On 8 October 2024, the European Data Protection Board (EDPB) published draft guidelines on the processing of personal data on the legal basis of legitimate interest under Article 6(1)(f) of the General Data Protection Regulation (GDPR).
Under Article 6(1)(f) GDPR, a legal basis to process personal data exists where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the relevant data subject(s).
The draft guidelines are timely in light of the recent CJEU decision in Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (C-621/22), in which the CJEU clarified that the legal basis of legitimate interest can be relied on for a ‘purely commercial interest’. As the GDPR does not define what constitutes a ‘legitimate interest’ (recital 47 offers only indicative examples), the guidelines provide welcome insight to controllers on how, and in what circumstances, this legal basis can be relied on. In the main, the guidelines build on previous guidance from the former Article 29 Working Party (since replaced by the EDPB).
Reliance on Legitimate Interest as a Legal Basis
The draft guidelines emphasise that Article 6(1)(f) GDPR is not intended to be a ‘last resort’ in circumstances where other legal bases for processing personal data are deemed not to apply: it must be applied ‘judiciously’. In this regard, the legitimate interest basis should not be automatically chosen, nor should its application be extended to circumvent specific legal requirements.
The 3 Step Test: Legitimate Interest Assessment
To rely on Article 6(1)(f) GDPR a controller must assess whether three conditions are met:
- There is a legitimate interest of the controller or of a third party
There must be an interest pursued that is legitimate. For an interest to be considered ‘legitimate’, it must be lawful, present and not merely speculative, and its scope should be clearly set out. If the interest relates to a future project which may or may not materialise, or if its scope is open-ended, it will fail this part of the test. Where the processing is in the controller’s own interest, that interest should relate to the activities of the controller. The guidelines also provide examples of the main contexts in which processing of personal data in the interest of a third party may be legitimate.
- The processing is necessary for the purpose of achieving the legitimate interest
The processing must be more than merely useful in achieving the legitimate interest pursued; it must be ‘necessary’. If the interest could be achieved as effectively in a manner which is less restrictive of the rights and freedoms of data subjects, the processing of personal data may not be deemed ‘necessary’. The guidelines reiterate the importance of the data minimisation principle when relying on Article 6(1)(f) GDPR: the personal data processed should be adequate, relevant and limited to what is strictly necessary for the purposes of the processing.
- The legitimate interest must not be overridden by the interests or fundamental rights and freedoms of the data subject (the ‘balancing exercise’)
The controller must undertake a balancing exercise to ensure that the processing activities do not have a disproportionate impact on the data subjects’ rights. In this regard, the controller must:
- identify and describe the data subjects’ interests, fundamental rights and freedoms, bearing in mind that ‘interests’ can comprise several potential interests, whether financial, social or personal.
- assess the impact of the processing on the data subject, taking into consideration:
- the type of personal data involved (e.g. is any special category data being processed?);
- the context of the processing (e.g. the status of the controller vis-à-vis the data subject); and
- potential further consequences of the processing (e.g. the possible production of legal effects for the data subject).
- take into account the reasonable expectations of the data subject(s), which the guidelines note may be distinct in a given sector based on what is considered common practice.
- adopt mitigating measures where required (including appropriate safeguards such as an opt-out mechanism) to reduce any negative impact on data subjects that has been identified. The assessment should then be repeated to determine whether the mitigating measures sufficiently remedy the imbalance. If no mitigating measures can reduce the impact on the data subjects sufficiently, the processing cannot be based on the legitimate interest of the controller (or of a third party).
Interaction with Data Subject Rights under the GDPR
The guidelines emphasise that organisations must comply with the principle of transparency and uphold the data subject rights protected under the GDPR when processing personal data under Article 6(1)(f) GDPR. This includes providing clear information about the legitimate interests pursued and facilitating the exercise of rights (such as access, rectification, erasure and objection). As compliance with the GDPR is a legal obligation, it cannot in itself be counted as a mitigating measure in the balancing exercise. Going beyond what is strictly required, however, may serve as an additional safeguard that can be taken into account. An example would be allowing a data subject to have their data erased in circumstances where the grounds for erasure under Article 17 GDPR do not strictly apply.
Contextual Examples
The guidelines also provide a number of contextual scenarios in which the legitimate interest basis may be relied on. They examine the specific issues to consider in each, including whether another legal basis under Article 6 GDPR would be more appropriate in a given set of circumstances. One area not explored specifically is the applicability of Article 6(1)(f) GDPR in the field of artificial intelligence (AI). For the moment, pending guidance and an Article 64(2) GDPR opinion from the EDPB, controllers must apply a strict interpretation of the 3-step test to determine whether the legal basis may be relied on for their individual processing activities related to AI, such as the training or deployment of AI systems.
Conclusion
The draft EDPB guidelines consolidate and build upon recent developments in case law relating to legitimate interest and so provide a useful resource to guide controllers on its applicability as a legal basis for processing personal data. The guidelines also serve as a reminder that, while legitimate interest is often seen as a flexible legal basis, it cannot be treated as a legal basis of last resort and requires a careful and documented analysis. Controllers must meet several thresholds and demonstrate compliance with a variety of obligations. The contextual examples show that certain factors may carry more weight in one context than in another, meaning that the choice of legal basis must be considered carefully for each processing activity.
The guidelines are open to public consultation until 20 November 2024. For advice on whether the legal basis of legitimate interest can be relied on for a specific processing activity, or for clarification on the legal basis in general, please contact Leo Moore, Rachel Hayes or your usual William Fry contact.
Contributed by Louisa Muldowney