With the EU General Data Protection Regulation right around the corner, you have probably heard that there will be six legal bases for processing personal data – consent, performance of a contract, compliance with a legal obligation, vital interests, public interest or official authority, and legitimate interests. At OneTrust, we have had the pleasure of discussing the topic of legal basis with countless organizations who are currently preparing for GDPR, and from those conversations it is clear that there is a strong focus on – as well as some confusion around – legitimate interests, in particular.
What is the Legitimate Interests Basis?
Legitimate interests provides a legal basis for processing personal data where the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”1 Moreover, Recital 47 states that when relying on legitimate interests, controllers should consider “the reasonable expectations of data subjects based on their relationship with the controller” as well as “whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.”2
While these may be new developments for those who are new to EU data protection law, these legal bases, including legitimate interests, have actually been around for quite some time and are the same six grounds for lawful processing of personal data under the current EU Data Protection Directive 95/46/EC (the “Directive”), which is set to be replaced by the GDPR on 25 May 2018.
In fact, the Article 29 Working Party (WP29) has already recognized legitimate interests for its “significance and usefulness” as a way to “help prevent over-reliance on other legal grounds” and has stated that it “should not be treated as ‘a last resort’ for rare or unexpected situations where other grounds for legitimate processing are deemed not to apply.”3 At the same time, however, the WP29 makes clear that legitimate interests (under the Directive) “should not be automatically chosen, or its use unduly extended on the basis of a perception that it is less constraining than the other grounds.”4
So, what’s different under the GDPR, and why does everyone appear to be so worked up over legitimate interests? Well, the GDPR has expanded the scope of legitimate interests to include the legitimate interests of third parties as well as wider benefits to society. Legitimate interests under the GDPR also incorporate a broad balancing test that gives organizations added flexibility in conducting their analysis, and the GDPR requires the legitimate interests relied on to be disclosed in privacy notices, where applicable.
Perhaps the biggest change under the GDPR, however, is the necessity to document the legitimate interests assessment in order to demonstrate compliance.
The UK ICO’s Three-Part Test
The UK Information Commissioner’s Office (ICO) breaks this down into a three-part test:
Purpose test: are you pursuing a legitimate interest?
Necessity test: is the processing necessary for that purpose?
Balancing test: do the individual’s interests override the legitimate interest?
The first step is to identify the legitimate interest you are pursuing. According to the UK ICO, this “can be your own interests or the interests of third parties, and commercial interests as well as wider social benefits.”5 The interest could also be “compelling or trivial, but trivial interests may be more easily overridden in the balancing test.”6
Examples provided in the recitals of the GDPR include direct marketing,7 fraud prevention,8 intra-group transfers of personal data for internal administrative purposes,9 ensuring network and information security,10 and reporting possible criminal acts or threats to public security.11 However, this is not an exhaustive list, and processing for any of these purposes would still need to be assessed against the interests of data subjects – i.e., just because the GDPR mentions them does not mean that they are “pre-approved.”
Specifically, the UK ICO suggests asking yourself why you want to process the data in the first place (i.e., what is it that you are trying to achieve), who benefits from the processing and in what way, whether there are any wider public benefits and how important those benefits are, what the impact would be if you were unable to move forward with the activity, and whether your use of the data would be considered unethical or unlawful in any way.
The UK ICO states that necessity “means that the processing must be a targeted and proportionate way of achieving your purpose” and “[y]ou cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.”12
In determining whether processing is necessary, the UK ICO suggests that you should ask whether the processing actually helps to further the specified interest, whether it is a reasonable way of going about furthering that interest, and perhaps most notably, whether there is another less intrusive way to achieve the same result.
In the past, the WP29 has placed a particular focus on that question – i.e., “consider whether there are other less invasive means to reach the identified purpose of the processing and serve the legitimate interest of the data controller.”13 In other words, if there is another way of going about it that does not invade the data subject’s privacy as much, or if your organization can live without the processing altogether, then the activity is probably not necessary.
