The European Data Protection Board (“EDPB”) recently published a One-Stop-Shop (“OSS”) case digest (“the Report”) which analyses decisions made by national supervisory authorities (“SAs”) relating to legitimate interest under Article 6(1)(f) GDPR. The Report offers insights into how SAs have interpreted and applied the concept of legitimate interest, and provides a practical assessment of factors which may assist or hinder controllers in relying on legitimate interest.
The EDPB commissioned Dr. TJ McIntyre to produce the Report, as part of the EDPB Support Pool of Experts Programme. In addition to considering recent OSS decisions on legitimate interest, the Report provides a reminder of the three-step test for relying on legitimate interest as a legal basis for processing personal data under the GDPR, taking into account the EDPB Guidelines 1/2024 on Legitimate Interest (previously discussed here).
In this article, we consider the key highlights of the Report.
Part 1 – The three-step test for reliance on legitimate interest
Article 6(1)(f) GDPR provides a legal basis for processing where “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
Article 6(1)(f) GDPR establishes three cumulative conditions for relying on legitimate interests as a legal basis for processing personal data, namely: (1) the pursuit of a legitimate interest by the controller or a third party; (2) the need to process personal data for the purposes of those legitimate interests (necessity); and (3) ensuring that individuals’ rights and freedoms do not take precedence over the legitimate interests of the controller (a balancing test). We discuss each of these conditions in more detail below.
Step 1: The pursuit of a legitimate interest by the controller or by a third party
Firstly, the Report reminds us of the first step in the three-step process for relying on legitimate interest as a legal basis. It discusses what is meant by “interest”, referencing the EDPB Guidelines 1/2024 which highlight that “interest” means the broader stake or benefit that a controller or third party may have in engaging in a specific processing activity. For example, a controller may have an interest in promoting its products, and that interest may be advanced by processing personal data for direct marketing purposes.
It further considers what is a “legitimate” interest. The GDPR does not define the term “legitimate”. However, the Report notes that the CJEU has confirmed that a purely commercial interest can be a legitimate interest (Case C-621/22 (KNLTB)). In addition, the Report notes that the EDPB Guidelines 1/2024 confirm that a legitimate interest must not be contrary to EU or Member State law. For example, sending promotional emails for electronic cigarettes cannot constitute a legitimate interest as such emails are prohibited by the Tobacco Products Directive.
Furthermore, the Report notes that the EDPB Guidelines 1/2024 state that the legitimate interest must be “clearly and precisely articulated”. In several decisions, Lead Supervisory Authorities (“LSAs”) found that a vague statement of legitimate interests led to a failure to establish a legal basis under Article 6(1)(f) GDPR, and also breached the duty of transparency under Article 13 GDPR.
Step 2: Analysis of the necessity of the processing to pursue the legitimate interest
In respect of the second step, the Report notes that a number of OSS decisions and an EDPB urgent binding decision have found that processing was not necessary, as there were alternatives which could achieve the legitimate interests of the controllers. For example, in one case, the LSA found that forcing customers to provide their phone number for customer service purposes was not necessary, as a less intrusive and equally effective means of communication (namely contacting customers by email) was available.
In a further case, the Bavarian SA, acting as LSA, found that the retention of biometric iris codes after user accounts were closed was not necessary for the controller’s legitimate interests. The purpose of such retention was to ensure users could not evade bans imposed by connected service providers by deleting their biometric data and registering under a new identity. The LSA found that although the controller had a legitimate interest in protecting the integrity of its online spaces, this did not justify the retention of the biometric data, as it placed every user under suspicion of evading a ban even where no ban existed. The LSA suggested that a less intrusive alternative would be to contact the connected services to check whether a ban existed for a particular user.
