Services A-Z     Pricing

Data protection law reform: A new direction?

Part One: Fixed and flexible ‘legitimate interests’

18 November 2021

In this blog series, we will review the key proposals for reform of data protection law within the Government’s consultation paper ‘Data: A New Direction’. We will consider how far the Government will stray from the current path and signpost some potential pitfalls and practicalities for consideration along the way.
 

We begin with the Government’s proposals for creating a ‘whitelist’ of legitimate interests which always provide a lawful basis for processing under the UK GDPR.

What is the ‘legitimate interests’ basis?

Article 6(1)(f) UK GDPR provides the most flexible lawful basis for processing and is available where processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (emphasis added).

A broad range of interests qualify as legitimate interests: ICO guidance clarifies that legitimate interests can be personal, attaching to a third party, commercial as well as wider societal benefits. The UK GDPR specifically mentions by way of examples processing client or employee data, marketing, fraud prevention and IT security.

To rely on the legitimate interests lawful basis a controller must satisfy itself of a three-stage test:

  1. Purpose test: does the processing pursue a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the data subject’s interests override the legitimate interest?

The balancing test requires organisations to weigh the legitimate interest against the data subject’s interest. Both compelling and trivial interests can be legitimate interests but are always subject to balancing; a more trivial interest will be more easily overridden by the data subject’s interests. If there is a particularly serious encroachment on privacy rights, for example the data subject has no reasonable expectation of the processing, the legitimate interest must be particularly compelling to tip the scales. For example, the UK GDPR mentions another possible legitimate interest as disclosing possible criminal acts or security threats to the authorities.

What does the consultation propose?

The Government argues that the ‘balancing’ stage of the three-stage test is unnecessarily complex and uncertain for organisations. As a result, they rely excessively and inappropriately on the ‘consent’ ground under Article 6, leading to concerns about widespread “consent fatigue” amongst data subjects.  The Government proposes a ‘whitelist’ of situations where the balancing test of legitimate interests is disapplied. The proposal is to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without having to balance data subjects’ interests. This proposed ‘whitelist’ includes:

  1. monitoring, detecting or correcting bias in relation to developing AI systems;
  2. audience measurement cookies or similar technologies designed to improve web pages;
  3. improving or reviewing system/network security;
  4. pseudonymisation or anonymisation;
  5. internal research and development or business innovation; and
  6. reporting criminal acts.

The new ‘whitelist’ would provide organisations with a relatively broadly framed basis for processing, albeit for fairly uncontroversial uses.

Disposing with the need for balancing, or for relying on ‘consent’ for these uses, would cut some red tape for businesses which may fit with the Government’s aim to realise a ‘Brexit dividend’ now it is no longer strictly bound by EU regulation. The consultation accepts that the ‘whitelist’ needs to be appropriately generic to “withstand the test of time.” The Government envisages incorporating powers to update the ‘whitelist’ through further regulations, which inevitably will need to be exercised given the limited examples so far on the ‘whitelist’.

Comment

The ICO is right to comment that the “devil will be in the detail” when it comes to the Government’s designs for legitimate interests. While many view the current ‘whitelist’ as unobjectionable, it is limited and proposals are at an early stage. It is crucial that any further uses for which the Government intends (effectively) to sanction pre-authorised processing, without a case-by-case balancing exercise against privacy rights, are well understood and scrutinised. This is especially given that the ‘whitelist’ will be updated by regulation and since the Government also envisages a “sufficiently generic” ‘whitelist’ that will endure.

Further thought also needs to be given to how disapplying the balancing test for ‘whitelist’ uses would interact with data subjects’ right to object to processing, including requiring organisations to reconsider their reliance on legitimate interests.

In developing this detail, the UK Government will be acutely conscious of the delicate line between cutting red tape and risking the European Commission’s recent adequacy decision in favour of the UK (which, if lost, would interrupt the free flow of data between the UK and EU). These proposals in particular do not sit comfortably with the principles underpinning the EU GDPR. It may be, then, that limiting the disapplication of the balancing test to just a few stipulated uses of data is the most sensible way forward, albeit this would also limit the anticipated benefits of these proposed changes.

Further Information

If you have any questions or concerns about the topics raised in this blog, please contact Nick De Mulder, or any member of our Public Law team.

 

Latest blogs & news

Top five takeaways from the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (the “DUAA”), which received Royal Assent on 19 June 2025, introduces targeted reforms to the UK data protection legal framework — particularly the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).

Requesting Medical Records after a death

Losing a loved one when you think it may be because they received poor medical care is incredibly stressful at a time when family and friends are grieving their loss.  Often, people want to see a written record of the final days of their loved one and what happened to them, or they might want to go through years of records to ascertain whether there was diagnosis that may have been missed, such as cancer.

Are personal details in asylum claims kept confidential? Protecting the privacy of asylum seekers and safeguarding confidentiality

Asylum seekers often find themselves in a vulnerable position, sharing sensitive and confidential information with the Home Office to support their asylum claims. Their cooperation is required to substantiate their claim and they rely on the understanding that this information will remain confidential and, most crucially, will not be shared with the authorities of their country of nationality.

The evolving challenge of data protection laws

Emily Carter explores anticipated developments in the realm of data protection.

The UK-US Data Bridge: A Shift in Transatlantic Data Sharing

On 12 October 2023, the UK-US Data Bridge (the “Data Bridge”) came into force, transforming the way both nations handle the flow of information across their borders. In this blog we explore the position before and after the introduction of the Data Bridge, looking at the key implications, benefits and challenges associated with the transatlantic data-sharing initiative.

Data Subject Access Requests: Should organisations expect the burden of responding to ease?

