There’s no doubt that some parts of the UK Data Protection Act and the EU Data Protection Directive are badly out of date and need revising. The world they were drafted for in the early 1990s has changed. One area that has worn much better is the six justifications for processing personal data: those still look like a comprehensive set of permissions, each containing the necessary protection for individuals whose personal data whose personal information is processed under them. The justifications still appear to me to cover any legitimate data processing activity, with little overlap between them. The fact that the protections are tailored to match the justifications is significant, because it means that if you use the wrong justification then you may well be applying the wrong protection too.
I doubt that the justifications occurred to the drafters in the order in which they appear in the Act and Directive, and I think their operation is clearer if they are presented in a different sequence, as three pairs:
- First are the two situations that the drafters already knew about and where the required protections were already clear: “necessary in the vital interests of the data subject” and “necessary for the purposes of a contract”. Here the data subject is protected by the narrow definitions of vital interests and contract, and the fact that any processing must be necessary for those ends. Anything that isn’t necessary can’t be done under these justifications;
- Then there’s a pair of justifications where the original drafters left space for later legislators and regulators to adapt to new situations: “necessary to fulfil a legal duty” and “necessary in the public interest”. These are sometimes seen as applying respectively to the private and public sectors. Creating legal duties and declaring public interests is what parliaments and governments do, so the activities permitted under these justifications will change in time. But data subjects are still protected by the “necessary”, and parliaments and governments may (and do) add additional protections at the time they create the new duties or public interests;
- Finally there’s a pair of justifications that allow data subjects and data processing organisations to declare new purposes: “consent” and “necessary in the legitimate interests”.
- Consent appears particularly wide, because it’s the only justification that isn’t limited to “necessary” processing. However even where data subjects consent, they are protected by the requirement that their consent must be “free and informed”. The Information Commissioner has noted that is “not particularly easy to achieve”. In particular, the requirement that consent be freely given means, I think, that it can’t be used if any of the other five justifications apply, because if processing is “necessary” then it’s unlikely that I’m really free to give or withhold my consent to it;
- “Legitimate interests” also appears wide but again is constrained by “necessary”. In addition it is the only justification that is explicitly limited by the fundamental rights of the individual. So, as the Article 29 Working Party have recently explained, every use of “legitimate interests” involves a balancing test, which will often mean that processing that is both necessary and for a legitimate purpose is still prohibited because it involves too great an interference with the individual’s rights.
As the Article 29 Working Party’s Opinion on Consent notes (on page 8), some processes will involve different activities to which different justifications apply. It may well be that core parts of a process are subject to one of the “necessity” justifications while optional extras are covered by “consent”. So when you are considering processing personal data look at all six of the justifications, pick the right ones, and ensure that you apply the matching privacy protection measures. If you find you have to stretch the definition of a justification to fit your application then you’ve probably chosen the wrong one (or your processing may not be legitimate!). Stretching the definition is also likely to involve stretching the protective measures, quite possibly weakening the protection they are supposed to offer to individuals.