The Government proposes that the “Legitimate Interests” balancing test between controller and data subject in A.6(1)(f) is changed so that the controller’s legitimate interests always prevail in a limited number of pre-defined circumstances.
As far as I can see, this proposal is based on a false data protection analysis and illustrated by examples that show that no change is needed.
If the controller’s legitimate interests always prevail, it follows that the data subject’s right to object to the processing and other related rights are also negated. The impact of these negated rights is missing from the DCMS analysis.
In short, if enacted, this proposal will take away rights of those data subjects who could face substantial distress by the processing of their personal data. The proposals are found in section 1.4 of the DCMS Consultation document (“Data: a new direction”).
How the “balance of interests” works
The balance of interests test found in Article 6(1)(f) of the UK_GDPR states that personal data can be lawfully processed when the ...
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject….” (my emphasis).
There are four important observations about Article 6(1)(f):
- the legitimate interest lawful basis is a “safety net” lawful basis for the controller/third party if the processing cannot be justified in terms of any other lawful basis (e.g. necessary for a contract with the data subject, legal obligation, public interest task).
- the legitimate interest of the controller/third party cannot be an interest that causes significant detriment to the data subject’s interests (as the data subject’s interests will override those of the controller). The controller/third party interest thus has to be an uncontroversial interest which any data subject can see as being legitimate and reasonable (e.g. profitability, efficiency of the controller).
- the legitimate interest of the controller/third party does not negate the interests of the data subject in preserving his/her privacy, data protection rights and does not cause, for example, unwarranted distress to the data subject.
- the processing of personal data has to be necessary to pursue that legitimate interest (i.e. the processing cannot be excessive in achieving that legitimate objective; any processing has to be proportionate).
Note that the controller’s legitimate interests have to be overridden by the interests of the data subject if the data subject’s interests are to prevail. So one can see that the balance of interests is initially tipped in favour of the controller.
It follows that if the controller’s interests are not overridden then the processing is lawful. More importantly, if there is no impact on, or significant detriment to, the data subject, the processing by the controller can also occur lawfully.
Secondly, use of this lawful basis requires that the “fundamental rights and freedoms of the data subject” be protected. This is achieved by complying with the UK_GDPR. For example, the controller/third party:
- establishes procedures that deal with data subject’s rights;
- complies with the Principles (data minimisation, accuracy, purpose limitation, retention and security); and
- is transparent, accountable and meets other obligations (e.g. DPIA if required).
The real problem when using this lawful basis arises because the controller is not in a position to recognise all the relevant “interests” of the data subject. The controller can have a good guess at what these interests are, but in general, the controller cannot identify the specific circumstances, unique to the data subject, that are likely to cause unwarranted distress to the data subject, etc., as only the data subject knows what these are.
This explains why the right to object in A.21 is so important.
Adding the right to object
The right to object in A.21 allows each data subject to inform the controller of grounds relating to his/her specific circumstances (which the controller is not in the position to identify). The objective is for the controller to repeat the balancing test for this specific data subject when given this new information. If the revised balance is in favour of the data subject, then the processing ceases for that specific data subject.
For example, suppose a controller is placing details of employees on the intranet to facilitate efficient contact at work (the controller’s legitimate interest). Suppose further a particular employee has a security problem that emerges following the intranet posting (e.g. a woman has escaped from a violent relationship).
That woman could exercise the right to object to the processing and get her details (and only her details) removed from the employer’s intranet site (e.g. as she does not want friends of her abuser who work for the employer to tip off the abuser).
Other rights (A.18 and A.19) augment the right to object (A.21). None of these rights features in the Consultation’s analysis, yet as explained above they are central to the legitimate interests test.
Other issues with the DCMS analysis
The Consultation states that many controllers have found the balancing test difficult to perform; it reports that:
“When relying on legitimate interests as a lawful ground, the UK_GDPR requires organisations to show that the processing is necessary and to document how their interests outweigh the rights of data subjects. Assessing whether the organisation’s interests outweigh the rights of individuals appears to cause the most uncertainty for data controllers” (para 58; my emphasis)
Note that the above quote assumes the controller’s interests have to outweigh the data subject’s whereas the lawful basis itself is founded on the reverse assumption (i.e. the data subject’s interests have to outweigh the controller’s).
Additionally, the Consultation does not mention that the same balancing test was incorporated into the First Data Protection Principle of the DPA1998; hence the Consultation is reporting difficulties that, presumably, have been encountered by these controllers for at least two decades.
What do you think would happen if a driver was stopped by the police for going through a red traffic light, and explained the error as follows: “Do you know what? I have had difficulty with this part of the Highway Code for 23 years now; the Code must be wrong”.
