With the EU General Data Protection Regulation right around the corner, you have probably heard that there will be six legal bases for processing personal data – consent, performance of a contract, compliance with a legal obligation, vital interests, public interest or official authority, and legitimate interests. At OneTrust, we have had the pleasure of discussing the topic of legal basis with countless organizations who are currently preparing for GDPR, and from those conversations it is clear that there is a strong focus on – as well as some confusion around – legitimate interests, in particular.
What is the Legitimate Interests Basis?
Legitimate interests provides a legal basis for processing personal data where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”[1] Moreover, Recital 47 states that when relying on legitimate interests, controllers should consider “the reasonable expectations of data subjects based on their relationship with the controller” as well as “whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.”[2]
While these may be new developments for those who are new to EU data protection law, these legal bases, including legitimate interests, have actually been around for quite some time and serve as the same six grounds for lawful processing of personal data under the current EU Data Protection Directive 95/46/EC (the “Directive”), which is set to be replaced by the GDPR on 25 May 2018.
In fact, the Article 29 Working Party (WP29) has already recognized legitimate interests for its “significance and usefulness” as a way to “help prevent over-reliance on other legal grounds” and moreover “should not be treated as ‘a last resort’ for rare or unexpected situations where other grounds for legitimate processing are deemed not to apply.”[3] At the same time, however, the WP29 makes clear that legitimate interests (under the Directive) “should not be automatically chosen, or its use unduly extended on the basis of a perception that it is less constraining than the other grounds.”[4]
So, what’s different under the GDPR, and why does everyone appear to be so worked up over legitimate interests? Well, the GDPR has expanded the scope of legitimate interests to include the legitimate interests of third parties as well as wider benefits to society. Legitimate interests under the GDPR also incorporate a broad balancing test that gives organizations added flexibility in conducting their analysis, and the GDPR requires the legitimate interests relied on to be disclosed in privacy notices, where applicable.
Perhaps the biggest change under the GDPR, however, is the necessity to document the legitimate interests assessment in order to demonstrate compliance.
The UK ICO’s Three-Part Test
The UK Information Commissioner’s Office (ICO) breaks this down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
The first step is to identify the legitimate interest you are pursuing. According to the UK ICO, this “can be your own interests or the interests of third parties, and commercial interests as well as wider social benefits.”[5] The interest could also be “compelling or trivial, but trivial interests may be more easily overridden in the balancing test.”[6]
Examples provided in the recitals of the GDPR include direct marketing,[7] fraud prevention,[8] intra-group transfers of personal data for internal administrative purposes,[9] ensuring network and information security,[10] and reporting possible criminal acts or threats to public security.[11] However, this is not an exhaustive list, and processing for any of these purposes would still need to be assessed against the interests of data subjects – i.e., just because the GDPR mentions them does not mean that they are “pre-approved.”