In amongst the headline-grabbing right to be forgotten judgments, leading to very long posts, Panopticon gets regular queries from people working in public authorities concerned about how the GDPR is going to affect their ability to use the section 40 personal data exemption in FOIA. A short post on the answer is warranted.How does the problem arise? As you know, Article 6 of the GDPR will replace the processing of personal data conditions currently in Schedule 2 to the DPA 1998. The usual condition used to justify release of personal data in response to a FOIA request is condition 6(1): necessary for the purposes of legitimate interests, so long as the disclosure is proportionate (paraphrasing).
The equivalent to condition 6(1) is Article 6(1)(f). But Article 6(1) specifies that 6(1)(f) cannot be used by a public authority. The intention behind that is that public authorities focus on processing personal data in furtherance of the legal functions under Article 6(1)(e), but that is an inapt way of addressing disclosure of third party data in response to a FOIA request. And the DP Bill makes clear that the problem does arise, because public authorities for GDPR purposes are defined as those who are public authorities for FOIA purposes: clause 7 (currently). The exception in clause 7(2) for where the authority is not acting qua public authority does not assist in the FOIA context.
So what is the answer? Happily, this has not gone unnoticed and it is to be addressed by an amendment to section 40 FOIA made by Schedule 18, para 58 of the DP Bill (currently). It will insert a new subsection (8) which will provide: “In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”
Section 40 FOIA is to be amended to take account of other aspects of the GDPR too – particularly to reflect the right to object – but the most significant issue is to be resolved by the Bill. Now we just have to wait for the Bill to be passed…
Christopher Knight