Yet the Government is basing its proposals on comments like this from controllers. This just adds to my view that the DCMS analysis in this area is incomplete and that the product of this analysis is suspect.
Examples of the new approach
The Consultation suggests several examples where the legitimate interests of the controller will always prevail (paragraph 61).
Several of these examples do not have any measurable impact on the data subject so it follows that the legitimate interests of the controller would prevail without any change in the law (e.g. when correcting bias in AI systems, enhancing security perhaps by using pseudonymised personal data, making personal data anonymous, improving services or safety of a product, business innovation, efficiency).
Other examples listed are better justified using lawful bases other than Article 6(1)(f) (e.g. disclosures of personal data to third party authorities; statutory public consultation, delivery of statutory notices, public health messages).
Even if Article 6(1)(f) did apply to disclosure to an authority, the third party’s legitimate interest would inevitably prevail. For instance, what would you think if the data subject said: “the police should not have received the personal data because my interests in not being apprehended for a crime outweigh the police’s interests in pursuing an investigation?”.
One example is a requirement of the Accuracy Principle (e.g. maintaining accuracy of a database) – so I am ignoring it.
However, a few examples listed (e.g. “business innovation”, “improving” service delivery) could be interpreted as straying into a marketing or market research purpose. If such straying occurred, then the right to object to marketing, whether data subject consent for the marketing purpose is required, and transparency obligations would become data subject “rights and freedoms” that would have to be addressed prior to relying on A.6(1)(f).
However, I am concerned that some respondents will read these elements of the Government’s list as including marketing-type initiatives and will respond enthusiastically in favour of them, especially as the data subject's right to object is negated.
This uncertainty adds to the unreliability of the evidence collected in support of the proposals in Section 1.4 of the Consultation.
Singaporean Model (debt recovery)
It appears the Government might emulate Singaporean DP law to say that debt recovery is always in the legitimate interest of the controller. This allows me to show why this could cause severe problems for a few data subjects.
Suppose someone “does a runner” and fails to pay for a service and the controller starts debt recovery processing. Do you think the data subject’s interests will be able to prevail with the following argument: “the controller should not process my personal data because my interests in not paying outweigh the controller’s interests in being paid for services I have used?”. Can we agree that the right to object will not prevail?
However, suppose the controller has mixed up personal data so there are two data subjects with the same name and very similar addresses whose personal data are confused, so much so, that one data subject is being pursued remorselessly (i.e. harassed) for the debts of the other data subject.
Suppose further the controller fails to take any notice of the data subject who has been pursued for the debt (who will probably make repeated representations about not being responsible for the debt). I should add that this kind of problem has happened in the UK.
In these kinds of circumstances, the UK_GDPR permits a data subject to exercise three rights in A.21, A.17 and A.18. The essence of the letter to the controller is as follows:
“Your failure to identify the correct data subject with a debt is causing me so much grief that I am exercising my right:
- to object to the processing of the debt information; (A.21)
- to restrict your processing until you have completed the necessary rebalancing test in accordance with A.18(1)(d); and
- to obtain a list of recipients to whom your rubbish personal data have been disclosed (A.17).”
If the Government’s proposals are enacted, this protection for data subjects who experience these kinds of extreme circumstances is gone.
Concluding comment
At the beginning of the blog I said that the DCMS proposals “if enacted will take away rights of those data subjects who could face substantial distress by the processing of personal data”. The debt example above makes this statement understandable.
In most circumstances the DCMS has identified, the legitimate interests of the controller will prevail and no change in the law is needed. However, there may be a specific and rare combination of circumstances where the data subject’s interests should prevail.
After all, there are 60 million data subjects in the UK and it is reasonable to expect that all sorts of mysterious combinations of circumstances will interact with any controller’s processing of personal data.
The proposals that a controller’s legitimate interests should automatically prevail do not simplify the law. They expose a few data subjects to unwarranted, substantial distress and leave them to swing in the wind.
So the answers to Q1.4.1 and Q1.4.2 are strongly disagree for the reasons above; Q1.4.3 is that no change is needed to safeguard the data subject’s interests.
Data Protection Practitioner Course (Autumn)
Because of the Indian variant, the fuel crisis and the continuing COVID pingdemic uncertainty, the course can be attended in person, or via Zoom, or as a mixture if you get pinged (it's up to you).
- The Data Protection Foundation Course is in London, and starts Tuesday, November 16 (3 days); Full details on http://www.amberhawk.com/DPFoundation.asp or by emailing [email protected]
- The Data Protection Practitioner Course is in London, and starts Monday, December 6 (5 days); Full details on amberhawk.com/StandardDP.asp or by emailing [email protected]