In addition, in Binding Decision 2/2022 (Meta/Instagram Child Users), the EDPB found that publication of contact details of child business account users was not necessary to achieve any relevant legitimate interests of Meta and third parties, as it was possible to contact business users through direct messaging on Instagram, instead of contacting them by e-mail or phone. The LSA had taken the view that the publication of the contact details of minors may have been necessary in some cases, i.e. for business account users who wished to be publicly contactable by email or phone. However, the EDPB noted that “[t]he benefits that such processing may bring to … the child business account owners … are not a relevant element for the assessment of necessity of the processing. Article 6(1)(f) GDPR is clear when it states that the legitimate interests are those of the controller or of a third party (and not those of the data subject)”. The Report notes that if the necessity asserted is the need to implement the wishes of the data subject, then consent would instead be the most appropriate legal basis.
Step 3: The balancing exercise to determine whether data subjects’ interests or fundamental rights override the legitimate interest pursued
The third step requires the controller to carry out a balancing test which, according to the EDPB Guidelines 1/2024, should identify and describe:
- The data subjects’ interests, fundamental rights and freedoms.
- The impact of the processing on data subjects, including: the nature of the data to be processed; the context of the processing, and any further consequences of the processing.
- The reasonable expectations of the data subject.
- The final balancing of opposing rights and interests, including the possibility of further mitigating measures.
Part 2 – Key themes emerging from legitimate interest decisions
The Report identifies a number of key themes emerging from the SA decisions on legitimate interest, as set out below.
Theme 1: Differing outcomes of national assessments of legitimate interest
The Report highlights that the context-sensitive nature of legitimate interest, particularly the fact that national law is taken into account at various stages of the assessment of the three cumulative conditions described above, creates the possibility that the outcome of a legitimate interest assessment will diverge between Member States.
Theme 2: Retroactive reliance on legitimate interest as a legal basis
Although the EDPB has warned that legitimate interest should not serve as a “last resort”, the Report notes that in several OSS decisions controllers effectively took this approach by seeking to rely on legitimate interest when an SA would not accept the legal basis initially relied on.
The dominant position in the OSS decisions was that a controller could not retroactively change the legal basis for processing in this way, echoing the position taken in EDPB Guidelines 5/2020 on Consent. Several decisions stressed that a change of basis to legitimate interest would prejudice individuals by undermining their right to information regarding the legitimate interests pursued and their right to object to the processing.
The Report highlights one outlier decision. In that case, a ride-hailing company recorded taxi driver ratings of passengers, but in doing so wrongfully relied on contractual necessity as a legal basis under Article 6(1)(b) GDPR. It sought to retrospectively change its legal basis to legitimate interest under Article 6(1)(f) GDPR, and to retain the existing passenger ratings. The LSA took the view that this was permitted, as the Terms of Use / Privacy Policy, although inadequate, had referred in a general way to passenger data being processed on the basis of legitimate interest for the purposes of safety and security. The Report notes that this decision found that data subjects were not in substance harmed by the initial choice of the wrong legal basis and inadequate transparency, departing from other decisions which found that the lack of information and inability to object to the processing is itself a harm to the data subject.
Theme 3: Overlap with ePrivacy Directive
The Report highlights the legal complexities associated with the overlap between the GDPR and the ePrivacy Directive. The interaction between the two regimes is particularly important in relation to cookies, where the ePrivacy Directive generally requires informed consent for use. In addition, unlike under the GDPR, there is no OSS procedure under the ePrivacy Directive. Furthermore, enforcement of the ePrivacy Directive differs at national level, particularly in relation to unsolicited direct marketing and cookies. Although some Member States entrust enforcement of the ePrivacy rules to data protection authorities, in others enforcement is the responsibility of the telecommunications regulators and consumer protection agencies.
The division between the GDPR and ePrivacy enforcement is also important given that the ePrivacy Directive in some situations displaces GDPR requirements that would otherwise apply. This complex legal framework was reflected in a number of OSS decisions giving rise to both GDPR and ePrivacy issues. For example, the Swedish SA, acting as LSA, has found that it could not consider issues related to the legality of the use of cookies, as this was a matter reserved to the telecommunications regulator. Meanwhile, other LSAs who were competent to address ePrivacy issues have considered the legality of the use of cookies in final OSS decisions, notwithstanding that the OSS procedure itself does not apply to this issue. For example, the Romanian SA, acting as LSA, determined that a stock photography website had breached the national transposition of the ePrivacy Directive by using third-party (Google and Facebook) cookies for analytical and marketing purposes without first obtaining informed consent.
