This article has been written by Karthika R pursuing a Diploma in International Contract Negotiation, Drafting and Enforcement from LawSikho and edited by Koushik Chittella.
Introduction
The GDPR (General Data Protection Regulation), adopted by the European Union in 2016 and applicable since 25 May 2018, can be regarded as the Grundnorm of global data privacy legislation. Its enforcement marked the inception of a whole new system of compliance obligations that organisations must follow to protect the personal data of EU residents. Under the GDPR, businesses worldwide that offer goods or services to EU residents are required to take proactive technical and organisational measures to protect the personal data they collect from them. In this article, we explore the scope and viability of using legitimate interest as the lawful basis for processing personal data under the GDPR.
Compliance and violation
Any violation of the GDPR can attract hefty fines, amounting to up to 20 million euros or 4% of the organisation's worldwide annual turnover, whichever is higher (Article 83(5)). It is therefore essential for businesses to remain compliant with the GDPR.
The compliance obligations an organisation must follow depend on whether it acts as a data controller, which determines the purposes and means of processing the personal data of EU residents, or as a data processor, which processes personal data on behalf of a controller. The GDPR permits the processing of personal data only where a lawful basis exists. Article 6 recognises exactly six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interest.
Legitimate interest
Legitimate interest, as a lawful basis, allows the data controller to pursue its own interests without compromising the rights of the data subject. Under Article 6(1)(f) of the GDPR, processing is lawful where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. This basis is subject to an important exception: it does not apply where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Public authorities cannot rely on legitimate interest for processing carried out in the performance of their tasks (last sentence of Article 6(1)). They may rely on it only for processing that falls outside the performance of their public duties.
When a data controller's processing does not fit within any of the first five lawful bases provided under Article 6, such processing may still be justified under legitimate interest. The legitimate interest pursued can be either the data controller's own interest or that of a third party, and may include commercial interests, individual interests, or wider societal benefits. Before the GDPR applied, legitimate interest as a basis for processing was governed by Article 7(f) of Directive 95/46/EC.
Compared to the other five lawful bases, legitimate interest is the most flexible. There are two main situations in which data controllers rely on legitimate interest as the lawful basis for processing:
- No other lawful basis can be relied upon because of the specific nature and circumstances of the processing.
- More than one lawful basis could be relied upon, but legitimate interest is the most appropriate one.
Legitimate interest and potential areas for application
Recitals 47 to 50 of the GDPR give examples of processing that may rest on legitimate interest, such as fraud prevention, direct marketing, intra-group transfers of personal data for internal administrative purposes, and ensuring network and information security. Potential areas where a data controller may apply legitimate interest as a lawful basis, after conducting a legitimate interest assessment (LIA), include:
- General corporate operations and due diligence: for day-to-day business operations and strategic growth
- Product development and enhancement.
- Direct marketing and communications
- To run background checks by HR departments
- Fraud detection and prevention: by financial institutions like banks, credit card companies, insurance companies, or any organisation involved in customer service
- Network and information systems security
- Social media platforms: profiling for targeted advertising (an area where supervisory authorities and the CJEU have been reluctant to accept legitimate interest as sufficient)
- Personalisation for enhancing customer experience.
- Artificial Intelligence: To train Large Language Models (LLMs)
- Automated decision-making based on customer history
- Location-based services
- Data set/information received through M&A transactions.
Legitimate Interest Assessment
A legitimate interest assessment (LIA) is a crucial process undertaken by data controllers to establish the legal basis for processing personal data. When relying on legitimate interest, organisations must demonstrate that their interest in processing the data is valid, necessary, and balanced against the rights of data subjects. Essentially, LIA ensures that data controllers strike the right equilibrium between their objectives and individual privacy rights, thereby complying with data protection regulations.
While performing the LIA, the data controller has to conduct a three-part test. The three-part test is derived from the wording of Article 6(1)(f): the controller must identify a legitimate interest, show that the processing is necessary for that interest, and show that the interest is not overridden by the rights and freedoms of the data subject.
The three-part test includes the following:
- The purpose test
- The necessity test
- The balancing test
Purpose Test
By conducting the purpose test, the data controller establishes the legitimate interest it has in processing the data. During this test, the controller has to set out why it needs to process the data and what benefit it would receive from doing so. The controller should also assess how important that benefit is and what the likely effect of not processing the data would be. Additionally, the controller has to identify any benefits that third parties receive from the processing, including wider societal benefits.
