On April 10th, the Article 29 Data Protection Working Party (“WP”), the independent advisory body on which the EU data protection authorities and the EU Commission are represented, issued a very thorough opinion on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (“Directive”).
Under this provision, personal data may be processed if processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subjects.
The WP recognised “the significance and usefulness of the Article 7(f) criterion, which in the right circumstances and subject to adequate safeguards may help prevent over-reliance on other legal grounds. Article 7(f) should not be treated as ‘a last resort’ for rare or unexpected situations where other grounds for legitimate processing are deemed not to apply”.
The opinion suggests a balanced approach to legitimate interest, one that gives data controllers the necessary flexibility in situations where there is no undue impact on data subjects.
On the other hand, the WP stressed the need for an adequate application of the balancing test in order to avoid possible abuses. In particular, the opinion outlined three key factors to be considered for a fair balance of interests:
- the nature and source of the legitimate interest;
- the impact on the data subjects;
- additional safeguards to prevent undue impact on the data subjects.
Such safeguards include:
- data minimisation;
- privacy-enhancing technologies;
- increased transparency;
- general and unconditional right to opt-out;
- data portability & related measures to empower data subjects.
To explain the rationale behind its opinion, the WP pointed out that the lack of a harmonised interpretation of Article 7(f) of the Directive has led to divergent applications in the EU Member States. The resulting lack of legal certainty and predictability may, on the one hand, weaken the position of data subjects and, on the other hand, impose unnecessary regulatory burdens on businesses and other organisations operating across borders.
Quite understandably, these recommendations have been received with some skepticism in EU Member States where, in past years, the criterion of legitimate interest has been widely exploited and where the guidelines of the WP are perceived as a sort of restriction with respect to the provision of Article 7 of the Directive.
By contrast, the key message of the opinion should prompt quite different reflections in other EU countries, first of all Italy.
Indeed, in Italy, according to the Italian Data Protection Code, prior approval of the Italian Data Protection Authority (“Garante”) is needed in order to start a data processing operation that relies on the legitimate interest of the data controller. In other words, an organization that wishes to start processing data on this ground must file a prior application with the Garante, which may or may not authorize the processing. This is a proceeding that might take a couple of years: a geological era for the ICT industry.
Earlier this year, the Garante sent out an S.O.S. message, publicly complaining of its under-staffing in comparison with the corresponding Data Protection Authorities of the major EU countries.
In such circumstances, making the use of such a valuable option conditional on the burdens and timeframes of an administrative proceeding before an Authority that does not have the necessary resources to react within a reasonable time span de facto means depriving data controllers of a fundamental tool for their privacy policies.
In a global scenario where Big Data and the Internet of Things are assuming tremendous importance for a growing number of stakeholders, the Italian approach to legitimate interest seems to be an inheritance of the past that is no longer sustainable.
The new EU Data Protection Regulation, which, hostage to the lobbies, has been under discussion since the beginning of 2012, will in the best case be approved in its final version in 2015 and will not enter into force before 2017.
In the meantime, what will be the short-term remedy to adapt the Italian legal framework to the inescapable challenges that new technologies are posing?
The EU watchdogs, with the opinion discussed here, seem to show a possible safe path for taking a first step without affecting the fundamental rights of the data subjects.
The hope is that the Italian lawmakers will not miss the opportunity to consider such an important guideline from Europe. Technology cannot wait for the pace of bureaucracy; rather, it is good policy that should chart the course on which technology can flourish and create opportunities.