A recent opinion by the Article 29 Working Party provides practical guidance on the applicability of the “legitimate interests” of a data controller as one of the grounds for the lawful processing of personal data under the EU Data Protection Directive 95/46/EC. The processing of personal data based on controller’s “legitimate interests” is a valuable option for data controllers, in particular where consent is unobtainable or impractical, such as in certain types of processing by companies that handle big data. Referring to legitimate interests as a ground for data processing requires a thorough assessment of, on the one hand, the legitimate interests pursued by data controller or by any third parties to whom the data are disclosed, and on the other hand, the interests and fundamental rights of the data subject. The balancing test between these two interests is necessary for deciding whether the rights of the data subject can be overridden.
This Opinion is highly relevant in the context of the recent Memo on Big Data issued by the European Commission on 2 July 2014, as it ensures the unified interpretation and implementation of the “legitimate interests” ground for data processing under the current Directive throughout the EU. It also provides policy recommendations for the future EU General Data Protection Regulation. Businesses involved in processing big data or in combining existing data with new data sources should carefully study this Opinion.
The Opinion was published on 9 April 2014 by the Working Party and provides a detailed analysis of the criteria that make data processing legitimate per Article 7 of Directive 95/46/EC. From six legal grounds for the processing of personal data stipulated in Article 7, the most known and widely used are:
- the unambiguous consent of the data subject
- processing that is necessary for the performance of a contract with the data subject
- processing necessary for compliance with a legal obligation of controller.
A less constraining ground for processing, as stipulated under Article 7(f), permits the processing of personal data necessary for the purposes of the legitimate interests pursued by the controller or third parties, subject to an additional test balancing the data controller’s interests against the data subject’s fundamental rights and interests.
Application of the balancing test
For a proper assessment of the balancing test, companies have to consider a number of factors, including:
- the nature and source of the controller’s legitimate interest and whether the data processing is necessary and proportionate for the exercise of a fundamental right (e.g., freedom of expression by a newspaper publishing about a corrupt official or interests of the wider community in whistleblowing schemes to combat financial fraud)
- the impact of processing on the data subject and their reasonable expectations about what will happen with their data, as well as the nature of the data (i.e., sensitive data) and how it is processed (e.g., large amounts of personal data are processed or combined with other data, such as profiling or for commercial purposes)
- additional safeguards which could limit the impact of processing on the data subject (e.g., data minimisation, anonymisation, pseudonymisation, unconditional right to opt-out).
If the balancing test falls in favour of the data subject, companies are not allowed to use Article 7 (f) as a legal ground for the processing of personal data.
New obligations for data controller
If the Working Party’s legislative advice on the legitimate interests ground is followed, the data controllers under the proposed regulation will be required to conduct their assessment as described above. They will also have to thoroughly document their assessment and communicate their processing of personal data, as well as any other additional safeguards used, to the data subjects affected.
If your company is involved in big data, the legitimate interests ground may be an important alternative to the processing of personal data based on prior consent. Companies that opt for the legitimate interest ground must do a thorough balancing test to weigh the company’s interests against the interests of the data subject.
We also recommend that companies closely monitor legislative developments on this issue. The results of the public consultation on this Opinion are expected shortly and will offer additional insight into the applicability of the controller’s legitimate interest as a ground for processing of personal data.
Read the full text of the Opinion here.
Read the memo of the European Commission “Making the most of the Data-Driven Economy” here.