11 February 2020
One of the most ambiguous and controversial components of the GDPR to date is the term "legitimate interests," particularly in Article 6.
In this article we will delve into the sections of the GDPR that use the phrase "legitimate interests" and determine what this phrase means and how it affects you and your business.
While it may seem inconsequential on the whole, a misinterpretation of this term could result in breaking compliance and facing legal repercussions.
Section 1 of Article 6 states the following:
The term "legitimate interests," seen here in point (f), is used in several Recitals and Articles of the GDPR, and there has been much discussion about what these two words mean or imply.
Let's take a look at each of these recitals and articles.
Recital 47 begins with the statement that a "legitimate interest" of the controller may constitute a legal basis for processing the data of a data subject, so long as it does not outweigh that individual's rights and interests.
This is a pretty standard usage of the term, which at first seems fairly straightforward.
However, when we probe the topic further, it soon becomes obvious that the term has some ambiguity.
Your definition of "legitimate interest" may vary from my definition of "legitimate interest," and what a company considers "legitimate interest" could certainly be very different from what a data subject might consider "legitimate interest." This is the heart of the discussion about this phrase, with a variety of interpretations being offered.
In Recital 47 we can assume that the "legitimate interests of a controller" essentially means "the reasons a company might want to do something." In this case, that "something" is processing someone's personal data.
Here's an example:
A video game company is releasing a sequel to one of their most successful games. Their marketing team is tasked with reaching out to buyers of the original game to let them know about the sequel and offer a pre-order special.
The company has contact information collected prior to the GDPR in the form of account email addresses for online game services, mailing addresses from the delivery of previous games, and a fan club with emails for the company newsletter.
Would the legitimate interests of the company allow them to use these avenues to contact these individuals to inform them about the new game? The best answer we currently have is maybe, depending on the specifics of the situation.
Contacting individuals via their online game service account email address simply for playing their previous game may or may not be considered a legitimate interest that outweighs the rights and interests of the individual as described in Recital 47.
This all depends on the purpose of the communication.
For example, if the individuals were contacted through their game service account simply to be told about the new game being for sale, this would likely not be a legitimate interest to justify the communication without an opt-in or consent to do so.
However, if the same users were contacted in the same way to be notified about a game update for security reasons, this would likely be reasonable enough to justify the contact. Security is more of a legitimate interest than trying to make a sale.
While there is no clear answer to this question, it boils down to a question of if your argument would hold up in court if challenged.
Assuming someone would be interested in a sequel simply because they played the previous game is probably not the strongest case (maybe they didn't like the original, maybe video games are no longer a hobby of theirs, etc.). The fact is that you received no consent to use their online game service account in this manner and the assumption is not abundantly clear or reasonable that every individual who played the original game would want to be contacted about its sequel.
The same probably goes for the mailing address of those who purchased previous games.
Sending unsolicited mail about the new game may not be in the interest of some of those who ordered the original (maybe they ordered it as a gift, etc.). Same as in the above case, it would probably not be a solid argument to use the ordering of a previous game as a case of legitimate interest to send marketing material about its sequel.
The third scenario, a fan club email newsletter, is a much stronger case for legitimate interest.
Though this email address was collected prior to the GDPR, a good case could be made for continuing to use it as the data subject has shown interest in receiving news and information about your company by signing up for a fan club newsletter.
Best practice would be to send an email to those users who signed up prior to GDPR enforcement asking them to give compliant consent in light of the new privacy laws. This is known as a re-permission campaign.
Here's an example of such an email:
At the very least, these individuals should be given an obvious option to opt-out if they no longer wish to be contacted in that way.
Recital 47 provides us with plenty to discuss about the meaning of the term, but let's take a look at the other usages.
Recital 48 states that data controllers may have a legitimate interest to transfer data within their organization. For example, a branch of a company may transfer data to another branch or a central entity for the purposes of internal administration or to complete expected tasks.
This sounds like a reasonable case and is permissible under Recital 48 of the GDPR.
Recital 49 states that security and fraud prevention are considered legitimate interests for data controllers.
Essentially, processing data under the basis of legitimate interest is acceptable when there is a security concern regarding the company or the data subject.
