On 9 April, the Article 29 Working Party (“WP29”) adopted an Opinion on the notion of legitimate interests of the data controller under Article 7(f) of the EU Data Protection Directive 95/46/EC (the “Opinion”). The Opinion has two main objectives: to ensure correct interpretation and implementation of the “legitimate interest” ground for data processing at present, and to provide policy recommendations as part of the ongoing data protection law reform.
Article 7(f) is one of six alternate legal grounds for processing under the Data Protection Directive (other grounds include, for example, consent and the processing being necessary for the performance of a contract). It allows processing of personal data for the legitimate interests of the data controller or third parties to which data are disclosed. The seemingly flexible wording of Article 7(f) has resulted in great divergence in its application across Member States. As the Opinion notes, the legitimate interest ground is seen by many as an “open door” and an easy way to avoid compliance with data protection law. In light of this, the WP29 stresses that the legitimate interest ground should not be seen as less restrictive, or as a means to legitimize data processing for unusual situations or when other grounds do not apply.
To help clarify the scope of the legitimate interest ground, the WP29 explains that three conditions must be satisfied before a data controller can rely on this ground: (i) the data controller must have a legitimate interest; (ii) the processing must be necessary for that interest, and (iii) the interests of the data controller must outweigh the interests and fundamental rights of the data subjects — the so-called “balancing test”.
The Opinion goes on to clarify that in order to be considered “legitimate” under Article 7(f), a data controller’s interest must be lawful (i.e., in accordance with EU and national law), sufficiently specific to allow the balancing test to be carried out against the interests and fundamental rights of the data subject, and must represent a real and present interest (i.e., not be speculative). Even where the controller has a legitimate interest and the processing is necessary for that interest, it is the outcome of the balancing test that will largely determine whether the legitimate interest ground can be relied upon.
Application of the balancing test
According to the WP29, the key factors to be considered when applying the balancing test are:
- Assessing the nature and source of the legitimate interest. The controller’s legitimate interest can include the exercise of a fundamental right (e.g., freedom of expression, freedom to conduct a business, the right to an effective remedy and a fair trial, etc.), may coincide with a public interest (e.g., combatting financial crime), or may otherwise benefit from social, cultural or legal recognition in the community concerned. That said, the Opinion is clear that “private enforcement” of the law should not be used to legitimize intrusive practices.
- Impact on the data subjects. Data controllers should also consider the nature of the data, the way that data are being processed, the reasonable expectations of the data subject, and the controller’s relationship with the data subject (i.e., the balance of power). Processing of sensitive data or large-scale processing that involves combining personal data with other data for profiling should be approached with care. When assessing potential impact, data controllers are encouraged to consider the likelihood that the risk materializes and the severity of the consequences. The WP29 stresses, however, that such assessment should not be a purely mechanical exercise, and requires careful analysis.
- Provisional balance. Measures taken by data controllers to ensure compliance with the Directive’s broader requirements, including the principles of transparency and proportionality, would contribute to ensuring that the potential negative impact on individuals is reduced and, as such, that the data controller meets the requirements under Article 7(f). However, compliance with the horizontal provisions of the Directive would not automatically guarantee that the balance will be tipped in favour of the data controller. When a clear determination cannot be made, further analysis will be required to determine whether additional safeguards need to be put in place to enable reliance on the legitimate interest ground.
- Additional safeguards to prevent any undue impact on the data subjects. The more significant the impact on data subjects, the greater the consideration that should be given to the implementation of additional safeguards. Such safeguards may include anonymization, aggregation, use of privacy enhancing technologies, increased transparency, unconditional opt-out mechanisms, data portability, and technical and organizational measures to ensure that data cannot be used to take decisions or other actions with respect to individuals. Interestingly, the WP29 recommends that — as an additional safeguard — providers of “free” services should make it clear that such services are not free in practice, and that consumers pay for them with their personal data.
Policy recommendations
To ensure continued consistency in the application of the legitimate interest ground after the adoption of the draft Data Protection Regulation (the “Regulation”), the WP29 makes three recommendations:
- In the interest of legal certainty, WP29 recommends that a non-exhaustive list of key factors to consider when applying the balancing test be included as a recital in the Regulation. If adopted, this would result in an enhanced obligation of accountability for data controllers who will need to demonstrate that their interest is not overridden by the interests and fundamental rights of the data subject.
- The WP29 also recommends that a recital be added to the Regulation to require data controllers to document their assessment so as to demonstrate in practice their enhanced accountability obligation. Such a requirement should be scalable.
- Finally, the WP29 recommends that a provision be included in the Regulation requiring data controllers to explain to individuals why they consider their interests would not be overridden by data subjects’ interests and fundamental rights. This will allow objection by individuals and, on a case-by-case basis, possible additional justification by the controller of the prevailing interests. Any additional safeguards adopted to enhance data security, as well as the possibility to opt out of processing (where appropriate), should also be communicated to individuals.
It remains to be seen whether legislators will include any of the above recommendations in the draft text of the Regulation going forward.