Authors: Elena Cioponea, Iurie Cojocaru
Some of our day-to-day activities involve conducting legitimate interest assessments. In this context, we have repeatedly dealt with the question “What makes an interest ‘legitimate’?”.
Until now, it was commonly known that a purely commercial interest could have been qualified as legitimate interest under the GDPR. The Dutch data protection authority’s strict interpretation of legitimate interest, however, has recently raised concerns across the EU, including at the EU Commission level.
The Dutch data protection authority sanctioned a controller for unlawfully processing personal data, as it considered that the controller’s purely commercial interests are not legitimate under the GDPR.
The authority considered that a legitimate interest may only be a “legal interest” (meaning that it should derive from the law) and did not further assess the elements of a legitimate interest assessment.
The highest administrative court in Netherlands annulled such decision, but did not reveal its perspective on the matter, as it found that the controller could have relied on other legitimate interests as well, and those legitimate interests were not purely commercial. It also did not refer the question to the Court of Justice of the European Union (CJEU).
Furthermore, the EU Commission has published a letter to the Dutch data protection authority arguing that the authority’s strict interpretation is not compliant with the GDPR, the guidelines of the Article 29 Working Party (currently replaced by the European Data Protection Board (EDPB) – the European body reuniting representatives of all the EU data protection authorities), and the case law of the CJEU.
The question whether a purely commercial interest may be considered legitimate interest under the GDPR, thus, remains debatable.
Keeping that in mind, let’s dive a little deeper into the matter.
Some of our thoughts
Under the GDPR, you should always have a legal ground for processing personal data. When relying on legitimate interest (particularly when such interest is essentially commercial), there are some aspects to be borne in mind:
- Under the GDPR, you may successfully ground your processing activity on legitimate interest when the following conditions are met:
- There is a legitimate interest pursued by you or by a third party behind the processing.
- The processing is necessary for attaining the purposes of that legitimate interest.
- Such interest should not be overridden by the interests or fundamental rights and freedoms of the data subjects.
- Although not expressly mentioned in the GDPR, to rely on legitimate interest you should pass this three-part test mentioned above. This approach is not new, as it resulted from the CJEU case law before the GDPR (Rigas case).
- Also, while the freedom to conduct a business is provided by the EU Charter, recital 4 of the GDPR states that the right to the protection of personal data is not an absolute right. This means that pursuing a purely commercial interest is not prohibited under the law and may be considered legitimate.
- Recital 47 of the GDPR further provides that “processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. This underlines that the purpose of the GDPR was not to preclude a business from growing, but rather to ensure data protection while conducting a business.
- Article 29 Working Party issued its Opinion 06/2014, stating that “the notion of legitimate interest could include a broad range of interests, whether trivial or very compelling, straightforward or more controversial”. It further emphasized that a legitimate interest should be “acceptable under the law” and such condition should be interpreted in the broadest sense.
- This was the common approach across the EU, before the Dutch data protection authority came with its different opinion.
Legitimate interest across Europe
While the EU is struggling with the qualification of “purely commercial interest” as legitimate interest under the GDPR, the UK intends to simplify the matters and regulate certain situations when carrying out a legitimate interest assessment will no longer be required. The UK government introduced the Data Protection and Digital Information Bill to Parliament, which, amongst others, provides certain “recognized legitimate interests” and the possibility for such list to be further amended – we don’t know whether it will also cover (purely) commercial interests in the future.
It remains to be seen whether and how the position of the Dutch data protection authority will influence the optic of other national authorities, EDPB, CJEU case law, and reconcile with the EU Commission’s point of view. It will also be quite interesting to keep an eye on whether the proposed changes in the UK will be implemented and whether they will ultimately influence the approach at EU level.
- Your purely commercial interest may qualify as a legitimate interest as long as it overrides the data subjects’ interests or fundamental rights and freedoms.
- Self-assessment is essential under the GDPR. Carefully consider all your interests when carrying out a legitimate interest assessment – you may discover, following a more detailed analysis, some additional interests to rely on.
- Your interests should not be the only aspect assessed when relying on legitimate interest as a legal ground. You should also consider the necessity of the processing for pursuing that legitimate interest, as well as the balance between your legitimate interest and the data subjects’ interests or fundamental rights and freedoms.