The European Data Protection Board (“EDPB”) recently published draft Guidelines 1/2024 concerning the processing of personal data based on legitimate interests under Article 6(1)(f) GDPR (the “Guidelines”). The Guidelines were subject to public consultation until 20 November 2024.
The Guidelines build on and update the previous Article 29 Working Party Opinion 06/2014 on legitimate interests in light of the GDPR and rulings by the Court of Justice of the European Union (“CJEU”). They consider how a legitimate interests assessment (“LIA”) should be carried out in practice, including in certain specific contexts, such as fraud prevention, direct marketing and information security, where legitimate interests may be considered as a lawful basis.
The Guidelines aim to help controllers in their assessments of whether Article 6(1)(f) GDPR may be invoked as a valid legal basis for the processing of personal data. Article 6(1)(f) provides a lawful basis for processing where ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’.
The Guidelines emphasise that identifying a legitimate interest alone is not sufficient to rely on Article 6(1)(f) GDPR. Controllers must also ensure that the processing is necessary for pursuing that interest, and that the interests, fundamental rights and freedoms of the data subject do not override it.
Three-step Process for Assessing the Applicability of Legitimate Interests
The Guidelines set out a three-step process for assessing whether legitimate interests can be invoked as a valid legal basis under Article 6(1)(f) GDPR, namely: (1) identify a legitimate interest pursued by the controller or by a third party; (2) ensure that the processing of the personal data is necessary for the purposes of the legitimate interest(s) pursued; and (3) balance the interests at stake and ensure that the interests or fundamental freedoms and rights of the data subjects concerned do not override the legitimate interest(s) of the controller or of a third party. We look at each of these steps in more detail below. An LIA, which addresses each of these three steps, should be documented by the controller before carrying out the relevant processing activities, in line with the Article 5(2) GDPR accountability principle.
Step 1: The pursuit of a legitimate interest by the controller or by a third party
The first step in identifying whether legitimate interests under Article 6(1)(f) GDPR can serve as a valid legal basis is identifying whether the interests of the controller or third party are “legitimate”.
Both the GDPR and the CJEU have expressly recognised various interests as being legitimate, for example, having access to information online, ensuring the continued functioning of publicly accessible websites, product improvement and assessing a person’s creditworthiness. The Guidelines note that an interest may be regarded as “legitimate” if the following cumulative criteria are met:
- Lawfulness: The interest must be lawful and not contrary to any EU or Member State law.
- Clearly and precisely articulated: The interest must be clearly and precisely articulated.
- Real and present: The interest must be real and present, and not speculative.
Generally, the interest pursued by the controller should be related to the actual activities of the controller. For instance, the CJEU has found that, even though the sharing of information with law enforcement agencies to prevent, detect and prosecute criminal offences is a legitimate interest as such, it is not a legitimate interest pursued by a controller whose main activity is economic and commercial in nature, given that it is unrelated to its economic and commercial activity. That said, Article 6(1)(f) GDPR also refers to an interest pursued by a ‘third party’, indicating that a controller may rely on Article 6(1)(f) GDPR to legitimise processing activities which pursue the interest(s) of specific third parties, balancing such interest(s) against the data subject’s interests or fundamental rights and freedoms. The Guidelines note that the legitimate nature of the third party’s interest must be assessed following the same criteria which apply with respect to the controller’s own interests.
Step 2: Analysis of the necessity of the processing to pursue the legitimate interest
The next step, having identified a “legitimate interest”, is determining whether processing personal data is “necessary” to pursue that interest. The Guidelines emphasise that what is “necessary” for the purposes of the legitimate interests pursued by the controller or by a third party does not cover simply what is useful to pursue such an interest. Rather, in EU law, the concept of “necessity” has its own independent meaning, which must be interpreted in a way that fully reflects the objectives of data protection law. In practice, this means considering whether the legitimate interest could be pursued by less privacy-intrusive means that would restrict the fundamental rights and freedoms of data subjects to a lesser degree. If there are reasonable, just as effective, but less intrusive alternatives, the processing may not be considered to be “necessary”.
The CJEU (4 July 2023, Case C-252/21, Meta v Bundeskartellamt) has also ruled that the “necessity” of processing must be examined in conjunction with the “data minimisation” principle enshrined in Article 5(1)(c) GDPR, in accordance with which personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. Accordingly, the controller must ensure that any personal data processed is essential for pursuing the legitimate interest, and that no excessive data is processed.
Step 3: The balancing exercise to determine whether data subjects’ interests or fundamental rights override the legitimate interest pursued
Having determined that the interest pursued by the controller is “legitimate”, and that the processing is “necessary” for the purposes of that interest, the controller must weigh its legitimate interest(s), or those of a third party, against the rights and freedoms of the data subjects. This “balancing exercise” must be performed for each processing activity that relies on legitimate interests as a legal basis. The controller cannot rely on legitimate interests as a legal basis where the data subjects’ interests, rights and freedoms override the legitimate interest(s) of the controller or of the third party, and no sufficient mitigating measures can be taken.
