As referenced in Dennis’ kick-off post for our General Data Protection Regulation (GDPR) blog series, organizations established or operating in the EU must have a legal basis for processing personal data. The GDPR provides for six legal bases for such processing: consent, legitimate interest, contract, legal obligation, vital interests and public tasks. Most organizations looking to acquire new customers or users will look to consent or legitimate interest as the permissible basis for processing. Last week we heard from Elizabeth, our Privacy Specialist, about consent. This week we’re going to look at “legitimate interest.” There’s been quite a bit of confusion around Legitimate Interest, so we’ll try to clarify and tell you how we’re thinking about it!
First, let’s take a look at the relevant language of GDPR Article 6(1)(f) on legitimate interest:
Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
It’s tempting to think that legitimate interest can be used to cover a broad array of circumstances, obviating the need for consent. But broad interpretations of this section have been openly discouraged: “open-ended exceptions along the lines of Article 6 GDPR, and in particular Art. 6(f) GDPR (legitimate interest ground), should be avoided.” See Article 29 Data Protection Working Party, Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC), adopted 4 April 2017.
So where do organizations draw the line?
Legitimate interest at play
First, let’s consider what is a legitimate interest. The GDPR provides some examples such as processing personal data to prevent fraud, for internal administrative purposes relating to employees and clients, to ensure network and information security, and to report possible criminal acts or threats to public security to a competent authority. In addition, data processing that is necessary to meet internal or external corporate governance or related legal compliance requirements is likely to be considered a legitimate interest.
As a perhaps less obvious example, Recital 47 of the GDPR points to “processing of personal data for direct marketing purposes” as a legitimate interest. A common misunderstanding that we’ve run into here is that this language justifies all marketing and even soft opt-ins. To better understand why this is not the case, it’s helpful first to consider what this wording doesn’t say: it does not say that all email marketing or all sending of direct marketing material is permitted.
Second, it’s critical to remember that the GDPR doesn’t operate in a vacuum. For purposes of direct marketing, organizations and marketers must keep in mind how the GDPR works with the Privacy and Electronic Communication Directive (ePrivacy Directive), which provides supplemental consent rules for marketing sent over phone, fax, email, SMS and other electronic communication channels, and which is currently in the process of being updated. Under the current ePrivacy Directive, opt-in consent for email and SMS marketing is required unless (i) collection occurred at the point of sale and (ii) an opt-out option was provided at that point. So while some first-level marketers have a lawful basis for direct marketing based on sale and opt-out (for now), in all other instances marketers must comply with the opt-in consent requirements, regardless of whether they have a legitimate interest under the GDPR.
What constitutes legitimate interest will become clearer over time with more guidance and decisions by the relevant bodies, and with the publication of the forthcoming amended ePrivacy Directive. In the meantime, we’re using these examples and the parameters established by the GDPR discussed below, as a framework for adhering to the principles of processing on the basis of legitimate interest.
Avoiding legitimate interest pitfalls
To establish with confidence that legitimate interest genuinely exists, organizations should analyze and document both the necessity of the particular processing and their conclusion after balancing the interest of the processing with the rights of data subjects. This is referred to by some as a Legitimate Interest Assessment (“LIA”). As to the necessity of the processing, we suggest getting in the habit of asking: can the same objective be achieved without processing personal data? If the answer is “yes” then the best practice is to move away from legitimate interest as the basis for processing and obtain consent.
If the answer is “no” and the objective cannot otherwise be achieved, a good next step is to ask: is the need for processing outweighed by the interests or rights of the data subjects? When answering this question, it’s important to remember that data subjects have a right to object to legitimate interest as a basis for processing, an objection that can be overcome only with “compelling” reasons set out by the processing organization.
Given these constraints, when relying on legitimate interest as the basis for processing we recommend having a process in place to keep a written record of the necessity and balancing conclusions. This is especially important where the data subject is a child. And as a general practice, it will help avoid legitimate interest pitfalls and demonstrate proper consideration was given to the need for processing and the rights and freedoms of the individuals whose data is being processed.
A note on notice
If an organization relies on legitimate interest as the basis for processing, the GDPR requires that the organization let the individuals whose data is being collected know what the legitimate interests are and that they have the right to object. This can be done at the point of data collection or, in the case of the notice of the right to object, in the section of a privacy notice that deals with individuals’ rights. As with all things GDPR and privacy related, the best way to do this is to be upfront and transparent about your processing activities.