This makes sense as both the data controller and data subject should be concerned about such an issue.
Recital 50 states that the processing of personal data for purposes other than those which it was initially collected for should only be allowed when the processing is compatible with those original purposes. When the new purpose is compatible, no additional and separate legal basis aside from the original basis is required.
Some potential compatible purposes include if the processing is:
However, it states that this data should not be further processed if it violates legal, professional or other obligations of secrecy.
Recital 69 states that individuals have the right to object or challenge a company's interpretation of legitimate interests in comparison to their own rights and interests.
Essentially, if a company says they processed an individual's data based on legitimate interests, that individual could challenge the legality of the company's actions in light of their own rights and interests.
For example, if a company contacted a former customer via direct marketing under the veil of legitimate interests when the customer has had no interactions with that company in a span of years, that individual has the right to object and challenge that the company's decision was not proportional to the individual's rights of privacy in that they have not shown interest in the company for an extended period of time and did not wish to be contacted.
If the customer was not expecting any communication from the company nor given an easy way to opt-out of communications, this objection would certainly be justified and could result in penalties against the company if it is discovered that they are acting outside of the guidelines of the GDPR. This is a perfect example of how misinterpretation of the term "legitimate interests" could be dangerous to a company!
Article 69 goes on to say that it is the responsibility of the data controller to demonstrate that their compelling legitimate interest overrides the rights, freedoms, and interests of the data subject (no easy feat).
Recital 88 uses the term in an entirely different way, referring to the legitimate interests of law enforcement officials in the event of data breaches. This odd instance is likely not relevant to your business.
Recital 111 touches on scenarios where data transfer may be necessary (such as legal claims).
It goes on to mention that data requested lawfully may be transferred, but only the data necessary should be transferred to those with a legitimate interest. It also mentions that such data transferring should also take into account the interests and rights of the data subject involved.
While the checks and balances here are similar, it seems the term is used slightly differently as it is not the legitimate interest of the data controller, but another entity.
Recital 113 reinforces much of what was already said in Recital 47, adding instances where non-repetitive transfers take place concerning a limited number of data subjects, and also goes on to state that data controllers should give consideration to transfers in regard to the country of origin, final destination, and anywhere the data is handled in between to ensure sufficient protections are in place.
Article 6: Lawfulness of processing covers under what scenarios the processing of personal data is lawful and allowed. Section 1(f) says the following:
This use of the term "legitimate interests" is similar to the use in Recital 47, but with the added focus on the interests and rights of a child.
This addition emphasizes that the legitimate interests of the data controller must be weighed against the rights and interests of the data subject to determine lawfulness, and suggests that companies must be even more discerning when dealing with children.
This is not the first case where the GDPR extends extra protections to minors and children, and goes to show that great care should be taken in situations regarding them.
Let's take our example from above about the video game company, but apply it in a case where it is being marketed to children.
Once again, children who (probably with the consent of their parents) have joined a fan club newsletter would probably be a safe bet for claiming legitimate interest by both the company and data subject. This individual has expressed interest in the past in your company's products and provided contact information to receive news and updates.
However, if you sent an email to their online gaming account or direct mail to their residence marketing a new game without express consent from that individual or their parent, you can imagine how this could be construed poorly.
Article 13 deals with consent, providing guidelines for what must be shared with data subjects upon the collection and processing of their personal information. In Section 1(d), it refers to Article 6, stating that the data subject must be informed where processing is based on legitimate interests of the controller.
Essentially, this means that if data is being processed on the grounds of legitimate interests of the company, this must be disclosed to the data subject. This is along the lines of the GDPR's focus on transparency and would make it easy for data subjects to object to or challenge these decisions as we discussed previously in Recital 69.
So in addition to a helpful guideline informing us what needs to be disclosed to users upon the collection of their data, this point highlights the importance of having a strong reason for using legitimate interests as a lawful reason for processing an individual's data. Since data subjects must be informed where this reasoning is used, it would be very easy for them to challenge that such a claim violates their own rights and interests.
Legitimate interests are mentioned in Article 14 as a piece of information that data subjects should be provided with when their data is processed and has not been obtained directly from the data subjects.
