Recognised Legitimate Interests: The UK Parts Ways with the EU on the Balancing Test

The Data (Use and Access) Act 2025 (DUAA) introduced recognised legitimate interests as a new lawful basis for processing personal data under UK GDPR. The ICO published its guidance on 23 March 2026, some six weeks after the provisions came into force on 5 February. For organisations operating in the UK, this is the most commercially significant change in the DUAA. It is also the point at which UK and EU data protection law diverges most clearly.
As we noted in our March 2026 analysis of the DUAA’s enforcement provisions, the Act reshapes several aspects of UK data protection. This article examines the recognised legitimate interests basis: what it permits, how it differs from the EU position, and why it matters for data-driven businesses.
What the DUAA changes for recognised legitimate interests
Section 70 of the DUAA inserts a new Article 6(1)(ea) into UK GDPR. Processing is lawful under this basis where it is necessary for the purposes of a recognised legitimate interest, as defined in the new Annex 1 to UK GDPR (introduced by Schedule 4 of the Act).
The critical difference from standard legitimate interests under Article 6(1)(f) is that recognised legitimate interests do not require a balancing test. Under Article 6(1)(f), controllers must weigh their interest against the rights, freedoms and interests of the data subject. Under Article 6(1)(ea), that assessment is not required. The necessity test remains: the processing must be necessary for the specified purpose. But the legislature has, in effect, pre-approved the balance for the listed purposes.
Annex 1 lists five categories of recognised legitimate interest. These are all public interest purposes: processing necessary for the prevention or detection of crime; safeguarding vulnerable individuals, including children and adults at risk; responding to emergencies that threaten the life, health or safety of a data subject or another individual; safeguarding national security or supporting defence activities; and disclosing personal data to a person who needs it to perform a task in the public interest or in the exercise of official authority.
The Secretary of State may amend this list by statutory instrument, which means it could expand over time.
Recognised versus standard legitimate interests: the distinction that matters
The DUAA does two separate things for legitimate interests, and conflating them is a common error.
First, Article 6(1)(ea) creates the recognised legitimate interests basis described above, with no balancing test, for five public interest purposes only. This is the narrower provision.
Second, section 70 also inserts new wording into Article 6 that codifies examples of processing that may constitute a legitimate interest under the existing Article 6(1)(f) basis. These codified examples include direct marketing, transmission of personal data within a group of undertakings for internal administrative purposes, and processing necessary to ensure the security of network and information systems. These are not recognised legitimate interests. They still require the full balancing test and a legitimate interests assessment (LIA). What the DUAA provides is statutory confirmation that these activities can, in principle, be legitimate interests. Before the DUAA, they relied on Recitals 47 to 49 of EU GDPR (as retained in UK GDPR) and on ICO guidance. They now have a legislative footing in the operative text of UK law.
For commercial organisations, the practical value lies primarily in the second category. Direct marketing, intra-group data sharing and network security are everyday processing activities. Statutory confirmation reduces the risk of a regulator or court finding that these interests are not, in principle, legitimate. It does not remove the requirement to conduct an LIA, but it strengthens the starting position.
Where the UK and EU now diverge on recognised legitimate interests
Under EU GDPR, the CJEU confirmed in Case C-621/22 (KNLTB) in October 2024 that purely commercial interests can constitute legitimate interests under Article 6(1)(f). The three-step test remains mandatory: a legitimate interest must exist; the processing must be necessary to pursue it; and the data subject’s rights must not override it. There is no EU equivalent of recognised legitimate interests. Every reliance on legitimate interests under EU GDPR requires the full balancing exercise.
The EDPB’s Guidelines 1/2024 on legitimate interests, adopted in draft in October 2024, reinforce this position. The Guidelines confirm that direct marketing may be a legitimate interest, but that this is not automatic and each case requires individual assessment. Intra-group data transfers are treated similarly: permitted in principle, but with no presumption in favour of the controller.
The UK position after the DUAA is different in two respects. First, the UK has a category of legitimate interest (the five Annex 1 purposes) where no balancing test is needed at all. The EU has no equivalent. Second, the UK has legislated that direct marketing, intra-group transfers and network security are, as a matter of law, capable of being legitimate interests. The EU relies on recitals and case law for the same proposition.
The European Commission’s Digital Omnibus Package, proposed in November 2025, moves in a similar direction. It proposes a specific legitimate interest basis for processing personal data to train AI systems, subject to a documented LIA, the right to object, and appropriate safeguards. But the EU’s approach retains the balancing test. The direction of travel is converging; the mechanisms are not.