Theme 4: Consumer finance issues
Many OSS decisions surveyed related to consumer finance issues. These decisions concerned reliance on legitimate interests as a legal basis for credit checks; reporting of debts to credit default registries; public identification of debtors online; and for enforcing debts, in particular tracking down and contacting debtors using publicly available information.
Theme 5: Anti-fraud measures
The Report notes that the OSS decisions surveyed gave considerable latitude to controllers in relation to anti-fraud measures. In these decisions the balancing test tended to weigh in favour of the controller, reflecting the strength of the legitimate interest in preventing fraud. For example, the Swedish SA, acting as LSA, found that a company could rely on legitimate interest for fraud prevention purposes. In this instance, the company, which sold goods on invoice, forwarded details of orders placed on its website to a third-party fraud prevention service, including the customer’s name, email address, IP address, telephone number, the number of items purchased and the value of the transaction. The Swedish LSA accepted that this served the controller’s legitimate interest in preventing fraud, that outsourcing this function was necessary because the controller did not itself have the expertise to evaluate risk factors (such as whether the customer’s IP address indicated use of an anonymisation service, or whether multiple accounts shared the same IP address), and that the balancing test weighed in favour of the controller.
Theme 6: Rental vehicle monitoring
Several OSS decisions surveyed also concerned monitoring of rental vehicles, with concerns over excessive tracking of geolocation data. For example, in one case a car rental company collected geolocation data from rental cars at 500m intervals, whenever the engine was turned off or on, and whenever a door was opened. This data was transmitted in real time to the company and stored for the entire duration of the commercial relationship and for three years from the date of the user’s last activity. The French SA, acting as LSA, concluded that the collection and retention of such data was excessive and went beyond what was necessary to serve legitimate interests such as the prevention and management of theft.
The French LSA stressed the sensitivity of geolocation data, noting that the EDPB Guidelines 1/2020 warn that: “location data is particularly revealing of the life habits of data subjects. The journeys undertaken are very characteristic in that they enable one to infer the place of work and of residence, as well as a driver’s centres of interest (leisure), and may possibly reveal sensitive information such as religion through places of worship, or sexual orientation through places visited. Accordingly…data controllers should be particularly vigilant not to collect location data except if doing so is absolutely necessary for the purpose of processing.”
Comment
The Report notes that although the OSS database provides us with a useful sample of decisions relating to legitimate interests, it is far from a complete picture. This is because the OSS system, by definition, is limited to cases with a cross-border component, and the decisions were predominantly concerned with electronic marketing or online consumer transactions. Notably, there were no OSS decisions relating to the use of legitimate interests as a legal basis for employee monitoring or video surveillance, two areas which often give rise to legitimate interest questions.
Following an analysis of the OSS decisions related to legitimate interest, the Report flags four main reasons why controllers fail to successfully assert legitimate interest as a legal basis for processing personal data. These are:
- Failure to conduct or document a proper legitimate interests assessment before commencing processing.
- Asserting legitimate interests that are too vague. Use of generic language such as “measure content performance” or “apply market research to generate audience insights” was rejected by SAs as lacking the specificity required by the GDPR.
- Failure to pass the necessity test. SAs found that the processing frequently went beyond what was necessary to achieve the legitimate interest, and that a less intrusive approach could be adopted.
- Failure to pass the balancing test for a number of reasons, in particular due to the processing not respecting the reasonable expectations of data subjects.
It would be prudent for controllers to take these common failures into account when relying on legitimate interest as a legal basis, and documenting their legitimate interests assessment. The Report is useful reading for controllers when considering the scope of situations when legitimate interest might be relied on as a legal basis to process personal data.
Contact Us
For more information, or if you would like advice on whether legitimate interests can be relied upon for your data processing activities, please contact Matheson’s Technology and Innovation Group or your usual Matheson contact.
