UK Data Protection Reform Bill v2: Legitimate Interests, Cookies, and ‘Paperwork’

The UK’s Data Protection and Digital Information Bill (DPDIB) returned to parliament on 8 March with some subtle but significant amendments.

The UK’s Data Protection and Digital Information Bill (DPDIB) returned to parliament on 8 March with some subtle but significant amendments.

The government suggests the new law will save UK businesses “billions”. Campaigners Big Brother Watch call the bill a “bonfire of safeguards”. Industry group TechUK says the proposals will help “boost innovation”.

This article will look at three important areas set to change under the latest draft of the DBDIP: Legitimate interests, cookies, and people and “paperwork”.

Part 1: Legitimate Interests

The DPDIB overhauls the GDPR’s “legitimate interest” provisions in two main ways:

  • Some processing purposes are deemed legitimate by default, with no need for controllers to conduct a “legitimate interests assessment”.
  • Other processing purposes are listed as examples of processing that “may” be considered a legitimate interest. For these purposes, controllers will still need to conduct legitimate interests assessment.


Let’s deal with the first category of processing purposes.

Recognised Legitimate Interests

The DPDIB introduces a new subparagraph to Article 6 GDPR, which sets out the legal bases for processing: 

“Article 6 (1) (ea): Processing is necessary for the purposes of a recognised legitimate interest.”

When processing for a “recognised legitimate interest”, controllers don’t have to conduct a “legitimate interests assessment”. In other words, there is no need to demonstrate that the benefit of the processing outweighs the risks to data subjects’ rights and freedoms.

The DPDIB provides a list of recognised legitimate interests at Annex 1. The recognised legitimate interests include:

Recognised legitimate interest Explanation
Disclosure for purposes of processing described in Article 6(1)(e) This essentially allows controllers to share personal data with another person who:

  • Requests the data, and
  • States that they need it for processing under the “public task” legal basis, and
  • Is subject to UK law per Article 6(3).
National security, public security and defence Processing that is necessary for:

  • Safeguarding national security.
  • Protecting public security.
  • Defence.

These terms are not defined in the bill.

Emergencies Processing that is necessary to respond to an emergency, as defined in the Civil Contingencies Act 2004.
Crime Processing that is necessary for:

  • Detecting, investigating or preventing crime, or
  • Apprehending or prosecuting offenders.
Safeguarding vulnerable individuals “Safeguarding” means protecting a vulnerable individual from neglect or harm, or protecting their wellbeing.

“Vulnerable individual” means either:

  • A child under 18, or
  • A person over 18 that is at risk.

“At risk” means that the vulnerable individual is:

  • In need of care or support,
  • Experiencing or at risk of harm,
  • Unable to protect themselves from harm.
Democratic engagement  Elected representatives may process personal data about people aged over 14 for the purposes of “democratic engagement”.


Notably: the Secretary of State can add or remove new items to the list of recognised legitimate interests via regulation. 

‘Possible’ Legitimate Interests

A new feature of the DPDIB’s latest draft is a list of purposes that “may be” in the legitimate interests of controllers. 

The explanatory notes specify that these examples are “illustrative only and non-exhaustive”. Controllers must still conduct a legitimate interests assessment before relying on “legitimate interests” in respect of these purposes.

The “possible” legitimate interests include processing that is necessary for:

  • Direct marketing.
  • “Intra-group transmission” of personal data for internal admin purposes (sharing data among a group of undertakings or between members of a group of institutions affiliated to a central body).
  • Ensuring the security of network and information systems (as defined under the UK’s NIS Regulations).

Part 2: Cookies

The UK government claims that the DPDIB will reduce the amount of “annoying” cookie pop-ups.

In pursuit of this objective, the DPDIB amends the UK’s implementation of the ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR).

PECR prohibits “a person” from storing information on, or accessing information from, a subscriber or user’s “terminal equipment” unless certain conditions are met,

As a shorthand, we’ll discuss this in terms of “organisations setting cookies on user’s devices”. Remember, though, that the provision is broader than this, covering all types of persons and all sorts of technologies that store or access information.

Default Rule: Cookies Require Notice and Consent

By default, organisations cannot set a cookie on a person’s device unless the person has:

  • Received “clear and comprehensive information” about the cookie’s purposes.
  • Provided consent.

The DPDIB does not remove the ePrivacy Directive’s rules around “essential cookies” that persist across the EU. These cookies can still be set without consent.

