Insight Local Government Lawyer Insight February 2018 25

position quite so straightforward as it appears?

In a specific local government context, the Local Government Act 2000 gave local authorities the power to do anything which they considered was likely to promote or improve the economic, social or environmental well-being of their area, and then the Localism Act 2011 extended this yet further to a "general power of competence" to "do anything that individuals generally may do". The result of the exercise of these powers has been, in some areas, the setting up of companies to trade for commercial purposes or for spending local authority funds on particular purposes.

Furthermore, there are some things which public authorities do which, in effect, all organisations need to do - such as employ and manage staff, manage buildings or other property and operate IT systems. Some or all of these functions will necessarily involve the processing of personal data and may not be able to avail themselves of the other legitimising conditions in data protection law - if so, is GDPR proposing that public authorities might not be able to do these things?

Surely not, and the answer to the conundrum may lie in closer analysis of GDPR's wording. In its 2014 Opinion on "the notion of the legitimate interests of the data controller" the Article 29 Working Party (the representative body of data protection authorities of the EU) alluded to “the general principle that public authorities, as a rule, should only process data in performance of their tasks if they have appropriate authorisation by law to do so”. But it also noted the wording of the then draft GDPR, and the fact that what became article 6(1) ousted public authorities from relying on a legitimate interests condition. And it offered two differing interpretations.
First, if article 6(1) were to be interpreted strictly, as not permitting public authorities ever to rely on the legitimate interest condition, then other conditions in article 6 would have to be construed more expansively. Specifically: “If this provision is enacted and will be interpreted broadly, so as to altogether exclude public authorities from using legitimate interest as a legal ground, then the ‘public interest’ and ‘official authority’ grounds of Article 7(e) would need to be interpreted in a way as to allow public authorities some degree of flexibility, at least to ensure their proper management and functioning”.

Second, in the alternative, “the terms 'processing carried out by public authorities in the performance of their tasks' [could] be interpreted narrowly. This narrow interpretation would mean that processing for proper management and functioning of these public authorities would fall outside the scope of 'processing carried out by public authorities in the performance of their tasks'. As a result, processing for proper management and functioning of these public authorities could still be possible under the legitimate interest ground”.

The finalised text of article 6(1) of the GDPR does not differ in any substance from that of the original draft. So on the basis of that 2014 Working Party Opinion, there might be a lack of certainty or clarity.

However, the domestic Data Protection Bill, introduced in the House of Lords in September, suggests that the UK may be taking the latter of the Working Party's options (despite the fact that at the Bill’s initial reading the opposite view obtained). In recent debate the Lords agreed an amendment to the effect that an authority or body is only to be considered a public authority (and thus constrained from relying on the “legitimate interests” condition) when it is performing a task carried out in the public interest or in the exercise of official authority vested in it.
This amendment, and the debate which led up to its agreement, largely focused on the status of higher education bodies, and their ability to undertake processing activities which could not obviously avail themselves of the “public interest” and “official authority” grounds.

Notwithstanding this, the position under FOIA would remain problematic: responding to a FOIA request clearly is performing a task carried out in the public interest or in the exercise of official authority vested in a data controller. So how might public authorities effect disclosure of personal data under FOI?

The answer here lies in Schedule 18 to the Data Protection Bill, which deals with "minor and consequential amendments". Paragraph 7 of that Schedule proposes to amend the Freedom of Information Act 2000 (FOIA) so that, when determining the lawfulness of FOI disclosure of personal data, a public authority can (and only in those circumstances) in fact rely on the legitimate interests condition.

Such a proposed amendment would presumably help to meet the UK's obligation under GDPR to reconcile the right to the protection of personal data with the right to freedom of expression and information (Article 85), although query whether it is a permissible variation to the GDPR (which the Bill effectively seeks to incorporate into domestic law, as a precursor to a desired finding by the European Commission of data protection adequacy, once the UK becomes a "third country" under Brexit). Such an apparently small detail might not trouble the Commission greatly, but too wide a divergence in the Bill from the GDPR’s provisions may have the effect of making an adequacy determination less likely.

Jon Baines is Chair of NADPO, the National Association of Data Protection Officers.