The EU General Data Protection Regulation is finally here, and while its arrival has been long awaited, the discussion on how to implement its requirements does not end here. In fact, this is likely to be the start of an ongoing discussion for years to come, especially given the risk-based approach to compliance that is mandated by the GDPR.
Out of all six legal bases for processing offered by the GDPR, two in particular have stood out—consent and legitimate interests—and a question we have commonly heard at OneTrust is: which of these should I rely on for the purpose of sending direct marketing emails? This is a difficult question to answer, and as most lawyers will tell you: “it depends.”
At OneTrust, we have discussed the topic of legal basis with countless organizations as they have prepared for, and implemented, the GDPR. Under the GDPR, one of the ways in which personal data may be processed is where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”1 Implicit in this legal basis, and in combination with Article 5’s ‘accountability’ principle, is the need to document a legitimate interests assessment (LIA).
The UK Information Commissioner’s Office (ICO) breaks this down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
The completed LIA can then be used to demonstrate to a supervisory authority, if necessary, that full consideration was given to the interests of all affected parties, including to the potential benefits and harms that could stem from the activity.
It is true that legitimate interests provide flexibility to data controllers, but with that flexibility comes the risk that a supervisory authority might disagree with your LIA and thus with your reliance on legitimate interests as the legal basis for a given processing activity. Reliance on legitimate interests therefore requires a certain level of comfort with uncertainty.
Consent, on the other hand, can provide a great deal more certainty. Put simply, consent is a data subject’s indication of agreement to the processing of their personal data, which places control in the hands of the data subject.
Consent has historically been one of the most common legal bases relied upon for the processing of personal data. However, under the GDPR, additional conditions will need to be met, making consent more difficult to rely on as a legal basis for processing. Under Article 4(11) of the GDPR, consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Additionally, under Article 7(1), data controllers must also be able to “demonstrate that the data subject has consented to processing of his or her personal data” and according to the Article 29 Working Party “[c]ontrollers are free to develop methods to comply with this provision in a way that is fitting in their daily operations.”2
According to the WP29, one way of doing this is to “keep a record of consent statements received” in order to show how and when consent was obtained, what information was provided to the data subject, and the workflow behind ensuring that the consent included each of the requisite elements.3 This could mean “retain[ing] information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time”4 and consent management tools can assist with generating and managing such records.
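The record-keeping points above (what was presented, in which session, through which workflow, and when) can be captured as a small consent ledger. The following is an added illustration, not code from the original post or from OneTrust, and every name in it (`ConsentLedger`, `ConsentRecord`, `NOTICE_ARCHIVE`, the purpose string) is an assumption. It stores a hash of the notice text actually shown so that a later edit to the archived notice is detectable, refuses to record consent without a clear affirmative action, and marks withdrawal so that the record cannot be used to justify further marketing afterwards.

```python
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample archive (assumption, not real data): the exact notice text
# presented to the data subject under each version of the consent workflow.
NOTICE_ARCHIVE: Dict[str, str] = {
    "marketing-v1": (
        "We would like to email you product news. Tick the box to agree. "
        "You may object at any time via the link in every email."
    ),
}


def notice_hash(text: str) -> str:
    """SHA-256 of the presented notice; stored with the record so later edits to the archive show up."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _now(when: Optional[str]) -> str:
    """Use the supplied ISO 8601 timestamp (for reproducibility) or the current UTC time."""
    return when or datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str               # e.g. "direct-marketing-email"
    notice_version: str        # which notice/workflow version was in force
    notice_sha256: str         # hash of the text actually shown to the data subject
    affirmative_action: str    # the clear affirmative act, e.g. "ticked unticked checkbox"
    session_id: str            # the session in which consent was expressed
    obtained_at: str           # ISO 8601 UTC timestamp
    withdrawn_at: Optional[str] = None


class ConsentLedger:
    def __init__(self, archive: Dict[str, str]):
        self.archive = archive
        self.records: Dict[str, List[ConsentRecord]] = {}

    def record_consent(self, subject_id: str, purpose: str, notice_version: str,
                       affirmative_action: str, session_id: str,
                       when: Optional[str] = None) -> ConsentRecord:
        if notice_version not in self.archive:
            raise KeyError(f"unknown notice version {notice_version!r}")
        if not affirmative_action:
            # Silence, inactivity or a pre-ticked box is not a clear affirmative action.
            raise ValueError("consent requires a clear affirmative action")
        rec = ConsentRecord(subject_id, purpose, notice_version,
                            notice_hash(self.archive[notice_version]),
                            affirmative_action, session_id, _now(when))
        self.records.setdefault(subject_id, []).append(rec)
        return rec

    def active_consent(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        """Most recent record for this purpose that has not been withdrawn, if any."""
        for rec in reversed(self.records.get(subject_id, [])):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                return rec
        return None

    def demonstrate(self, subject_id: str, purpose: str) -> dict:
        """Evidence pack for Article 7(1): the record plus the notice text it was given against."""
        rec = self.active_consent(subject_id, purpose)
        if rec is None:
            return {"consented": False, "reason": "no active consent record"}
        text = self.archive.get(rec.notice_version)
        if text is None or notice_hash(text) != rec.notice_sha256:
            # The archived notice no longer matches what the subject saw: the record proves nothing.
            return {"consented": False, "reason": "archived notice missing or altered",
                    "record": asdict(rec)}
        return {"consented": True, "record": asdict(rec), "notice_text": text}

    def object_to_processing(self, subject_id: str, purpose: str,
                             when: Optional[str] = None) -> bool:
        """Mark the active consent as withdrawn; returns False if there was nothing to withdraw."""
        rec = self.active_consent(subject_id, purpose)
        if rec is None:
            return False
        rec.withdrawn_at = _now(when)
        return True

    def may_send_under_consent(self, subject_id: str, purpose: str) -> bool:
        """True only while a verifiable, non-withdrawn consent record exists for this purpose."""
        return self.demonstrate(subject_id, purpose)["consented"]
```

The hash check is the part a tool often omits: a record that says "consented on this date" is only useful to a supervisory authority if the controller can also produce the exact wording that was in front of the data subject at the time.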
Direct Marketing Under the GDPR
Direct marketing is a common purpose of processing, and it includes a number of different activities—e.g., collecting personal data from potential customers, creating profiles about those potential customers and their preferences, and then sending personalized communications to them.
Consent and legitimate interests are the legal bases most likely to be relied upon to justify direct marketing. Things get muddier, however, where the direct marketing involves electronic communications.
Consent vs Legitimate Interests
Recital 47 of the GDPR states that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Thus, legitimate interests can be used to satisfy the GDPR’s legal basis requirement—but there is more to the story.
Direct electronic marketing (e-marketing) is currently regulated under the ePrivacy Directive, which generally requires opt-in consent before engaging in such activity. This means that, in most cases, even if you are relying on legitimate interests to satisfy the GDPR, the ePrivacy Directive would still mandate consent. There is an exception, however: marketing emails may be sent on an opt-out basis if the recipient’s details were collected “in the context of the sale of a product or a service,”5 provided the marketing concerns the sender’s own similar products or services and the recipient is clearly given the opportunity to object, both at the time of collection and in each message. This exception has also been implemented differently by the EU member states.
In fact, 11 EU member states actually allow for business-to-business (B2B) e-marketing on an opt-out basis at any time, regardless of whether it is in the context of a sale (for details, see this report by Fieldfisher). In the UK, for example, “you can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body)” without first needing to obtain consent.6
This means that a company with B2B customers could rely on legitimate interests for sending e-marketing to recipients in certain countries while relying on consent in others. Operationally, however, maintaining different legal bases per country could prove difficult.
The Right to Object
With this in mind, it is important to note that Article 21 of the GDPR states that “[w]here personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing” and that “[w]here the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.” Moreover, this right must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.”7
In other words, even where opt-in consent is not required before sending marketing emails, the GDPR nevertheless requires that the recipient always be given a clear opportunity to opt out of receiving such emails, and that any objection be honoured.
Swapping Legal Bases
In determining whether to rely on consent or legitimate interests, data controllers should also take into account that, according to the Article 29 Working Party, they are “not allowed to retrospectively utilize the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent.”8 This suggests that data controllers need to think hard about the legal basis they rely on as “it is not possible to swap between one lawful basis and another” in the event that things do not work out.9
EU e-marketing rules can be difficult to navigate, and deciding whether to rely on opt-in consent, legitimate interests, or a combination of the two, is no easy task and can have immense impact on business operations. Therefore, the decision-making process should include multiple stakeholders, including legal, privacy, marketing and executive management, to name a few, as cooperation between these groups will be vital to success.
1 GDPR, Article 6(1)(f).
2 Article 29 Working Party, “Guidelines on Consent” (WP 259), 28 November 2017, http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48849.
3 WP 259.
4 WP 259.
5 Directive 2002/58/EC, Article 13(2).
7 GDPR, Article 21(5).
8 WP 259.
9 WP 259.