I was interested to spot that the Article 29 Working Party visited the question of “public authorities” back in 2014, on page 23 of their Opinion on Legitimate Interests. There they note that there are two possible interpretations of the (then draft) General Data Protection Regulation’s (GDPR) rule that public authorities may not use legitimate interests in the performance of their tasks: a narrow interpretation of both “public authority” and “task”, which leaves legitimate interests available for most of the body’s activities; and a wide view that means that all activities of those bodies should be performed under the alternative “public interest” justification. The working party’s discussion of “authorities” and “tasks” on page 21 suggests they favoured the narrow approach.
However, so long as those are indeed the two alternatives that regulators will consider now that the GDPR is law, universities and other organisations that might be classed as public authorities under the wide definition can continue to design their processes to use legitimate interests where that provides the best protection for their data subjects. If regulators subsequently decide that public interest should be used instead, the same processes should satisfy that justification too, though considering the rights and freedoms of data subjects would then become optional rather than required. In either case there should be no need for the radical re-design of process (and torture of statutory wording) that would be required to replace a legitimate interests process with one based on consent.
[UPDATE: a blog post from CASE Europe suggests that the ICO and DCMS are indeed inclined to allow universities and colleges to use both legitimate interests and public interest as justifications for non-core and core functions respectively. So there should be no need to squeeze “consent” onto activities for which it’s clearly unsuitable.]