The goal of this article, as stipulated by its title, is to bring this complex notion to the understanding of every privacy stakeholder. The protection of personal data has been a major preoccupation of the European legislators in recent years. Apart from data protection being a fundamental Human Right, it is worth noting that almost all the other fundamental Human Rights rely on personal data. For instance, if a person’s personal data such as name, address, bank details and location falls into the wrong hands as a result of inappropriate data protection policies, the damages may range from financial losses to bodily harm, thus affecting the individual’s right to property, life et cetera. It is for these reasons that the General Data Protection Regulation lays down conditions under which personal data must be processed, grants a list of rights to data subjects and fixes very heavy fines that await defaulters.
Among the lawful grounds for processing personal data is the legitimate interest pursued by the controller. This ground is mostly used by online marketing companies. Considering that the GDPR gives no clear definition of "legitimate interest", this article provides a clear understanding of such interest, the circumstances under which it may arise, as well as a balancing exercise and guiding factors that would help in understanding whether the legitimate interest pursued by the controller actually overrides the fundamental rights and freedoms of the data subject, a precondition for processing personal data under such grounds.
Table of Contents
1. INTRODUCTION
1.1. Processing Personal data
1.2. Lawfulness of the processing
1.3. Legitimate interest: not necessarily that of the controller
2. AN UNDERSTANDING OF LEGITIMATE INTEREST
2.1 The GDPR and the notion of legitimate interest
2.2 The WP29 and the notion of legitimate interest
3. WHEN SHOULD PERSONAL DATA BE PROCESSED UNDER LEGITIMATE INTEREST?
3.1 The balancing exercise
3.2 Factors determining the outcome of the balancing exercise
4. THE BALANCING TABLE
5. CONCLUSION
BIBLIOGRAPHY
1. INTRODUCTION
In force since May 25 2018, the General Data Protection Regulation (GDPR)1 is no doubt the world’s most severe privacy law, at least for the moment. Its severity can be seen from the huge administrative fines (up to 20 million Euros) that await defaulters, and its extraterritorial scope and application to seemingly every situation makes matters even more complicated.2 The GDPR protects all data subjects located in the EU, be they nationals, residents, refugees or mere tourists. And being a Regulation, the GDPR is directly applicable in all EU Member States, and as such, unlike a Directive, it creates rights and obligations for individuals.3
In order to effectively protect personal data, the GDPR does not only grant numerous rights to data subjects,4 but it equally lays down conditions for processing personal data. Among these conditions is the lawfulness requirement, and legitimate interest is one of the lawful grounds that satisfy it.5 The legitimate interest ground is regularly used by marketing companies in the online environment, and the complex nature of this lawful ground has made it difficult for some data controllers to actually understand it. The goal of this article, as stipulated by its title, is to bring this complex notion to the understanding of every privacy stakeholder.
1.1. Processing Personal data
According to the GDPR, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.6 It equally gives “processing” a broad definition, by stating that: “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.7
Before seeking to comply with the legality (lawfulness) requirement, controllers must first determine whether their activity amounts to the processing of personal data. There is no doubt when a direct identifier such as a person’s name, email address or telephone number is used. However, the use of remote, indirect identifiers poses a challenge, especially as an individual may not be easily identified by such identifiers. The GDPR provides: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”8 However, the mere fact that an individual can be identified by such remote identifiers does not automatically qualify such identifiers as personal data. According to the GDPR, to determine whether an identifier amounts to personal data, objective factors such as the state of technology and the cost and time of such identification are to be taken into account. This means that, if it would be very expensive and take much time to identify an individual through the use of a certain remote identifier or group of identifiers, then the latter may not amount to personal data, because such data would rather fall under anonymous data, which lies outside the scope of the GDPR.9 Once it is ascertained that the identifiers involved amount to personal data, the controller must then look for a lawful ground for processing such personal data.
1.2. Lawfulness of the processing
According to Art.6 GDPR, for a processing to be lawful, it must receive either the consent of the data subject concerned or the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or the processing is necessary for compliance with a legal obligation to which the controller is subject; or the processing is necessary in order to protect the vital interests of the data subject or of another natural person; or the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.10
1.3. Legitimate interest: not necessarily that of the controller
A good understanding of the concept of legitimate interest could be obtained from the former Data Protection Directive and its Working Party 29. It is however worth noting that the legitimate interest must not necessarily be that of the controller, the person determining the purpose and means of the processing. It could as well be that of third parties; indeed, the GDPR speaks of “the legitimate interests pursued by the controller or by a third party”. The WP29 in opinion 06/2014 gave examples of situations where personal data can be processed under the legitimate interest of third parties.
According to WP29, one of the important contexts where Article 6(f) may be relevant is the publication of data for purposes of transparency and accountability (for example, the salaries of top management in a company). In such a situation, it can be observed that the public disclosure is done primarily not in the interest of the controller who publishes the data, but instead, in the interest of other stakeholders, such as employees or journalists, or the general public, to whom the personal data are disclosed.11 Also, another important context where disclosure in the legitimate interests of third parties may be relevant is historical or other kinds of scientific research, particularly where access is required to certain databases. In that case, such publication cannot be said to be for the sole interest of the controller.12 Lastly, according to WP29, the legitimate interest of third parties may also be relevant in a different way. This is the case where a controller - sometimes encouraged by public authorities - is pursuing an interest that corresponds with a general public interest or a third party's interest. For instance, in situations where a controller makes disclosures to assist law enforcement or private stakeholders in their efforts to combat illegal activities, such as money laundering, child grooming, or illegal file sharing online.13 However, the GDPR imposes no obligation on controllers to make such disclosures.
