This article was originally published in World Data Protection Report on June 7, 2014.
When precisely is a data controller lawfully permitted to process personal data?
If a data controller does not have the consent of a data subject to process his or her data, when does the “legitimate interest” condition bite?
These are the million-dollar questions that the many EU entities (as well as those farther afield) that process data grapple with on a daily basis.
The EU Data Protection Directive (95/46/EC) sets out six grounds on which EU data controllers can lawfully process personal data. In addition to consent, the processing being “necessary” for the performance of a contract and so on, Article 7(f) of the Directive also lists “legitimate interests” as a basis for lawful processing of personal data.
What constitutes (or does not constitute) a legitimate interest, however, has been interpreted in different ways across the EU, as member states have been left to implement the Directive under their national laws.
In many cases, it is interpreted liberally in an attempt to shoe-horn dubious processing within the four corners of the legislation (the author having seen many examples of this).
In others, perhaps because it appears at the bottom of the Article 7 list of grounds for processing, legitimate interest has been viewed as something of a last resort, which should be relied on only in the narrowest of circumstances, e.g., where other conditions do not bite.
This has led to questions over precisely what the parameters of this condition are.
On April 9, 2014, the EU Article 29 Data Protection Working Party adopted “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC” (WP 217), providing guidance on how to apply Article 7(f) under the current legal framework. The welcomed guidance includes a useful list of examples designed to illustrate when the condition bites, and also makes recommendations for future improvements.
In summary, the Opinion confirms that three conditions must be satisfied before a data controller (or a person to whom data is disclosed) can rely on the legitimate interest ground:
- It must have a legitimate interest to process the data;
- The processing must be necessary for that interest; and
- Its interests must outweigh the interests and fundamental rights of the data subjects — which requires a balancing test to be performed.
A closer examination of the Opinion is set out below.
What Constitutes a Legitimate Interest?
The Opinion represents the most comprehensive attempt to date at an EU level to pin down the arguably flexible wording of Article 7(f).
The Opinion notes from the outset that the notion of legitimate interest could include a broad range of interests, whether trivial or very compelling, straightforward or more controversial, before setting out a non-exhaustive list of some of the most common contexts in which the issue of legitimate interest within the meaning of Article 7(f) may arise.
This list includes various contexts one would ordinarily expect to see, such as processing for the enforcement of legal claims, to prevent fraud and to protect the safety of employees, along with other contexts that would arguably not immediately spring to mind, including processing for historical purposes or research purposes.
The key, the Opinion notes, is for the legitimate interest to be: 1) lawful, 2) sufficiently articulated (i.e., specific) to allow the balancing test to be carried out (more on this below), and 3) not speculative.
Once a legitimate interest is identified by a data controller, this is just the starting point, however. Whether it can be relied upon by a data controller or a third party to whom data is disclosed will ultimately depend on the outcome of the delicate balancing act that follows.
To illustrate this point, the Opinion notes that a data controller may have a legitimate interest in getting to know its customers’ preferences so as to better target customers with products and services that better meet their needs. Whilst Article 7(f) may be an appropriate ground to be used for some types of marketing activities, this does not necessarily mean that a controller could rely on it to unduly monitor the online/offline activities of customers, to combine vast amounts of data about them from other sources and to create complex profiles of customers’ preferences without their knowledge (let alone opt-in consent) or a workable mechanism to object. In such a case, the Opinion notes that such profiling activity would likely present a significant intrusion into the privacy of a customer, so that the controller’s interest would be overridden by the interests and rights of the data subject.
The Balancing Test
As noted, once a legitimate interest has been identified, Article 7(f) then calls for a balancing test, as the Working Party explains: the legitimate interest of the controller (or third party) must be balanced against the interests or fundamental rights and freedoms of the data subject. This balancing test determines whether Article 7(f) may be relied upon as a legal ground for processing.
According to the Working Party, the key factors to be considered when applying the balancing test are:
1. Assessing the Controller’s Legitimate Interest
A controller’s legitimate interest could include the exercise of a fundamental right (e.g., freedom of expression, freedom to conduct a business, the right to property, the right to an effective remedy and a fair trial, etc.), might coincide with a public interest (e.g., combating fraud) or might arise from another legal, cultural or social factor.
