Relevant DUA Act Provision: Schedule 4; amends Article 6(1)(e) UK GDPR
Schedule 4 of the DUA Act introduces the concept of "recognised legitimate interests" (RLIs), a statutory list of pre-approved lawful public interest purposes for which personal data may be disclosed under Article 6(1)(e) UK GDPR. Where a controller discloses personal data to another person who is processing for one of the listed RLIs with a valid legal basis under Article 6(3), the disclosing controller is exempt from conducting a Legitimate Interests Assessment (LIA), including the usual balancing test against the data subject’s rights and freedoms. The necessity requirement still applies: the disclosure must be strictly necessary for the specified purpose.
Both public and private sector controllers may rely on the RLI exemption when disclosing personal data to another party who is processing for a recognised legitimate interest under Article 6(1)(e) with a legal basis in law under Article 6(3). However, only the disclosing controller benefits from the exemption. The RLIs do not permit private controllers to process for these purposes themselves unless they are recipients with a qualifying legal basis in domestic law.
The UK has adopted a fixed list of purposes, currently including:
- National security
- Public security
- Defence
- Responding to emergencies
- Preventing or detecting crime
- Safeguarding children or individuals at risk
The Secretary of State may amend the list of RLIs by secondary legislation, having regard to the fundamental rights and freedoms of data subjects, and the special protection due to children’s data. While this offers flexibility to respond to new public interest risks, it introduces legal uncertainty due to lack of parliamentary scrutiny, raising questions under the rule of law and principle of foreseeability.
By introducing this RLI exemption, the UK seeks to offer legal certainty and reduce administrative burden on controllers for disclosures in the public interest. However, it limits the scope for data subjects to challenge processing on rights-based grounds, since the balancing test is no longer required for listed RLIs.
Divergence
The DUA Act departs from the GDPR’s case-by-case, context-sensitive approach, which relies on Recital 47’s interpretive criteria and the requirement for a full LIA. While RLIs provide legal certainty for UK-based disclosures, multinational organisations operating across both jurisdictions must reconcile this UK-specific exemption with the GDPR’s continuing insistence on contextual balancing, resulting in additional operational complexity.
ICO commentary
The ICO, in its formal response, confirmed that Schedule 4 establishes RLIs for which no balancing test is required, using crime prevention and safeguarding as primary examples. The ICO intends to publish new guidance on the RLIs, with a public consultation planned for Winter 2025/2026.
Recommendations
- Map all processing based on legitimate interests under Article 6(1)(f) and confirm whether any purposes fall within a Recognised Legitimate Interest as listed in Schedule 4.
- Where the disclosure falls within an RLI under Schedule 4, update privacy notices accordingly and remove the requirement to conduct a balancing test.
- Retain LIAs for all other legitimate interest processing not covered by RLIs, particularly to support compliance with the GDPR.
- Monitor future regulations that expand or restrict the scope of RLIs, as legislative changes could create legal uncertainty or raise public trust concerns.
This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are: 1. Recognised Legitimate Interests (RLIs) |