Necessity Test
The necessity test helps the data controller establish how the processing of data is necessary for pursuing the legitimate interest. In this test, the data controller has to prove that the processing of data done by it is in proportion to the intended purpose (legitimate interest) that is sought to be achieved. During this test, the data controller has to find out whether the processing can be done using less data or through less intrusive methods.
Balancing Test
The balancing test is the final and pivotal part of an LIA. For data controllers to rely on legitimate interest as their lawful basis for processing personal data, they must demonstrate that the rights and freedoms of the individuals do not override the legitimate interest they seek to pursue. In essence, the controller must show that the processing does not unduly impact data subjects' rights, striking an equilibrium between organisational objectives and privacy considerations.
For the purpose of conducting this test, the data controller has to consider the specific nature of the data, for example whether it is special category data or data relating to children. The controller also has to establish that the processing falls within the reasonable expectations of the data subject, given the relationship with the controller and the goods or services delivered. Finally, the controller has to evaluate the impact of the processing on the data subjects and the safeguards it has adopted to mitigate any potential risks posed by the processing.
Thereafter, the data controller shall make a reasoned decision as to whether to continue with the processing on the basis of legitimate interest. After completing the LIA, the controller has to record the outcome so that it can demonstrate compliance under the accountability principle (Article 5(2)).
Result of the balancing test
Generally, if the balancing test turns out to be negative, the data controller cannot rely on legitimate interest for processing the data. To continue pursuing the legitimate interest, the controller can attempt to narrow the scope and nature of the processing or introduce more effective technical and organisational safeguards to mitigate its impact, and then rerun the balancing test. If the result is negative once again, the controller should stop the processing or rely on another lawful basis for it.
Effect of legitimate interest on GDPR principles and data subject rights
While processing personal data based on legitimate interest, the data controller or third party has to comply with the principles of data processing prescribed under Article 5 of the GDPR, such as transparency, purpose limitation, and data minimisation.
As far as the transparency principle is concerned, just as with processing based on consent, a controller relying on legitimate interest must issue privacy notices to data subjects as prescribed under Articles 13 and 14. These notices must state that the processing is based on legitimate interest and identify the legitimate interests pursued (Articles 13(1)(d) and 14(2)(b)), and the right to object must be explicitly brought to the data subject's attention (Article 21(4)).
Conducting a proper LIA helps organisations comply with principles such as purpose limitation and data minimisation. If the outcome of the LIA is not in the controller's favour and the controller nonetheless proceeds, the processing has no lawful basis and the controller cannot demonstrate compliance under the accountability principle. When processing relies on legitimate interest, most data subject rights remain fully applicable, including the rights of access, rectification, erasure, restriction, and objection. One exception is the right to data portability (Article 20), which applies only to processing based on consent or contract. Additionally, data subjects are protected from decisions based solely on automated processing (Article 22). In essence, legitimate interest strikes a balance between organisational needs and individual rights.
Having said that, some of these rights cannot be exercised unconditionally. For instance, the right to erasure does not follow automatically from processing based on legitimate interest. In this context it typically arises where the data subject has objected to the processing under Article 21(1) and the controller cannot demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject (Article 17(1)(c)).
Similarly, if the processing is carried out for fraud prevention or network and information systems security, an objection raised by the data subject may not be sufficient to outweigh the legitimate interest of the controller. Nevertheless, data subjects have an absolute right to object to processing for direct marketing purposes (Article 21(2) and (3)).
Relevant case laws
Ryneš Case
In this well-known case (C-212/13), the CJEU recognised the legitimate interest of a homeowner who had installed a surveillance camera outside his home, which monitored the entrance to his home, a small portion of the public footpath, and the entrance to the house opposite. The dispute arose when one of the two suspects who had broken a window of Mr. Ryneš's home challenged the lawfulness of the video submitted as evidence in the criminal proceedings, which had been recorded by Mr. Ryneš's camera. The suspect argued that the recording was unlawful processing of his personal data, since he had not consented to it and had not been informed of the existence of the camera.