However, the bill clarifies which purposes fall within the existing “essential cookies” consent exceptions. Such purposes include preventing fraud, technical faults, and secruity breaches in relation to a requested service, 

Importantly, the DPDIB provides four additional exceptions to the cookie consent rule.

Exception 1: Analytics

Organisations do not need consent to set a cookie if the following conditions are met:

  • The organisation is providing an “information society service” (online service).
  • The “sole purpose” of the cookie is to make improvements to the service. 
  • The cookie collects information “for statistical purposes” about how the service (or a website used to deliver the service) is used.
  • The information collected by the cookie is not shared with any other person, unless that person is assisting with making the improvements.
  • The user gets clear and comprehensive information about the purposes of the cookie.
  • The user gets an easy and free way to opt out.

This essentially means that analytics cookies will not require consent, provided that certain conditions are met.

Exception 2: Responsive Design

Organisations do not need consent to set a cookie if the following conditions are met:

  • The organisation is providing an “information society service” (online service) via a website.
  • The “sole purpose” of the cookie is to either:
    • Adapting the website’s functions or appearance to the user’s preferences, or
    • Enhancing the website’s functionality or appearance.
  • The user gets clear and comprehensive information about the purposes of the cookie.
  • The user gets an easy and free way to opt out.

This provision appears to broaden an existing consent exception for cookies that are necessary for providing a service requested by the user. The explanatory notes suggest that the provision could cover “responsive design”, where a website adapts to a user’s display or device.

Exception 3: Software Updates

Organisations do not need consent to update software already installed on a device if the following conditions are met:

  • Updating the software is the sole purpose of accessing or storing information on the device.
  • The update is necessary for security purposes.
  • The update will not change the user’s privacy settings.
  • The user gets clear and comprehensive information about the purposes of the update.
  • The user gets an easy and free way to opt out.
  • The user can disable or postpone the update before it takes effect.
  • The user can easily uninstall or disable the update.

Exception 4: Emergencies

Organisations do not need consent to access or store information on a device if:

  • The organisation receives a “communication” from the user’s device.
  • The communication is a request from the user for emergency assistance.
  • The sole purpose of the access or storage is to discover the user’s location with an aim to provide emergency assistance.

This essentially means that emergency services (or other organisations) can remotely access the location of a person’s device if the person needs emergency assistance.

Part 3: People and ‘Paperwork’

The government claims that the DPDIB will save UK businesses “billions”, in large part due to a reduction in “paperwork”. Here’s a look at how the bill amends the UK GDPR’s rules on personnel and administration.

Data Protection Officer and UK Representative

The bill eliminates the mandatory requirement on some organisations to appoint a data protection officer (DPO). Organisations previously required to appoint a DPO can instead designate a “senior responsible individual” from the organisation’s senior management. This is optional: having a DPO is still acceptable under the new law.

The tasks and position of the senior responsible individual remain largely similar to those of a DPO. The post of “senior responsible individual” can be shared by two or more people. The senior responsible individual can delegate tasks to other people within the organisation.

Organisations not established in the UK will no longer need to appoint a UK representative under Article 27 of the UK GDPR.

Records of Processing

The DPDIB substantially reduces controllers’ obligations to keep a “record of processing activities” (ROPA).

Under the new proposals, ROPAs only need to cover processing that presents a “high risk to the rights and freedoms of data subjects”. 

The new version of the bill extends the ROPA exemption, which previously only applied to organisations of 250 or fewer employees that did not conduct high-risk processing.

There are other amendments to the information that must be recorded. The latest draft of the bill specifies that organisations only need to record the “categories” of recipients of personal data, rather than the actual identities of the recipients.

Data Protection Impact Assessments

The bill scraps data protection impact assessments (DPIAs) and replaces them with the “assessment of high risk processing”.

The DPDIB removes references to “proportionality” in this section of the UK GDPR. A “systemic description of the envisaged processing operations and the purposes of the processing” will become “a summary of the purposes of the processing”.

Prior Consultation

Organisations will no longer need to consult with the Information Commissioner’s Office (ICO) prior to engaging in high-risk processing.

The proposals would amend Article 36 of the UK GDPR so that “the controller shall consult the Commissioner prior to processing” reads “the controller may consult the Commissioner prior to processing”.

We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance. Test your company’s privacy practices, CLICK HERE to receive your instant privacy score now!