There is much confusion around the concept of Legitimate Interest as a lawful basis for processing personal data. It is worth going back to the roots.
Article 6(1) of the GDPR sets out the conditions that must be met for the processing of personal data to be lawful. They are:
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
These conditions are all equally valid, regardless of the order in which they appear. Organisations should assess which of these grounds is most appropriate for each processing activity and then fulfil any further requirements the GDPR sets out for the chosen condition, while still respecting the principles relating to processing (GDPR Article 5).
Many organisations have been wrongly advised to opt for consent. The GDPR, which applies since 25 May 2018, requires a higher standard of consent than the previous regime. That explains the deluge of re-consent emails sent out around May 2018. The other inconvenience of consent is the requirement to keep a record of every consent granted, together with the risk that the data subject can withdraw consent at any time. Imagine an individual giving consent for their image to be used in a commercial film: at any moment this person could change their mind and withdraw consent, and the organisation would have to pull the film. That should explain why consent is not always the most appropriate basis.
The UK ICO website explains: “Legitimate interests is the most flexible of the six lawful bases. It is not focused on a particular purpose and therefore gives you more scope to potentially rely on it in many different circumstances.
It may be the most appropriate basis when:
- the processing is not required by law but is of a clear benefit to you or others;
- there’s a limited privacy impact on the individual;
- the individual should reasonably expect you to use their data in that way; and
- you cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
However, it must be clear that Legitimate Interest is not simply whatever the organisation is interested in. It is framed within strict conditions: a three-part assessment (identifying the legitimate interest, showing that the processing is necessary for it, and balancing it against the interests and rights of the data subject) that needs to be carefully conducted, documented, and communicated to the data subject at the time the data is collected. Case law has established the conditions of necessity and respect for the rights and freedoms of individuals. Legitimate Interest, when validly demonstrated, exempts the controller from requesting formal consent: the processing is one the data subject would reasonably expect, because the data controller is using the data the way it is expected to act.
Extracts from the UK ICO website, on what is required for processing for marketing purposes to be lawful: “You still need to show that your processing passes the necessity and balancing tests.
You may also need to be more specific about your purposes for some elements of your processing in order to show that processing is necessary and to weigh the benefits in the balancing test. For example, if you use profiling to target your marketing.“
“When looking at the balancing test, you should also consider factors such as:
- whether people would expect you to use their details in this way;
- the potential nuisance factor of unwanted marketing messages; and
- the effect your chosen method and frequency of communication might have on more vulnerable individuals.“
Rowenna Fielding, a “Professional Data Protection Nerd, Information Governance” as she describes herself on her LinkedIn profile, published a very useful reminder that will hopefully help to clarify some of the misinformation around Legitimate Interest. I could not say it any better, so I reproduce it here with her authorisation.
10 Legitimate Interests Lessons for Marketers :
1. Just because you’re interested, doesn’t make it legitimate.
2. You can’t use LI to avoid getting consent when you suspect the answer will be “No”.
3. Whether LI can be applied depends on your own assessment of what you’re doing, why and how – which you will be expected to justify and defend.
4. LI is not ‘unclear’ or ‘ambiguous’; it requires thinking to be done and a decision to be made.
5. Publish your Legitimate Interests Assessments (LIA) if you anticipate/plan to reject objections to processing.
6. If a law says you have to get consent for a processing activity, then forget about LI. You can’t use it. Move on.
7. LI is only a valid lawful basis for processing personal data if you’re adhering to all of the principles. It’s not a loophole around compliance.
8. If your LIA is post-hoc rationalisation of something you won’t consider ceasing to do even though you suspect it’s a bit dodgy; then you wasted your time. Just make sure you have funds set aside to deal with complaints, regulatory action and reputation damage when you get found out.
9. The ICO is not responsible for your continuing professional development.
10. No-one else can do your thinking for you.
Just as consent is not a universal panacea, Legitimate Interest has to be balanced, and where a contract justifies the processing of personal data, that basis may be better suited. The UK ICO has an online interactive tool that helps select the most appropriate lawful basis for processing.
UPDATE by the UK ICO :
The ICO has published a report highlighting major data protection concerns in the advertising industry and in real-time bidding (RTB), where online advertising space is sold to bidders almost instantaneously. Data about users, including personal data collected through cookies, is shared in real time so that marketplace participants know who is viewing the advertising space. The report finds that this data is being used without a lawful basis and that the consent required under PECR to place the cookies has not been obtained.
The ICO has flagged an incorrect reliance on legitimate interests as the lawful basis for processing this personal data. When personal data is collected through cookies, consent is in practice the only appropriate lawful basis under the GDPR, and consent is in any case a prerequisite under PECR for the associated cookies to be placed. The report also highlights issues with transparency and accountability, and with the control and supervision exercised by market participants over the flows and sharing of data. Here is the full report.
Contact us at Data@DataRainbow.eu if you need further assistance to take you through some of these complexities.
This publication is licensed under a Creative Commons Attribution 4.0 International
More information on the licence can be found here.