2. Assessing the Impact on Data Subjects
Data controllers should then consider the nature of the data, the way the information is being processed, the reasonable expectations of the data subjects and the status of the controller and the data subject, before deciding whether to rely on the condition.
In general, the Opinion notes that the more sensitive the data involved, the more consequences there may be for the data subject, although this does not mean that seemingly innocuous data can be freely processed based on Article 7(f).
Importantly, it is also considered that, if data has already been made publicly available by the data subject or by third parties, this may be relevant in tipping the balance in favour of the data controller, although, as the Working Party pointed out in its recent opinion on personal data breach notification (WP 213) (see analysis at WDPR, April 2014, page 6), the term public can connote different degrees of availability.
In terms of assessing the balance of power between the data controller and the data subject, the Opinion considers that, whilst the balancing test should in principle be made against an average individual, specific situations should lead to a more case-by-case approach. For example, it would be relevant to consider whether the data subject is a child or otherwise belongs to a more vulnerable group before deciding in whose favour the balance tips.
Crucially, the Opinion does emphasise that not all negative impacts on data subjects “weigh” equally on the balance, and that the purpose of the balancing exercise is not to prevent any negative impact on the data subject. Rather, its purpose is to prevent disproportionate impact. In other words, just because a negative impact is identified, this does not remove the ability for a data controller to rely on Article 7(f).
3. Provisional Balance
The Working Party goes on to consider the importance of throwing the various horizontal requirements of the Directive into the balancing mix.
In particular, that measures taken by data controllers to comply with the Directive’s broader requirements (e.g., principles of proportionality and transparency) would contribute to ensuring that the potential negative impact on individuals is reduced and, as such, that the data controller meets the requirements under Article 7(f).
However, such horizontal compliance would not necessarily guarantee that the balance is tipped in favour of the data controller in all cases, and, if a clear determination cannot be made, an additional analysis will be required to determine whether “additional safeguards” need to be put in place to allow reliance on the legitimate interest ground.
4. Additional Safeguards Applied by the Data Controller
In terms of the additional safeguards a data controller could look to implement in seeking to rely on Article 7(f), the Working Party considers that these may include: technical and organisational measures to ensure that the data cannot be used to take decisions or other actions with respect to individuals; anonymisation techniques; aggregation of data; privacy-enhancing technologies; and increased transparency.
In providing such a step-by-step account of how a data controller could look to comply, the Opinion represents the most comprehensive attempt to date at an EU level to pin down the arguably flexible wording of Article 7(f).
Recommendations for Improvements
In terms of what’s on the horizon, the Working Party also makes a number of recommendations in the Opinion for the proposed Data Protection Regulation to replace the Data Protection Directive, which has the strong backing of the European Parliament and was debated by the Council of Ministers in June 2014.
In particular, the Working Party recommends incorporating two new recitals into the draft Regulation: one containing a non-exhaustive list of key factors to consider when applying the balancing test; and another which requires data controllers to document their Article 7(f) assessments so as to demonstrate in practice their enhanced accountability obligation.
In addition, it is recommended that a provision be added to the Regulation requiring data controllers to disclose to individuals why they consider their interests not to be overridden by data subjects’ interests and fundamental rights.
This would be a significant step forward for the rights of data subjects, if implemented, but could be viewed as particularly cumbersome for data controllers, especially when viewed in conjunction with some of the other wide-sweeping changes the draft Data Protection Regulation seeks to introduce and which have been opposed in some quarters (appointment of data protection officers, greater use of impact assessments for data controllers, etc.).
Whilst it remains to be seen whether any of these recommendations will make their way onto the statute book, controllers looking to rely on the Article 7(f) condition now should take heed of this guidance going forward, as compliance with it could no doubt help shield against any regulator investigation alleging that data was unlawfully processed. Ensuring that the decision-making process is documented prior to relying on the condition, which remains something of an enigma, is key.
For More Information
The Article 29 Working Party’s “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC” (WP 217) can be accessed here.