UK, EU Take Separate Paths on Legitimate Interest
While both the EU and U.K. use legitimate interest as a basis for processing personal data, the U.K. Data Use and Access Act (DUAA) has introduced "something interesting" -- a more flexible standard that can reduce administrative burden in some cases, said Daniel Vinerean, managing director of law firm David and Baias, during a webinar Thursday.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Separately, a #RISK Digital Global panel said that among trends emerging in the U.K. are data subjects acting as their own advocates and a rise in data-protection prosecutions.
Under guidelines being finalized by the European Data Protection Board (EDPB), Vinerean said, organizations seeking to use legitimate interest as the basis for personal data processing must conduct a balancing test. That involves justifying the legitimacy of organizations' interest in processing the data and the need to do so against data subjects' rights and freedoms. These rights can include not only privacy but also financial or other interests, he said during a session hosted by Sypher, a privacy management and compliance software provider.
DUAA, however, established the legal basis of "recognized legitimate interest," for which no balancing assessment is required, Vinerean said. Recognized legitimate interest, which can be used in situations such as processing for crime prevention and fraud, eases the administrative burden of using legitimate interest, he said.
There are no exemptions from the balancing test in the EU, Vinerean noted. Europe's approach is more rigid, while the U.K. permits a more constructive use of the legal basis.
Asked if there's any interest in the EU in creating a recognized legitimate interest basis for processing, Vinerean told us he doesn't see it happening soon. However, he said, such a change would be beneficial because the U.K. approach is more flexible and adapted to reality. Recognized legitimate interest would be good for data processors and business in general, he added, because the GDPR can be quite rigid in some respects.
Regulators want companies to follow the EDPB approach, Vinerean said, including a "proper balancing test" that's objective, with risks identified and appropriate measures to address those risks.
The AI Effect
Another development in the U.K. is that data subjects are increasingly forced to be their own privacy advocate, owing to a lack of action by data controllers, said Henry Davies, data protection officer for health care technology service provider Birdie, during a #RISK Digital Global webinar Thursday.
Davies also cited a "considerable uptick" in the number of data access requests received, along with more criminal prosecutions, such as the decision by the U.K. ICO to fine a care home director for refusing to respond to an access request (see Ref:2509040010]).
Asked whether the U.K. is finally beginning to find GDPR compliance easier, Davies said he's seeing a strong appetite for the use of AI in ways that aren't very controlled. Senior management is pushing for AI use, and that's difficult to square with GDPR principles of purpose limitation and data minimization, he said.
There's huge pressure on some organizations to save money by using AI, said Bates Wells data privacy attorney Eleonor Duhs, but there's also a lack of good-quality discussion about how AI is affecting individuals' rights.
The shadow over all this is the U.S., said James Leaton Gray, director of the Privacy Practice, a consultancy. U.S. tech companies announced major AI investments in the U.K. this week, he noted.
The U.S. is a key influence affecting where the U.K. goes next on AI, said Duhs. She questioned what the price will be for all the U.S. tech coming to Britain. There's not much business appetite for looking for European solutions, Davies added.