GDPR and FOI requests: keep calm and carry on!

As the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA 2018) come into force today, there are a number of technical changes to the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR) to reflect the new legal regime.

For FOIA/ EIR practitioners who are well versed in applying the Section 40 and Regulation 13 exemptions to requests for third party personal data, you will be pleased to know that despite GDPR, there is no substantive change to the approach required to apply these exemptions.

In particular, it is worth noting that the restriction under Article 6(1) of GDPR to the legitimate interests condition of processing which prevents a public authority relying on this legal basis when processing personal data as part of its public task, does not apply when considering whether disclosure of third party personal data under FOIA/EIR would be fair and lawful under Article 5(1)(a) of GDPR. This is due to the new section 40(8) of FOIA and Regulation 13(6) of EIR inserted by the DPA 2018, which disapplies this restriction in these circumstances.

"In determining for the purposes of this section [regulation] whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”   [1]