Data protection law reform: A new direction?

Part 1: Fixed and flexible ‘legitimate interests’

18 November 2021

In this blog series, we will review the key proposals for reform of data protection law within the Government’s consultation paper ‘Data: A New Direction’. We will consider how far the Government will stray from the current path and signpost some potential pitfalls and practicalities for consideration along the way.

We begin with the Government’s proposals for creating a ‘whitelist’ of legitimate interests which always provide a lawful basis for processing under the UK GDPR.

What is the ‘legitimate interests’ basis?

Article 6(1)(f) UK GDPR provides the most flexible lawful basis for processing. It is available where processing is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject".

A broad range of interests qualify as legitimate interests: ICO guidance clarifies that a legitimate interest can be the controller’s own interest, the interest of a third party, a commercial interest or a wider societal benefit. The UK GDPR itself gives as examples processing client or employee data, marketing, fraud prevention and IT security.

To rely on the legitimate interests lawful basis a controller must satisfy itself of a three-stage test:

  1. Purpose test: does the processing pursue a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the data subject’s interests override the legitimate interest?

The balancing test requires organisations to weigh the legitimate interest against the data subject’s interests. Both compelling and trivial interests can be legitimate interests, but both are always subject to balancing; a more trivial interest will be more easily overridden by the data subject’s interests. If there is a particularly serious encroachment on privacy rights, for example where the data subject has no reasonable expectation of the processing, the legitimate interest must be particularly compelling to tip the scales. The UK GDPR mentions, as one further example of a possible legitimate interest, disclosing possible criminal acts or security threats to the authorities.

What does the consultation propose?

The Government argues that the ‘balancing’ stage of the three-stage test is unnecessarily complex and uncertain for organisations. As a result, organisations rely excessively and inappropriately on the ‘consent’ ground under Article 6, leading to concerns about widespread “consent fatigue” amongst data subjects. The Government proposes a ‘whitelist’ of situations in which the balancing test is disapplied: a limited, exhaustive list of legitimate interests for which organisations can use personal data without having to balance data subjects’ interests. The proposed ‘whitelist’ includes:

  1. monitoring, detecting or correcting bias in relation to developing AI systems;
  2. audience measurement cookies or similar technologies designed to improve web pages;
  3. improving or reviewing system/network security;
  4. pseudonymisation or anonymisation;
  5. internal research and development or business innovation; and
  6. reporting criminal acts.

The new ‘whitelist’ would provide organisations with a relatively broadly framed basis for processing, albeit for fairly uncontroversial uses.

Dispensing with the need for balancing, or for relying on ‘consent’, for these uses would cut some red tape for businesses, which may fit with the Government’s aim to realise a ‘Brexit dividend’ now that the UK is no longer strictly bound by EU regulation. The consultation accepts that the ‘whitelist’ needs to be appropriately generic to “withstand the test of time.” The Government envisages incorporating powers to update the ‘whitelist’ through further regulations, which will inevitably need to be exercised given the limited examples so far on the ‘whitelist’.

The ICO is right to comment that the “devil will be in the detail” when it comes to the Government’s designs for legitimate interests. While many view the current ‘whitelist’ as unobjectionable, it is limited and the proposals are at an early stage. It is crucial that any further uses for which the Government intends (effectively) to sanction pre-authorised processing, without a case-by-case balancing exercise against privacy rights, are well understood and scrutinised. This is especially so given that the ‘whitelist’ will be updated by regulation and that the Government also envisages a “sufficiently generic” ‘whitelist’ that will endure.

Further thought also needs to be given to how disapplying the balancing test for ‘whitelist’ uses would interact with data subjects’ right to object to processing, including requiring organisations to reconsider their reliance on legitimate interests.

In developing this detail, the UK Government will be acutely conscious of the delicate line between cutting red tape and risking the European Commission’s recent adequacy decision in favour of the UK (which, if lost, would interrupt the free flow of data between the UK and EU). These proposals in particular do not sit comfortably with the principles underpinning the EU GDPR. It may be, then, that limiting the disapplication of the balancing test to just a few stipulated uses of data is the most sensible way forward, albeit this would also limit the anticipated benefits of these proposed changes.

Further Information

If you have any questions or concerns about the topics raised in this blog, please contact Nick De Mulder, or any member of our Public Law team.
About the Author

Nick De Mulder is an Associate in Kingsley Napley’s Public Law team advising on public law, information law and business and human rights. He acts for a range of clients at Kingsley Napley including individuals, charities, public bodies and businesses.

Nick has been instructed on a variety of information law matters. He assists clients of the criminal and regulatory defence teams with information law advice connected to criminal and regulatory cases. He advises on GDPR and Data Protection Act compliance and on subject access requests (SARs); he has experience of advising on complex SARs connected to law enforcement and safeguarding.