organisations may find the inclusion of crime detection, investigation and prevention helpful for fraud prevention activities, but limited processing for such purposes is already fairly easy to carry out without the new provision, and more extensive efforts will still be subject to an assessment of their reasonableness and proportionality. An employer will not, for example, be able to claim extensive or intrusive surveillance of staff is necessary simply because crime prevention is included in the list of pre-approved processing activities to qualify as a legitimate interest.
The inclusion of processing necessary for “democratic engagement” is notable for being presented with rather more detail than other processing purposes. This entry to the list will allow elected politicians and candidates for office (and individuals working for them) to process personal data of those aged 14 and above (many of whom will not be able to vote for some years) in connection with a vote or election campaign. While there are strong arguments in favour of ensuring that privacy laws do not impede the democratic process, the government is vulnerable to criticism for making it easier for politicians to handle personal data, without giving similar consideration or weight to the arguments of and challenges faced by business, charities and other organisations.
Until the government or the Information Commissioner’s Office produces further guidance setting out how much – or how little – assessment is required to rely on the list of pre-approved legitimate interests processing purposes, it is not clear whether its creation will make any practical difference to most data controllers.
Aside from the need for guidance, it should also be noted that the list is not necessarily exhaustive. The Secretary of State for Digital, Culture, Media & Sport is granted the power to amend or add to it with secondary legislation, so it is possible that further processing purposes will be added in future.
Although Section 5 and Schedule 1 of the Bill seek to make life easier for controllers by creating approved legitimate interest purposes, Section 6(3) creates a new UK GDPR Article 8A which places a new burden on controllers seeking to process personal data for a purpose different to that for which it was originally collected.
The recitals to the UK GDPR state that a new legal basis is not required where secondary processing activities are compatible with the original purpose. However, the DPDI Bill, as drafted, requires the establishment of a valid legal basis for the new processing by the controller, unless an exemption applies or the new purpose is automatically deemed compatible. An assessment of compatibility and a new legitimate interest assessment will probably be required. When assessing compatibility, a controller must consider:
Just as Schedule 1 creates a default list of legitimate interests purposes, Schedule 2 (which will become Annex 2 to the UK GDPR) contains a list of processing purposes which will automatically be treated as compatible with the original processing purposes. In addition to processing for scientific and historical research, archiving, and statistical purposes, which are already deemed automatically compatible under the UK GDPR, there are a number of additional purposes. The Secretary of State will also have powers to add to or amend the new Annex 2. The new compatible purposes contained in the Bill are:
If the secondary processing is for one of these purposes it will be deemed “compatible” with the original processing, for which the data was first gathered, and the controller will not have to assess its compatibility.
Although the DPDI Bill offers a number of changes to the approach to managing lawful basis, legitimate interests and compatible processing, any significant change in processing activity is likely to attract the attention of a diligent Data Protection Officer or privacy leader within an organisation. Privacy notices will still need updating, as will records of processing (subject to the changes proposed for those) and in many cases risk assessments of some sort will still be essential to determine the necessity of the processing to meet the controller’s purpose (whether original or new but compatible).
Since many controllers will wish to adopt the same practices in the UK and EU, it seems likely that controllers will continue to make thorough legitimate interests assessments even where the purpose falls within a category listed in the new UK GDPR Annex 1. However, controllers will also have to decide whether to adopt a more stringent approach in respect of compatible secondary processing by identifying a legal basis for the processing across the EEA – even though this will only be required in the UK.
Without clear guidance from the government or the ICO around what compliance activities are needed and when they are required, the changes discussed above are likely to add to the confusion experienced by many data controllers, rather than do anything to alleviate the burden on business as the government has sought to do.
Jo Joyce looks at legitimate interests and purpose limitation provisions in the Data Protection and Digital Information Bill.
26 September 2022
by Jo Joyce