Governments' Lawful Excuses: Consent Never Applies

The lawful basis for processing personal data is a critical step in complying with privacy regulations and laws. The General Data Protection Regulation (GDPR) outlines six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. However, one of these bases, public task, is reserved for public bodies and never applies to governments. Public task processing is necessary for carrying out a task in the public interest or for the exercise of official authority and has a clear basis in law. While governments may rely on the other five lawful bases depending on their specific purposes and context, public task is exclusively applicable to public bodies.

Characteristics | Values
Lawful basis | Legitimate interests
Applies to | Private businesses
Not applicable to | Public bodies

For consent to be considered informed, the individual must be notified of the identity of the controller, the type of data that will be processed, how it will be used, and the purpose of the processing operations. They must also be informed of their right to withdraw consent at any time, and this process should be as simple as giving consent.

To be considered unambiguous, consent requires either a statement or a clear affirmative act, such as ticking a box or clicking a button. It cannot be implied and must always be given through an opt-in, a declaration, or an active motion.

When determining the lawful basis for processing personal data, it is important to consider the specific purpose of the processing, the type of data involved, and the relationship with the data subject. In situations where there is an uneven distribution of power, such as in an employer-employee relationship, it is best to avoid consent as a legal basis for processing.

Contractual necessity

To rely on contractual necessity as a lawful basis, it must be demonstrated that:

  • There is a contract with the individual.
  • The processing of personal data is necessary to comply with the obligations under the contract.
  • If there is no contract yet, the individual has requested something as a first step (e.g. a quote) and personal data needs to be processed to fulfil this request.

It is important to note that contractual necessity does not apply if:

  • You need to process one person's details but the contract is with someone else.
  • You collect and reuse customer data for your own business purposes, even if permitted under standard contractual terms.
  • You take pre-contractual steps on your own initiative, to meet other obligations, or at the request of a third party.

The processing must also be necessary, meaning that it must be more than just useful or standard practice. It must be a targeted and proportionate step that is integral to delivering the contractual service. If there are other reasonable and less intrusive ways to deliver the service, then contractual necessity does not apply.

The European Data Protection Board (EDPB) has a narrow interpretation of contractual necessity. They state that processing must be objectively necessary for a purpose that is integral to delivering the contractual service. For example, processing credit card information and billing addresses for payment purposes by online retailers is necessary. However, building a profile of user tastes and lifestyle choices is not necessary to carry out the contract and would require a different legal basis.

Organisations should carefully evaluate the specific purpose of processing, the type of data involved, and their relationship with the data subjects to determine if contractual necessity is the most suitable lawful basis.

Legitimate interests

There are three elements to the legitimate interests basis:

  • Identify a legitimate interest.
  • Show that the processing is necessary to achieve it.
  • Balance it against the individual's interests, rights, and freedoms.

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests, or broader societal benefits. The processing must be necessary, and if the same result can be reasonably achieved in another, less intrusive way, then legitimate interests will not apply.

You must balance your interests against the individual's interests. If they would not reasonably expect the processing or if it would cause them unjustified harm, their interests are likely to override your legitimate interests.

When relying on legitimate interests, your processing will usually have to be 'necessary' for a specific purpose. This means you can't achieve your purpose without the processing.

Vital interests

The "vital interests" lawful basis applies when processing personal data is necessary to protect someone's life. This basis is intended to cover only interests that are essential for someone's life and is therefore limited in scope, generally applying only to matters of life and death.

For example, it would be relevant when a person requires emergency medical care but is unconscious or otherwise unable to give consent for their data to be processed. In such a case, their employer or another individual could provide their health information to medical professionals, as this disclosure would be necessary to protect their vital interests.

The "vital interests" basis is less likely to be appropriate for planned medical care, where another lawful basis, such as "public task" or "legitimate interests", would be more applicable. It is also less likely to be the appropriate basis for processing on a larger scale, although it may be relevant in situations such as monitoring epidemics or responding to humanitarian emergencies.

It is important to note that if an individual is capable of giving consent, even if they refuse, the "vital interests" basis cannot be relied upon for health data or other special category data. Additionally, when processing special category data, it is necessary to identify a condition for doing so under Article 9, which applies specifically to such data.

Overall, the "vital interests" lawful basis is a critical component of data protection regulations, ensuring that personal data can be processed when necessary to protect someone's life, while also outlining important limitations and considerations for its application.

Public task

The "public task" lawful basis for processing personal data applies when the processing is necessary for a task in the public interest or for official functions. This typically applies to public authorities but can also apply to any organisation that exercises official authority or carries out tasks in the public interest.

To rely on this lawful basis, the task, function, or power must have a clear basis in law, and the processing must be necessary. If the task can reasonably be performed in a less intrusive way, this lawful basis does not apply.

For example, a government agency with statutory powers to conduct research about the online shopping habits of consumers can process personal data under the "public task" lawful basis. However, if the agency requests personal data from retailers, the retailers cannot share the information under the agency's public task basis as they are not subject to the agency's statutory function.

The "public task" lawful basis is relevant to the following:

  • Administration of justice
  • Parliamentary functions
  • Statutory functions
  • Governmental functions
  • Activities that support or promote democratic engagement

It is important to note that this list is not exhaustive, and other official non-statutory functions or public interest tasks can also fall under the "public task" lawful basis as long as the underlying legal basis is clear and foreseeable.
