As the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA 2018) come into force today, there are a number of technical changes to the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR) to reflect the new legal regime.

FOIA/EIR practitioners who are well versed in applying the Section 40 and Regulation 13 exemptions to requests for third party personal data will be pleased to know that, despite GDPR, there is no substantive change to the approach required to apply these exemptions.

In particular, it is worth noting that the restriction under Article 6(1) of GDPR on the legitimate interests condition of processing, which prevents a public authority relying on this legal basis when processing personal data as part of its public task, does not apply when considering whether disclosure of third party personal data under FOIA/EIR would be fair and lawful under Article 5(1)(a) of GDPR. This is due to the new section 40(8) of FOIA and Regulation 13(6) of EIR inserted by the DPA 2018, which disapply this restriction in these circumstances.

"In determining for the purposes of this section [regulation] whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted." [1]

This means that in the new world of GDPR, the long-established approach of considering whether disclosure of third party personal data would satisfy the legitimate interests condition of processing, now under Article 6(1)(f) of GDPR, still applies. Therefore, public authorities should largely continue to assess whether the Section 40/Regulation 13 exemption applies in the same way they did before. The ICO's guidance on Section 40 and Regulation 13 has not yet been updated to refer to the GDPR, but I am sure it will be shortly.


In the meantime, whilst your data protection colleagues are getting to grips with GDPR and DPA 2018, FOIA/EIR practitioners can largely keep calm and carry on as before!

[1] See paragraphs 58 and 307 of Schedule 19 DPA 2018