When carrying out the balancing exercise, the Guidelines recommend that the controller identifies and describes:
- The data subjects’ interests, fundamental rights and freedoms (which include not only the right to data protection and privacy, but also other rights, such as the right to liberty and security, freedom of expression and information, which may be impacted by the processing, either directly or indirectly).
- The impact of the processing on data subjects, including:
  - the nature of the data to be processed,
  - the context of the processing, and
  - any further consequences of the processing.
- The reasonable expectations of the data subject (i.e. data subjects should not be unduly surprised by the processing or by its consequences or implications).
- The final balancing of opposing rights and interests (if the data subject’s interests, rights and freedoms seem to override the legitimate interest(s) being pursued, the controller may consider introducing mitigating measures to limit the impact of the processing on data subjects).
The purpose of the balancing exercise is not to avoid any impact on data subjects’ interests and rights, but to avoid a disproportionate impact and assess the weight of these aspects in relation to each other.
Relationship between Legitimate Interests as a legal basis and Data Subject Rights
The Guidelines note that while complying with the GDPR provisions on data subject rights is a legal obligation (and therefore not something that controllers can consider as a mitigating measure in a balancing exercise), some of the rights laid down in Articles 12-22 GDPR are subject to specific conditions. Going beyond what is strictly required under the GDPR may be seen as an additional safeguard that could be considered in the balancing test.
Transparency and Right of Access
The Guidelines note that controllers undertaking processing activities based on legitimate interests under Article 6(1)(f) GDPR must also comply with their transparency obligations under Articles 12, 13 and 14 GDPR. This includes providing information to data subjects on the specific legitimate interest(s) pursued.
The Guidelines acknowledge that there is no explicit obligation pursuant to Article 15(1) GDPR, which concerns the right of access, to provide information regarding the legal basis for processing. However, the EDPB has recommended that controllers also provide this information, or at least indicate where it can be found, in a response to a data subject access request. Recital 60 GDPR makes it clear that the controller should provide the data subject with any further information necessary in order to ensure fair and transparent processing. The Guidelines note that without knowing the legal basis for the processing, the data subjects would in some cases not be in a position to assess what data subject rights they can exercise, since some of those rights depend on the applicable legal basis.
Right to object
When processing is based on legitimate interests under Article 6(1)(f) GDPR, the data subject has the right to object to such processing, on grounds relating to his or her particular situation, under Article 21(1) GDPR. The fact that the data subject has not elaborated much on their “particular situation” in their objection is not, in itself, sufficient to dismiss the objection. If the controller has doubts as to the “particular situation” of the data subject, it may ask the data subject to further specify the request.
After an objection, controllers must not process the personal data unless there are overriding compelling legitimate grounds which take precedence over that data subject’s interests and rights and freedoms. The Guidelines state that if a data subject has invoked their right to object against a processing based on Article 6(1)(f) GDPR, it is not sufficient for the controller to just demonstrate that its earlier legitimate interest assessment regarding that processing was correct. Rather, the balancing test to be made under Article 21(1) GDPR is to be carried out in view of the particular situation of the data subject and requires the legitimate grounds invoked by the controller to be “compelling”, implying a higher threshold for overriding data subject objections.
As a result, not all conceivable legitimate interests that may justify processing under Article 6(1)(f) GDPR will be relevant in this context. Only interests that can be recognised as “compelling” may be balanced against the rights, freedoms and interests of the data subject to assess whether there are grounds for processing that take precedence, despite the objection of the data subject. In essence, the grounds invoked should be essential to the controller (or to the third party in whose legitimate interest the data are being processed) to be considered compelling. This might be the case, for example, if a controller is compelled to process the personal data in order to protect its organisation or systems from serious immediate harm or from a severe penalty which would seriously affect its business. The presence of compelling legitimate grounds necessitates a case-by-case assessment linked to a specific objection.
Once the controller has identified the relevant compelling legitimate grounds, they should proceed to assess whether these override the interests, rights and freedoms of the data subject who has objected to the processing in question. This balancing exercise needs to be documented in accordance with the GDPR accountability principle.
Right to erasure
Under the GDPR, data subjects enjoy a right to obtain from the controller the erasure of their personal data. This right may also be exercised where the controller relied on Article 6(1)(f) GDPR to process the data.
The Guidelines note that, generally, the criteria to determine whether an objection or erasure request should be granted are essentially the same under Articles 17 and 21 GDPR (i.e. the request should be granted unless one can demonstrate “overriding legitimate grounds”). This implies that, as a rule, if an objection under Article 21(1) GDPR is granted, a related erasure request pursuant to Article 17(1)(c) GDPR should also be granted.
The Guidelines comment that, while the GDPR does not specify how controllers should ensure deletion, they must be able to demonstrate that the right to erasure has been entirely complied with in accordance with the principle of accountability laid down in Article 5(2) GDPR, and that the data subject may lodge a complaint or initiate a legal action concerning the erasure.