Specifically, it refers to section (f) of Article 6, Section 1, stating that data subjects should be informed if their personal data is being processed for the reason of legitimate interests.
Furthermore, along with transparency and fairness, data subjects should be informed how legitimate interests justify further processing of their personal data.
Section 5 has a few exceptions to this:
Here we see legitimate interests referred to on the end of the data subject rather than the data controller, adding further confusion to the term.
Article 22 mentions legitimate interests in Section 2(b) where it states that individuals have the right to not be subject to automated decisions which could have legal or otherwise significant effects. It simply states that this can be overridden in cases where the Union or Member State law authorizes such an action with suitable safeguards in place concerning the data subjects rights, freedoms, or legitimate interests.
Similar to Article 14, this is a case where the GDPR requires that the legitimate interests of the data subject are considered when policies are made.
Section 3 of Article 22 also declares that the legitimate interests of the data subject should be protected by methods such as requiring human intervention and the right to object to automated processes.
Part 4 of Article 22 states that special categories of data should not be used in automated decisions except in certain scenarios, in which case safeguards need to be in place yet again for the data subject's legitimate interests.
Article 35 requires that assessments be made prior to the usage of new procedures or technologies as they could potentially include new risks to the privacy of data subjects involved.
Among other concerns that should be addressed in such an assessment, the legitimate interest of the controller is required to be described along with the operations and purpose of processing.
Section 7(d) once again mentions that that assessment should take into account the legitimate interests along with the rights and freedoms of the data subjects.
Article 40 encourages the drafting of codes of conduct to assist in the enforcement and understanding of the GDPR.
Second among a list of 11 points in Section 2 is "the legitimate interests pursued by controllers in specific contexts." This shows the weight given to legitimate interests among other concerns, holding it in relatively high regard.
Article 49 discusses situations when data can be transferred to another country or territory.
Among the stipulations given are cases where the data controller can demonstrate a legitimate interest. Further on in the paragraph it mentions "purposes of compelling legitimate interests pursued by the controller."
We can see by this point that legitimate interests have started to become more specific with adjectives like "compelling" being added to show that legitimate interests must be convincing and proportional if they are used to process data where compliant consent was not previously obtained.
At the end of that paragraph it is stated that the data subject must be informed of such a transfer and the compelling legitimate interests pursued. This reinforces the fact that data subjects have the right to challenge or object to legitimate interests, so they better be convincing.
Article 49 goes on to mention when legitimate interests are sufficient for a transfer to take place and states that only the data necessary be transferred, not the entire file or registry.
The last mention of legitimate interests in the GDPR is in Article 88 which deals with the processing of the personal data of employees.
Here, once again, it lists the legitimate interests of the employees next to their human dignity and fundamental rights as something that must be considered and safeguarded when processing data about those individuals.
Once again we see the language become a bit more colorful, but the point remains the same: the legitimate interests of data subjects must be protected as much as their rights and freedoms.
After exploring every usage of the term "legitimate interest" found in the GDPR, we can see that there are two distinct uses of this term.
The first is as a lawful basis for companies to process personal data.
The second refers to the legitimate interests of the data subject as a consideration that data controllers must take into account and safeguard.
As if this term wasn't already problematic and unclear, the fact that it is used in two distinct manners is quite confusing.
In the first usage, the conclusion we can draw is that if data controllers have a good and compelling reason, they may process data without another legal basis so long as it does not infringe on the rights, freedoms, or interests of the data subject.
This is not, however, a free ticket to carelessly process data collected without GDPR-qualifying consent.
The GDPR states that data subjects have the right to challenge these cases which can land businesses in hot water if they do not have a good reason for processing that data.
The second usage of the term pertains to data subjects, where the company must consider the legitimate interests of the individual before processing their data. The company must weigh the rights, freedoms, and legitimate interests of that individual against their reason for processing the data to ensure that it is fair and proportional.
While it only adds to the confusion to use this term in two distinct ways, this article should help clarify what this term means for your business.
Another important thing to remember is that using legitimate interest as your legal basis for data processing can be a risky decision, and if there is any doubt you should strive to use another legal basis from Article 6 as your legal basis for data processing.