The ECJ ruled that: “Article 7(f) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not imposing the obligation to disclose personal data to a third party in order to enable him to bring an action for damages before a civil court for harm caused by the person concerned by the protection of that data. However, Article 7(f) of that directive does not preclude such disclosure on the basis of national law”.14
Processing personal data under legitimate interest has been well elaborated by the WP29 under the Data Protection Directive, and equally provided for by the GDPR. However, considering the complexity of the concept, controllers really have to be prudent when processing personal data under such grounds.
2. AN UNDERSTANDING OF LEGITIMATE INTEREST
The definition of what may fall under the legitimate interest of the controller can be construed from certain provisions of the GDPR as well as from the interpretation given to it by the Working Party 29.
2.1 The GDPR and the notion of legitimate interest
Legitimate interest is a lawful ground that is regularly used by controllers to process personal data in the online environment, especially when doing digital marketing. As a complex topic, the concept has raised several questions in recent years. Art 6(1)(f) GDPR states: “Processing shall be lawful only if and to the extent that at least one of the following applies: ... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”15
However, the GDPR gives no clear definition of “legitimate interest”, and Recital 47 GDPR provides only examples of such situations, including: where there is a relevant and appropriate relationship between the data subject and the controller, in situations such as where the data subject is a client or in the service of the controller and the client reasonably expects such processing to take place; where the processing of personal data is strictly necessary for the purposes of preventing fraud; and where the processing of personal data is done for direct marketing purposes.16
2.2 The WP29 and the notion of legitimate interest
Created by Art.29 of the Data Protection Directive (DPD)17, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, usually referred to as WP29, was composed of representatives of the respective supervisory authorities designated by their Member States, of the respective representatives of the authorities established for the Community institutions and bodies, and of a representative of the Commission.18 In addition to other functions, the WP29 had the power to examine any question covering the application of the national measures adopted under the Directive in order to contribute to the uniform application of such measures and to, on its own initiative, make recommendations on all matters relating to the protection of persons with regard to the processing of personal data in the Community.19 It is worth mentioning that the WP29 has, since May 2018, been replaced by the European Data Protection Board, with a similar role and functions under the GDPR.20 However, despite this succession, the opinions of the WP29 still remain valid in construing the meaning of legitimate interest.
The WP29 gave a long, non-exhaustive list of some of the most common contexts in which the issue of legitimate interest in the meaning of Article 7(f) Data Protection Directive (now Art. 6(f) GDPR) may arise.21 It is presented here without prejudice to whether the interests of the controller will ultimately prevail over the interests and rights of the data subjects when the balancing is carried out.
WP29 equally added: “To illustrate: controllers may have a legitimate interest in getting to know their customers' preferences so as to enable them to better personalise their offers, and ultimately, offer products and services that better meet the needs and desires of the customers. In light of this, Article 7(f) may be an appropriate legal ground to be used for some types of marketing activities, on-line and off-line, provided that appropriate safeguards are in place (including, among others, a workable mechanism to allow objecting to such a processing under … However, this does not mean that controllers would be able to rely on Article 7(f) to unduly monitor the on-line or off-line activities of their customers, combine vast amounts of data about them from different sources that were initially collected in other contexts and for different purposes, and create - and, for example, with the intermediary of data brokers, also trade in - complex profiles of the customers' personalities and preferences without their knowledge, a workable mechanism to object, let alone informed consent. Such a profiling activity is likely to present a significant intrusion into the privacy of the customer, and when this is so, the controller's interest would be overridden by the interests and rights of the data subject.”22
[...]
1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
2 The GDPR does not only apply to controllers and processors located in the EU (regardless of where the processing takes place), but it equally applies to non-EU establishments that offer goods or services to data subjects located in the EU, or monitor the behaviour of such data subjects. See Art. 3 GDPR
3 TFEU Art. 288. Regulations have horizontal direct effect, and so individuals can sue another private individual for violating a Regulation. But since Directives have just vertical direct effect, they are applicable only to the state, and as such do not create rights and obligations for individuals. But since states are required to implement directives into their national laws, an individual who suffers damage resulting from the failure to implement a directive may sue the state for such failure. In Francovich v. Italy and Van Gend en Loos cases, the ECJ ruled that Member States who failed to implement a directive could incur liability to pay damages to individuals and companies who had been adversely affected by such non-implementation
4 GDPR, Arts. 12-22
5 Id, Art. 6(1)(f)
6 Id, Art. 4(1)
7 Id, Art. 4(2)
8 GDPR, Recital 30
9 Id, Recital 26
10 Id, Art.6(1)(a)-(f)
11 WP29, Opinion 06/2014
12 Id
13 Id
14 ECJ preliminary ruling in Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v. Rīgas pašvaldības SIA ‘Rīgas satiksme’, Case C‑13/16, 4 May 2017
15 Id, Art.6(1)(f)
16 Id, Recital 47
17 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
18 Id, Art 29(1)&(2)
19 Id, Art.30(1)&(3)
20 GDPR, Arts.68, 69 & 70
21 See p.9
22 WP29 Opinion 06/2014