The Article 29 Working Party – the grouping of data protection authorities from across Europe – has recently published an opinion on the use of the legitimate interests condition for data processing (Opinion). This less-used condition for processing by a data controller is an alternative to the consent basis for processing personal data. The Opinion provides data controllers with an informed basis on which to invoke the option to process data in reliance on their legitimate interests and thus helpfully clarifies what has been one of the vaguer areas of data protection law.
Background to the condition
The legitimate interests condition is rooted in Article 7(f) of the EU Data Protection Directive and section 2A(1)(d) of the Irish Data Protection Acts (DPA). It serves as one of the alternatives to consent but has tended to be less frequently used than other conditions provided by the legislation. The processing of personal data under this condition is permitted where necessary for the purposes of the “legitimate interests” pursued by the data controller.
What is “legitimate”?
The interest must cumulatively fulfil a number of conditions:
be sufficiently specific (to allow the balancing test to be carried out); and
be a real and present (as opposed to speculative) interest.
The Opinion includes a range of examples of possible legitimate interests, including: processing for research purposes, exercise of the right to freedom of expression or information, conventional direct marketing and the prevention of fraud or misuse of services. However, this is only the first step in determining whether data can be processed on the basis of the legitimate interest.
Restrictions on the condition
The condition is restricted where the processing prejudices the fundamental rights and freedoms or legitimate interests of the data subject. This is where a balancing of interests comes into play. The DPA also provide data subjects with the option to request that the data controller stop processing their data where that processing is done on foot of the legitimate interests ground. This can be done where the processing itself, the purposes or the manner in which the data is processed is causing or likely to cause substantial and unwarranted damage or distress to him or her or to another person.
Balancing of interests
Aside from a number of UK cases concerning publications by the media, there had previously been little guidance or case law to dictate the boundaries of the “legitimate interests” of a data controller. As such, the condition has rarely been used in Ireland. However, the recent Opinion provides more context.
The primary concern, as identified in decisions of the UK Courts and the ICO (the UK data protection authority), is the balance to be struck between the legitimate interests of the data controller and the interests or fundamental rights of the data subject. The Opinion states that the condition should not be a “‘last resort’ for rare or unexpected situations where other grounds for legitimate processing are deemed not to apply”. In balancing the respective interests, the Working Party suggests the following should be taken into account:
the type and basis of the legitimate interest;
the category of data involved;
the reasons the processing is necessary; and
the impact on the data subject.
The Working Party notes there should be particular consideration of “the way” data is processed, such as whether it is large scale, data mining or profiling. In considering the balancing of interests, the Working Party also notes that the “reasonable expectations” of the data subject should be taken into account.
The Working Party encourages the taking of additional safeguards and use of privacy-enhancing technologies to tip the balance in favour of the data controller. These include steps such as data minimisation, “functional separation” to ensure that the data cannot be used to take decisions or other actions with respect to individuals, wide use of anonymisation techniques, and increased transparency and opt-out measures for data subjects.
To conclude, the Working Party has described the ‘test’ which brings together the analysis in the Opinion. Data controllers should follow this structure where they wish to invoke the legitimate interests ground for processing:
the interest qualifies as “legitimate”;
the processing is necessary for this interest (depending on whether there are other less invasive means);
a provisional balance can be demonstrated;
a final balance is established having taken additional safeguards; and
compliance is demonstrated in a transparent manner.
This test should provide a handy guide for data controllers who are seeking to assess whether or not they can justify certain processing activities on foot of their legitimate interests.
For more information, contact a member of our Technology team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.