Finally, there must be balance. In particular, if the data subject would not reasonably expect your organization to use their data in the way you are planning to, or if it would cause them “unwarranted harm,” then their interests would likely override yours.14 “However, your interests do not always have to align with the individual’s interests” and where there is conflict “your interests can still prevail as long as there is a clear justification for the impact on the individual.”15
Here, the UK ICO suggests that you should consider the nature of your organization’s relationship with the data subject, whether any of the data is particularly sensitive or private, whether data subjects would expect you to use their data in such a way and whether you would feel comfortable explaining the use to them, whether some data subjects are likely to object or find the processing intrusive, what the possible impact is and how severe it is, whether the data of children is being processed, whether any data subjects are considered to be vulnerable, as well as whether any safeguards can be adopted to minimize the impact and whether an opt-out can be offered.
For example, when it comes to data processing in the workplace, the Article 29 Working Party has acknowledged that “whilst the use of [new] technologies can be helpful in detecting or preventing the loss of intellectual and material company property, improving the productivity of employees and protecting the personal data for which the data controller is responsible, they also create significant privacy and data protection challenges” and “[a]s a result, a new assessment is required concerning the balance between the legitimate interest of the employer to protect its business and the reasonable expectation of privacy of the data subjects: the employees.”16
Documentation and Notice
Relying on legitimate interests should be accompanied by a documented assessment that can be used to demonstrate to a regulator, if necessary, that full consideration was given to the interests of all affected parties, including the potential benefits and harms that could stem from the activity. Privacy management tools, such as those offered by OneTrust, offer template questionnaires incorporating regulator guidance like the UK ICO’s three-part test, and can be used to streamline and improve the assessment process.
Additionally, controllers need to include details about the legitimate interests relied on when fulfilling their notice obligations under Articles 13 and 14. In particular, the Article 29 Working Party has stated that this notice should include “[t]he specific interest in question” and “[a]s a matter of best practice . . . the information from the balancing test, which should have been carried out by the data controller . . . .”17 This is why, from a business perspective, it is important that organizations have a stance that is defensible not only to supervisory authorities, but to data subjects as well.
Data Subject Rights
Moreover, relying on legitimate interests “opens the door” to the exercise of a data subject’s right to object18 and possible subsequent restriction19 or erasure.20 This is because, under Article 21, processing based on legitimate interests is subject to the right to object, which can then be followed up by a request to exercise the right to restriction or erasure under Articles 18 and 17, respectively. However, in this instance, an objection can be refused where the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.21 One exception: where personal data are processed for direct marketing purposes, Article 21(2) and (3) give the data subject an unconditional right to object, and the controller must stop processing for that purpose without any balancing. As you can see, this places a burden on the data controller to be able to defend its decision to rely on legitimate interests and the assessment behind it.
According to the UK ICO, “[i]n the run up to 25 May 2018, you need to review your existing processing to identify your lawful basis and document where you rely on legitimate interests, update your privacy notice, and communicate it to individuals.” Thus, where organizations already rely on legitimate interests under the current EU Data Protection Directive, those organizations should review those activities to ensure that a documented assessment is available and that the assessment is aligned with the GDPR’s risk-based approach to the legitimate interests analysis. Additionally, public authorities currently relying on legitimate interests for processing carried out in the performance of their tasks will need to identify a different legal basis under the GDPR, since Article 6(1) excludes legitimate interests for such processing.
A legitimate interests assessment is not just about privacy interests; it’s also about harm, more broadly, and that includes harm to the rights and freedoms of individuals – e.g., free speech and expression, etc. It is not “a straightforward balancing test consisting merely of weighing two easily quantifiable and comparable ‘weights’ against each other.”22 Instead, it is contextual and subjective, and “requires full consideration of a number of factors”23 – perhaps most notably, the reasonable expectations of data subjects (in particular, based on their relationship with the controller), whether a less privacy-invasive alternative is available to achieve the same aim, and the measures put in place to reduce risk to data subjects.
The term “legitimate” shows up 42 times in the GDPR. The repeated use of such an ambiguous and subjective term highlights the GDPR’s risk-based approach to privacy and data protection, as well as the importance of identifying the legitimacy of processing activities, regardless of the chosen legal basis. This means that before relying on legitimate interests as a legal basis for processing, you need to be comfortable with uncertainty – yes, legitimate interests provides flexibility, but with flexibility comes the risk that your assessment might not satisfy a supervisory authority. Luckily, if you do plan to rely on legitimate interests as a legal basis, there are tools that can help with thinking through and documenting the legitimate interests assessment.