“Legitimate interest” may be among the most confusing concepts written into the GDPR, which is not helped by the number of incorrect interpretations you find when you search for the term online. It is also an especially important concept for marketing and sales organizations to understand.
To start, let us contextualize why legitimate interest matters by looking at Article 6(1):
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
For most entities deliberating whether their processing of personal data is lawful, only subparagraphs (a), (b), and (f) will be applicable. Furthermore, for most marketing and sales organizations looking to acquire new customers or users with whom they do not already have a contractual relationship, only (a) and (f) will apply. The challenge with (a) is that it is difficult and expensive to actually collect consent, especially given the various requirements, such as that consent must be clear, affirmative, freely given, etc., which we outline here. Abiding by all this likely drastically reduces the amount of personal data a controller or processor is able to freely process, both because subjects do not opt in and because previously collected data is lost. It’s natural therefore for such organizations to look toward (f) for relief. If they could justify their data processing as a legitimate interest, wouldn’t that mean that consent is unnecessary?
The short answer is no, (a) will apply for the vast majority of marketing and sales instances instead of (f), therefore requiring consent to be collected prior to the lawful collection and processing of personal data. Let’s see why this is the case.
Continuation of the current Directive
It may be helpful to first recognize that legitimate interest is not some new safe harbor introduced by the GDPR. In fact, Article 6 of the GDPR is largely identical to Article 7 of Directive 95/46/EC, which it replaces. The GDPR version tightens the prior version by:
- Calling out stricter protections for child data subjects, and
- Excluding legitimate interests alone from serving as justification for lawful processing for public authorities
Necessity, and legitimate interest vs. interests, fundamental rights, and freedoms
Like all other subparagraphs in this section, (f) sets a high bar that the processing must be necessary. In other words, if an alternative approach could meet the same end without processing personal data, then said processing would not be lawful without consent.
Even when data processing is necessary to the controller, such legitimate interests must be weighed against “the interests or fundamental rights and freedoms of the data subject”. Should data controllers justify processing without consent based on this subparagraph, they will need to be prepared to prove legitimate interests (a higher burden) relative to the implied general interests of data subjects.
For further confirmation, take a look at the April 2017 opinion posted by the Article 29 Data Protection Working Party, an independent advisory body to the EC commissioned by Article 29 of the current Directive (thus the name):
[Emphasis original] In this context, the Working Party also supports the principled approach chosen in the Proposed Regulation of broad prohibitions and narrow exceptions, and believes that the introduction of open-ended exceptions along the lines of Article 6 GDPR, and in particular Art. 6(f) GDPR (legitimate interest ground), should be avoided.
Note the explicit call-out that the legitimate interest ground under 6(f) in the GDPR should be avoided.
The proper interpretation of Recital 47
Recital 47 mostly clarifies the weighing of interests that determines whether consent is required:
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Note the verb “may” in characterizing situations that could, but do not necessarily or automatically, justify lawful data processing. The recital suggests an example where a controller may be able to justify data processing for its customers, provided that the customer “can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”. It goes on to specify that this expectation is not perpetual if the subject would not reasonably expect further future processing.
To demonstrate why this concept is sensible in real life, consider the case where a data subject makes a pizza purchase online by submitting his delivery address. Here, the data subject is a client of the pizza merchant, who has a legitimate interest in fulfilling the delivery, and the processing of the subject’s personal data (the address) also passes the “necessary” requirement. The merchant therefore does not need to add a checkbox during the checkout process asking for permission to process the subject’s address, since the subject can reasonably expect this processing to take place when he submits this information. That said, the merchant does not have a blanket, perpetual license to use this delivery address for other purposes, such as selling it to the Chinese restaurant next door so that it can send marketing materials.
The last sentence is therefore deceptive on the surface: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” This does not mean that marketers are able to process personal data without consent; instead, they must abide by the same set of requirements outlined above as any other party attempting to establish legitimate interest, and only then may they have a legitimate interest. Contrast the conditional “may” with the prior sentence, which states that preventing fraud “constitutes” a legitimate interest. This sentence is therefore better read as stating that direct marketing is not intrinsically unable to constitute a legitimate interest, provided that all other requirements are met.
Therefore, marketing and sales organizations would be ill advised to skip consent collection and instead rely on legitimate interests to justify, for example, tracking prospects’ online behavior based on site visits, email engagement, IP address location tracking, etc. to show behavioral ads or create sales lead scores.
For those insisting on a blanket, categorical affirmative interpretation of this last sentence as absolving all direct marketers of the need to ever obtain consent, Recital 70 firmly rejects this possibility:
(70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
It is therefore unambiguous that direct marketers must obtain consent as a rule, unless they are able to prove legitimate interest in particular cases where data subjects reasonably expect such data processing to take place, as outlined in Recital 47.
So when will legitimate interests suffice?
Beyond Recital 47 stating that fraud prevention “constitutes a legitimate interest”, Recital 49 states that necessary and proportionate processing for network security “constitutes a legitimate interest”, and Recital 50 states that sharing evidence of possible criminal acts with the authorities “should be regarded as being in the legitimate interest”. Recital 48 states that groups of affiliated institutions “may have a legitimate interest” (emphasis added) in sharing personal data of clients and employees with each other.
We await more official guidance to provide clearer interpretations for edge cases. In the meantime, below are some related commentaries that we have seen on this matter.
The March 2017 GDPR consent guidance issued by the UK ICO provides one example of what not to do:
A company that provides credit cards asks its customers to give consent for their personal data to be sent to credit reference agencies for credit scoring.
However, if a customer refuses or withdraws their consent, the credit card company will still send the data to the credit reference agencies on the basis of ‘legitimate interests’. So asking for consent is misleading and inappropriate – there is no real choice. The company should have relied on ‘legitimate interests’ from the start. To ensure fairness and transparency, the company should still tell customers this will happen, but this is very different from giving them a choice.
The ICO seems to imply that in this particular instance, starting with “legitimate interests” may have been defensible in credit card companies’ processing of personal data for credit scoring.
An older ICO example may also be of interest. The UK’s Data Protection Act 1998, which was intended to bring the UK in line with EU Directive 95/46/EC, contains similar provisions on legitimate interests. The law firm Slaughter and May cites that a company may not be unwarranted in disclosing the personal data of a customer delinquent in payments to a debt collection agency. See the full example on page 8 of this PDF.
Expert help, at your service
If you find all this overwhelming and don’t know where to start with your GDPR compliance solution, we can help. Once you are ready to go, we’ll help you get up and running in days, so you don’t have to integrate a bunch of security compliance software tools or hire more people.
Note: I am not a lawyer, not even an aspiring lawyer. This blog does not constitute legal advice, only my interpretation and summary of certain requirements of the GDPR. Readers are encouraged to obtain legal advice from a qualified professional with respect to their organization’s obligations.