Identifying what ground you are relying on in order to lawfully process personal data hasn't necessarily been something that many UK controllers have worried about up till now. So long as the data is
Identifying what ground you are relying on in order to lawfully process personal data hasn't necessarily been something that many UK controllers have worried about up till now. So long as the data is not sensitive, in many if not most instances, a responsible controller can be reasonably certain that they can argue that collecting and processing the data is necessary for legitimate interests either pursued by them or by a third party. The only limitation on this ground is where the processing is unwarranted by reason of prejudice to the rights and freedoms of the individual concerned. Or it may be the case that the processing of data happens in a contractual situation and therefore a controller can rely on the ground that processing such data is necessary for the performance of the contract. By relying on these grounds, the controller can usually side-step having to obtain the consent of individuals and having to deal with the complexity of issues that consent can give rise to (although consent may be unavoidable when data is sensitive).
Although legitimate interests remains a key ground that a controller (presumably any controller despite there being no reference to third party controllers as there is under the Directive) can rely on, it comes as no surprise that under the draft EU Data Protection Regulation the rules on legitimate interests have shifted somewhat. So, relying on the legitimate interests ground becomes harder when processing children's data (due to the specific protection afforded to children) and impossible for public authorities since, the Regulation states, it is for the legislator to provide by law the legal basis for public authorities to process data. Clearly the Information Commissioner's Office is concerned by the implications of this latter point since it states in its initial analysis on the Regulation that this approach will 'prevent public bodies carrying out processing that may well be necessary although not specifically provided for by law'. Partly this is due to the different legal cultures within the EU where many if not most EU member states have a codified legal system (unlike the UK) that specifies what public authorities can do.
The Regulation envisages that a controller will be much more transparent about his legitimate interests. Under the Regulation, a controller must explicitly inform individuals of the legitimate interests pursued, document these legitimate interests and remind individuals of their right to object. These further requirements if enacted may prompt UK controllers to be more circumspect than formerly when seeking to rely on the legitimate interests ground.
But it's not all bad news. The fact that the draft Regulation specifies that certain data processing strictly necessary to ensure network and information security constitutes a legitimate interest provides some comfort to controllers. Additionally the draft Regulation would enable organisations to make more incidental transfers of personal data (from the EU to outside the EU) if necessary for a controller or processor's legitimate interests.
But perhaps of greatest import is the power that the draft Regulation gives the EU Commission to specify the conditions in various sectors and data processing situations for reliance on the legitimate interests ground. Italian controllers may be used to the idea that a separate authority (in the Italian's case, the data protection authority, the Garante) specifies the conditions for relying on the legitimate interests condition but UK controllers are not.
It remains to be seen whether these changes to the legitimate interests ground are adopted as part of the final Regulation and what impact such changes will have.
Although legitimate interests remains a key ground that a controller (presumably any controller despite there being no reference to third party controllers as there is under the Directive) can rely on, it comes as no surprise that under the draft EU Data Protection Regulation the rules on legitimate interests have shifted somewhat. So, relying on the legitimate interests ground becomes harder when processing children's data (due to the specific protection afforded to children) and impossible for public authorities since, the Regulation states, it is for the legislator to provide by law the legal basis for public authorities to process data. Clearly the Information Commissioner's Office is concerned by the implications of this latter point since it states in its initial analysis on the Regulation that this approach will 'prevent public bodies carrying out processing that may well be necessary although not specifically provided for by law'. Partly this is due to the different legal cultures within the EU where many if not most EU member states have a codified legal system (unlike the UK) that specifies what public authorities can do.
The Regulation envisages that a controller will be much more transparent about his legitimate interests. Under the Regulation, a controller must explicitly inform individuals of the legitimate interests pursued, document these legitimate interests and remind individuals of their right to object. These further requirements if enacted may prompt UK controllers to be more circumspect than formerly when seeking to rely on the legitimate interests ground.
But it's not all bad news. The fact that the draft Regulation specifies that certain data processing strictly necessary to ensure network and information security constitutes a legitimate interest provides some comfort to controllers. Additionally the draft Regulation would enable organisations to make more incidental transfers of personal data (from the EU to outside the EU) if necessary for a controller or processor's legitimate interests.
But perhaps of greatest import is the power that the draft Regulation gives the EU Commission to specify the conditions in various sectors and data processing situations for reliance on the legitimate interests ground. Italian controllers may be used to the idea that a separate authority (in the Italian's case, the data protection authority, the Garante) specifies the conditions for relying on the legitimate interests condition but UK controllers are not.
It remains to be seen whether these changes to the legitimate interests ground are adopted as part of the final Regulation and what impact such changes will have.