The concept of legitimate interests under the Data Protection Directive (95/46/EC) ("DPD") has traditionally been a grey area, but a recent opinion from the Advocate General (the "Opinion"), following a referral to the ECJ on a Latvian road accident case in 2012, seeks to provide some guidance.
What are legitimate interests?
Legitimate interests are not defined in the DPD but transparency or the protection of property, health and family life are held to be legitimate interests. Ultimately it is for data controllers to determine whether there is a legitimate aim which justifies the interference with private life.
Under Article 7(f) of the DPD, one ground on which data controllers may lawfully process personal data is where the processing is necessary for the purposes of the legitimate interests pursued by the data controller, or by the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1) ("Article 7(f)").
Why was the Latvian road accident case referred to the ECJ?
In this case, a taxi passenger damaged a bus by opening the taxi's door onto it. The bus company asked the police for the name, ID number and address of the passenger, but the police refused to disclose the ID number and address on the basis that they were prohibited from doing so by the Latvian data protection agency.
This case was referred to the ECJ for a preliminary ruling to determine whether Article 7(f) imposes an obligation on the data controller to disclose all personal data enabling identification of the person allegedly responsible for an offence, so that the data controller can begin civil proceedings.
Advocate General's guidance:
In the guidance of 26 January 2017, the Advocate General held that:
Article 7(f) does not impose an obligation on data controllers to disclose information so that civil litigation can be initiated, but provides permission to do so "so long as a number of elements are united". To meet the requirement of legitimate interests, the following three elements must be met:
the existence of a legitimate interest justifying processing;
the prevalence of that interest over the rights and interests of the data subject; and
the necessity of processing for the realisation of the legitimate interests.
Issuing a legal claim is a legitimate interest, and disclosure of personal data is indispensable to issue a legal claim.
The bus company's interest in obtaining the personal information of a person who damaged their property in order to sue for damages qualified as a legitimate interest.
Under the GDPR, the concept of legitimate interests can be relied on as a processing condition. However, as under the DPD, this is not clear cut. Care should be taken when relying on the 'legitimate interest' processing condition, as it requires an assessment of the interests of the data controller and the potential impact on the data subject's privacy. This is essentially a subjective opinion, which could have financial impact if the supervisory authority disagrees.
The concept of legitimate interests is not straightforward and organisations should take care when trying to rely on it. In particularly tricky cases, organisations should keep documentary evidence of the balancing act that they perform and the reasons for their decision. Under the GDPR, organisations may have to move away from relying on consent for their processing of (non-sensitive) personal data to be lawful, and rely more on the "legitimate interests" processing condition. This Opinion and the final ECJ decision may be useful guidance on this issue.
The Advocate General's Opinion can be read here.