Emily Carter asks whether the proposed reforms within the  Data Protection and Digital Information (No. 2) Bill (‘the Bill’) are likely to simplify the challenges of responding to Data Subject Access Requests (‘DSARs’) or whether this is an area which is only going to get more complicated and time consuming.  

UK data protection reform: Some much needed clarity

After many months waiting for further clarity, Emily Carter outlines what we now know about the direction of data protection reform in the UK following publication of the Data Protection and Digital Information (no. 2) Bill.

After the Government’s consultation in September 2021 and publication of the Data Protection and Digital Information Bill in July 2022, the data reform process was paused last Autumn following the country’s change in prime minister to enable ministers to consider the legislation further. Since this time, with Michele Donelan appointed as the responsible secretary of state, there have been mixed messages with respect to how significant the further amendment to the draft bill would be. In her speech at the Conservative party conference in October, Donelan stated that the GDPR would be ‘replaced’ with a business and consumer friend data protection system, raising the prospect of an entirely new approach to data protection.

ICO regulatory update: The only constant is change Spring 2023

The Information Commissioner’s Office (ICO) regulates every organisation which deals with personal data and official data in the UK (and sometimes overseas). Its remit extends across the public and private sector, including multinationals, SMEs, public authorities and charities.

A new police approach is needed to tackle overwhelming delays to digital forensics

A damning report published by His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS) has found police forces to be “overwhelmed and ineffective” in relation to digital forensics. The HMICFRS found that there were more than 25,000 devices waiting to be examined – and this is without taking into account all the devices already in the system.

Data Protection reform: A new direction for charities?

Following the UK’s departure from the EU, the Government wishes to reform the data protection legislation within this country in order to ‘unlock the power of data.’ For charities, does this mean the painful prospect of reworking their existing GDPR compliance regime or the promise of a lighter regulatory load?

Data: A New Direction - Research, Re-use and Responsibility

High on the Government’s wish list for data protection reform is the reduction of legislative barriers to ‘responsible innovation,’ particularly within the field of scientific research. Due to perceived complexity and lack of clarity, it is feared that organisations either choose not to conduct research at all or rely on unnecessarily burdensome consent processes. This blog considers the likely impact of the Government’s ideas

Consultation on ICO Powers Shows the Breadth of the Regulator’s Powers

On 20 December 2021 the ICO launched a consultation seeking views on three documents, which together demonstrate its wide-ranging powers to undertake investigatory, regulatory and enforcement action.  

Data: A new direction - Access to personal data

In this blog series, we will review the key proposals for reform of data protection law within the Government’s consultation paper ‘Data: A New Direction’. We will consider how far the Government will stray from the current path and signpost some potential pitfalls and practicalities for consideration along the way

Data: A New Direction - Unleashing the transformational power AI?

In this blog series, we will review the key proposals for reform of data protection law within the Government’s consultation paper ‘Data: A New Direction’. We will consider how far the Government will stray from the current path and signpost some potential pitfalls and practicalities for consideration along the way.

Data protection law reform: A new direction?

In this blog series, we will review the key proposals for reform of data protection law within the Government’s consultation paper ‘Data: A New Direction’. We will consider how far the Government will stray from the current path and signpost some potential pitfalls and practicalities for consideration along the way.

We begin with the Government’s proposals for creating a ‘whitelist’ of legitimate interests which always provide a lawful basis for processing under the UK GDPR. 

The UK’s Data Protection Reform Consultation – Good News for Employers?

On 10 September 2021 the UK Government launched a Consultation on proposed changes to data protection law with the aim to “create a more pro-growth and pro-innovation data regime, whilst maintaining the UK’s world-leading data protection standards”. The proposals are designed to build on the UK’s existing data protection regime (contained in the General Data Protection Regulation (as it applies in the UK post-Brexit) (UK GDPR) and the Data Protection Act 2018).

What is Next for GDPR in the UK, is Change on the Horizon?

The General Data Protection Regulation (known to everyone as the GDPR) is probably the most famous piece of legislation to come from the EU. It was and is incredibly ambitious in its scope, and shapes the way we engage with organisations both online and in the real world. When the UK formally withdrew from the EU, GDPR became retained EU law and continued to apply as before. The government have recently announced that they want to reform data protection legislation, but substantial deregulation might be an unrealistic ambition.

ICO enforcement action – key considerations for charities in the GDPR era

It is now more than two years since the Data Protection Act 2018 and GDPR came into force, significantly increasing the enforcement powers of the Information Commissioner’s Office (ICO). With the passing of the Act, the ICO gained the power to issue fines amounting to millions of pounds and increased powers to bring criminal prosecutions against organisations who fail to comply with the data protection regime.

COVID-19 and contact tracing apps: A test of public confidence in data privacy?

Dominic Raab announced last week that the current UK lockdown would last for at least another three weeks. These restrictions are unlikely to be relaxed until a large scale plan is in place to track and restrict the spread of the virus. Part of this plan will involve the use of the NHS “contact tracing” app, which we have been told is in an advanced stage of development.

ICO enforcement – key considerations for businesses and organisations in 2020

On 23 May 2020, it will be two years since the Data Protection Act 2018 came in to force. The Act was brought in to compliment and supplement GDPR, and significantly increased the ICO’s enforcement powers. In the build-up to its commencement, there was a flurry of speculation about how these new powers would be used. We now look at the how the ICO has used its enforcements powers in 2019 and highlights key considerations for businesses and organisations in 2020.

Share insightLinkedIn X Facebook Email to a friend Print

Email this page to a friend

We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.

Leave a comment

Skip to content Home About Us Insights Services Contact Accessibility