The CJEU held that video surveillance does not fall within the exemption for processing in the course of a purely personal or household activity if it "covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner." However, the Court observed that the Directive (in particular Article 7(f)) allows the national court to take into account the legitimate interest of the controller, in this case a homeowner's interest in protecting the property, health and life of himself and his family, when assessing the lawfulness of the processing.
Google Spain Case
In this landmark case (C-131/12), a Spanish citizen, Mario Costeja González, requested a newspaper to remove an article about his past debt proceedings from its website, and made a similar request to Google Spain to remove the links that appeared when his name was entered into the search engine. Both the newspaper and Google refused. The applicant then lodged a complaint with the Spanish Data Protection Authority (AEPD). The authority decided that the newspaper was under no obligation to remove the content, owing to the journalistic exception, but that Google was under a duty to remove the links. Google challenged the decision before the Spanish National High Court, which referred questions to the Court of Justice of the European Union. Google argued a lack of jurisdiction, since Google Inc. is based in California, US, and relied on its own legitimate interest in processing the applicant's personal data as well as the legitimate interest of internet users in accessing information.
The CJEU, after balancing the data subject's rights to privacy and data protection against the legitimate interest of the search engine operator and the general public's interest in accessing information, held that the fundamental rights of the data subject override, as a general rule, the economic interest of the controller and the interest of the public in having access to that information, and therefore allowed the applicant to exercise his right to have the links removed.
Italian SA's order against OpenAI
In March 2023, the Italian Data Protection Supervisory Authority (the Garante) took a critical step against OpenAI and its large language models (LLMs). The authority ordered an immediate temporary restriction on the processing of Italian users' data because of concerns about how personal data was being used to train the algorithms behind ChatGPT. The Supervisory Authority questioned, among other things, the legal basis for collecting and processing this data.
Following the order, OpenAI updated its privacy policy in April 2023, clarifying that it relies on legitimate interest as the lawful basis for training its models.
Challenges
- It can be used as a lawful basis only when the organisation has a compelling reason for the processing.
- Although legitimate interest is the most flexible lawful basis for processing personal data, it can be used only where the processing is carried out in ways that individuals reasonably expect and that affect their privacy in the least intrusive manner possible.
- A major challenge in using legitimate interest as a lawful basis is that if the processing does not satisfy all the requirements of Article 6(1)(f), it has no lawful basis at all, making it unlawful and exposing the organisation to hefty fines.
- The data subject's rights to object and to erasure can override the legitimate interests of the controller, with only limited exceptions such as fraud prevention and network and information systems security. This may lead to organisations suffering potential losses.
Overcoming challenges in using legitimate interest as a legal basis
- Before investing in the processing of personal data based on legitimate interest, make sure that it involves a compelling justification.
- Conduct LIAs in an unbiased manner by complying with provisions associated with legitimate interest under the GDPR and documenting it properly.
- Stick to the GDPR principles associated with data processing.
- Keep the data subjects informed about the processing of personal data and the legitimate interest associated with it.
- Implement both technical and organisational measures to mitigate the impact of the processing on the data subjects.
- LIAs should be reviewed and updated if the processing activity changes or develops over the course of time.
Conclusion
If used properly, legitimate interest as a lawful basis offers businesses great flexibility to pursue various organisational needs and strategic growth through the processing of personal data. If the data controller is not sure whether the data subject's rights outweigh the legitimate interest it is trying to pursue, it is better to find another lawful basis for the processing. Legitimate interest may not be the most suitable basis if the processing involves high risk or falls outside the reasonable expectations of the data subjects. Unwarranted use of legitimate interest as a lawful basis violates the rights of the data subjects. Processing personal data unlawfully invites huge fines and is detrimental to both the reputation and the financial position of the organisation.
References
- https://gdprhub.eu/index.php?title=CJEU_-_C-212/13_-_Franti%C5%A1ek_Ryne%C5%A1
- https://eur-lex.europa.eu/eli/dir/1995/46/oj
- https://gdpr-info.eu/recitals/no-47/
- https://gdpr-info.eu/art-6-gdpr/
- https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9874702#english
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131
- https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=ecli%3AECLI%3AEU%3AC%3A2014%3A2428
- https://dpnetwork.org.uk/wp-content/uploads/2023/08/DPN-Legitimate-Interests-Guidance-2018.pdf
- https://gdpr-info.eu/recitals/no-39/