The following table summarises the key differences:
| Feature | UK (post-DUAA) | EU (current GDPR) |
|---|---|---|
| Pre-approved purposes (no balancing test) | Yes: five Annex 1 public interest purposes | No equivalent |
| Direct marketing as legitimate interest | Codified in statute (balancing test still required) | Recognised in Recital 47 and EDPB Guidelines (balancing test required, not automatic) |
| Intra-group data transfers | Codified in statute (balancing test still required) | Recognised in Recital 48 (balancing test required) |
| Network/information security | Codified in statute (balancing test still required) | Recognised in Recital 49 (balancing test required) |
| AI training data processing | No specific provision (standard LI applies) | Proposed in Digital Omnibus Package (LIA required) |
| Power to expand the pre-approved list | Yes: Secretary of State, by statutory instrument | No list exists; any equivalent would require legislative amendment |
Commercial and operational implications
For UK-based businesses, the DUAA’s legitimate interests reforms have three practical consequences: reduced friction in two common processing areas, and a dual-track requirement for organisations that also process EU data subjects’ data.
First, direct marketing. The statutory codification means that a controller conducting first-party direct marketing by email to existing customers (where the soft opt-in under regulation 22 of the Privacy and Electronic Communications Regulations 2003 applies) now has legislative backing for the Article 6 lawful basis as well as the PECR condition. The LIA still needs to be done, but the threshold argument about whether direct marketing is a legitimate interest at all is now settled in UK law.
Second, intra-group data sharing. PE portfolio companies and corporate groups routinely need to share personal data across group entities for centralised HR, finance, IT security and reporting. Under EU GDPR, each such transfer must be justified by a full balancing test with no statutory presumption in the controller’s favour. Under UK GDPR, the DUAA confirms that intra-group transfers for internal administration are capable of being a legitimate interest. The balancing test still applies, but the legal foundation is clearer. For PE-backed groups restructuring data flows post-acquisition, this simplifies the compliance analysis.
Third, organisations operating in both jurisdictions face a dual-track compliance requirement. The UK reforms do not remove the need to comply with EU GDPR for EU data subjects. An organisation relying on the codified legitimate interest for direct marketing in the UK will still need a full, EU-standard LIA for the same processing involving EU data subjects. Two parallel compliance frameworks add cost, but UK-only processing benefits from reduced uncertainty.
For organisations in regulated sectors, including telecoms operators, payment institutions and fintechs, the recognised legitimate interests basis under Annex 1 has direct application. Processing necessary for the prevention or detection of fraud falls within the Annex 1 crime purpose and is therefore a recognised legitimate interest, with no balancing test. Processing to ensure network and information security is treated differently: it is one of the codified Article 6(1)(f) examples, so it has statutory backing as a legitimate interest but still requires the balancing test and an LIA. Both are routine compliance activities for regulated firms, and the DUAA gives each a stronger statutory foundation than before, albeit to different degrees.
Viewpoint
The recognised legitimate interests basis is narrower than early commentary suggested. It applies only to five public interest purposes, not to commercial processing. The real commercial value lies in the codified examples of legitimate interest under Article 6(1)(f), which give statutory backing to activities that most data protection practitioners already treated as legitimate interests. The practical effect is less a new freedom and more a reduced risk of regulatory challenge to established practices.
In our experience advising telecoms operators and payments firms on data processing frameworks, the operational bottleneck has rarely been whether direct marketing or intra-group sharing is a legitimate interest in principle. It has been the time and cost of producing and maintaining LIAs that say much the same thing across dozens of processing activities. The DUAA does not remove that requirement. What it does is reduce the risk that the starting premise of the LIA will be challenged, and that is worth something, particularly for scaling businesses building their compliance frameworks for the first time.
The divergence from EU GDPR is now a permanent feature of the UK data protection regime, not a temporary gap. Organisations should build their records of processing, privacy notices and internal guidance to reflect UK GDPR as a distinct regime, not a copy of the EU original.
Key sources
- Data (Use and Access) Act 2025, section 70 (legislation.gov.uk)
- DUAA Schedule 4 (Annex 1 conditions) (legislation.gov.uk)
- ICO Guidance: Recognised Legitimate Interest (ico.org.uk)
- DSIT Factsheet: UK GDPR and DPA provisions (gov.uk)
- CJEU Case C-621/22 (KNLTB) (eur-lex.europa.eu)
- EDPB Guidelines 1/2024 on Legitimate Interests (edpb.europa.eu)
Get in touch
For advice on how the recognised legitimate interests basis applies to your processing activities, or on structuring dual-track UK/EU compliance frameworks, contact Rob Bratby at Bratby Law.