Automated individual decision-making, including profiling
Article 22 GDPR prohibits, as a rule, decisions based solely on automated processing, including profiling, which produce legal effects concerning the data subject or similarly significantly affect them, unless one of the exceptions in Article 22(2) GDPR applies. For the sake of clarity, the Guidelines emphasise that Article 6(1)(f) GDPR should not be considered Union law authorising automated decision-making within the meaning of Article 22(2)(b) GDPR.
In any event, even when this kind of automated processing is authorised in the cases referred to in Article 22(2) GDPR, the processing will be lawful only if the controller is also able to identify a valid legal basis for the processing in Article 6(1) GDPR.
Where profiling is involved, the Guidelines set out certain elements which are relevant when performing the balancing exercise prior to invoking Article 6(1)(f) GDPR as a legal basis, regardless of whether or not the profiling would lead to solely automated decision-making falling under Article 22 GDPR. These elements include:
- the level of detail of the profile (a data subject profiled within a broadly described cohort such as “people with an interest in English literature”, or segmented and targeted on a granular level);
- the comprehensiveness of the profile (whether the profile only describes a small aspect of the data subject, or paints a more comprehensive picture);
- the impact of the profiling (the effects on the data subject);
- the possible future combination of profiles; and
- the safeguards ensuring fairness, non-discrimination and accuracy in the profiling process.
Right to rectification
The GDPR provides data subjects with the right to request that a controller correct any inaccurate data which it holds about them. This right can be invoked regardless of which legal basis for processing applies. The Guidelines note that the assessment of whether personal data is accurate and complete must be made in view of the purpose for which that data was collected; controllers should therefore consider those purposes when assessing the accuracy and completeness of the relevant personal data. The data subject can only successfully invoke the right to rectification where they can substantiate that the processed data is objectively incorrect or incomplete. The right cannot be used to require that evaluations or assessments be changed to reflect the personal opinions of the data subject.
Right to restriction of processing
The Guidelines highlight that one of the instances in which the right to restriction may be invoked is when the processing is based on Article 6(1)(f) GDPR. A data subject has the right to obtain restriction of processing when they have objected to processing based on Article 6(1)(f) GDPR, in accordance with Article 21(1) GDPR. The restriction is limited in time, as it applies only pending verification of whether the controller’s legitimate grounds override the data subject’s rights, interests and freedoms. Following that assessment, the data should be either deleted (if the data subject’s interests, rights and freedoms prevail), or the restriction may be lifted (if the controller can demonstrate compelling legitimate grounds to continue processing the data which override the data subject’s interests, rights and freedoms).
Contextual Application of Legitimate Interests
The Guidelines discuss a number of contextual scenarios in which the legitimate interests legal basis under Article 6(1)(f) GDPR may or may not be relied on. In particular, the Guidelines consider the application of legitimate interests when processing children’s personal data; processing by public authorities; processing for the purposes of preventing fraud; processing for direct marketing purposes; processing for internal administrative purposes within a group of undertakings; and processing for network and information security purposes. In regard to the latter purpose in particular, the CJEU found in Meta v Bundeskartellamt that it has to be ascertained whether, and to what extent, the processing of personal data collected from sources outside a social network is actually necessary to ensure that the internal security of that network is not compromised. It must be verified whether the legitimate interest pursued can reasonably be achieved just as effectively by other, less privacy-intrusive means, and whether the data minimisation principle has been observed.
Finally, the Guidelines consider the extent to which legitimate interests may be relied on in respect of the transmission of personal data to competent authorities. The CJEU found in Meta v Bundeskartellamt that, in principle, collecting and sharing personal data with law enforcement authorities in order to prevent, detect and prosecute criminal offences is not an objective that is capable of constituting a legitimate interest pursued by a private business operator whose activity is essentially economic and commercial in nature. On the other hand, the EDPB notes that if the controller does not collect and store personal data in a systematic manner specifically in order to be able to provide such data to law enforcement authorities, but rather wishes to report to law enforcement authorities possible criminal acts or threats it may occasionally become aware of, it might consider relying on legitimate interests to do so.
The Guidelines also note that a controller may, in certain instances, rely on legitimate interests to comply with a request to disclose personal data to a third country authority, in particular where the controller is subject to third country legislation and non-compliance with such a request would entail sanctions under foreign law.
The Guidelines do not discuss the applicability of legitimate interests when processing data for AI purposes, such as the training or deployment of AI systems. However, the EDPB is due to adopt an Article 64(2) Opinion on AI models by 23 December 2024, which should provide controllers with some guidance in relation to the appropriate legal basis for such processing.
Comment
The Guidelines provide helpful guidance on how to assess whether “legitimate interests” may be invoked as a valid legal basis for processing personal data. They serve as a reminder that legitimate interests cannot be considered a legal basis “by default”. Rather, before relying on this legal basis, the controller must perform a careful assessment of the planned processing following a specific methodology.
Contact Us
For more information, or if you would like advice on whether legitimate interests can be relied upon for your data processing activities, please contact Davinia Brennan, Anne-Marie Bohan, Sarah Jayne Hanna, Carlo Salizzo, or your usual Matheson contact.