‘Legitimate Interest’, the GDPR’s Great Unknown

A new kid on the GDPR’s block?

Can marketers rely on ‘legitimate interest’?

Marketers struggling through the complexities of the GDPR noticed that - according to Article 6/1/f of the Regulation - one of the bases for lawful data handling was that of “processing .. necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” They immediately started to wonder whether ‘legitimate interest’ offered a way to conduct their business without needing to seek individuals’ consent before targeting them with promotional messages. They also tried to figure out what purposes would be covered by the reference to legitimate interest as a lawful processing basis and may have been delighted to learn that – according to the last sentence of the Regulation’s recital no. 47 – “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

A few things to bear in mind.

However, there are a few things marketers should duly consider before abandoning themselves to excessive enthusiasm.

The concept of ‘legitimate interest’ as a basis for lawful data processing is anything but new, as it already appeared in the former general EU data protection directive (no. 46 of 1995, which also set - in Article 7/f - that data could be lawfully handled when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1.”).

Even then, it was clear that identifying what amounted to a ‘legitimate interest’ of the controller for data processing without consent was not an easy task. The Article 29 Data Protection Working Party tried to offer some useful indications through its Opinion (WP 217) no. 6 of 2014. Summarizing the WP’s – extensive – opinion, it appears that the reference to “(any kind of) legitimate interest pursued by the controller (in any context)” does not constitute a free pass for processing without consent, as such “general provision, however, is specifically made subject to an additional balancing test, which requires the legitimate interests of the controller - or the third party or parties to whom the data are disclosed – to be weighed against the interests or fundamental rights of the data subjects.”

The opinion then went on to specify that “to be considered as 'legitimate' and be relevant under Article 7(f), the interest will need to be lawful, that is, in accordance with EU and national law. It must also be sufficiently clearly articulated and specific enough to allow the balancing test to be carried out against the interests and fundamental rights of the data subject. It must also represent a real and present interest - that is, it must not be speculative.”

From the data subject’s perspective, the opinion holds that, when relying on ‘legitimate interest’, the controller must take into account: the nature of the data (is sensitive information involved?), the way they are processed (are they publicly disclosed or made accessible?), the data subject’s reasonable expectations (e.g. as to context relevance), the status of both the controller and the data subject (e.g. with respect to the latter’s age or position in relation to the controller), and the possible adoption of safeguards to prevent undue impact.

Is ‘legitimate interest’ a free pass for marketers?

Have the provisions of the GDPR changed these requirements and – through the reference in Recital 47 – automatically transformed ‘marketing’ into a ‘legitimate interest’, no longer requiring data subjects’ consent for the processing of their data?

For a number of reasons, it would be unwise – in my personal view – to assign such an effect to the reference above.

First of all, the GDPR has not abolished the provisions laid down in the ePrivacy Directive (Directive 2002/58/EC, concerning the processing of personal data and the protection of privacy in the electronic communications sector). The Regulation is clear about the continued validity of the legal requirements of Directive no. 58/2002, as - in Article 95 – it states that “this Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.”

Hence, the total ban on automated (‘cold’) approaches (through unsolicited phone calls, fax machines or electronic communication) to prospective customers for direct marketing purposes remains in place (reference is to Article 13/1 of Directive no. 58/2002). The same goes for the opt-out option to be offered to customers with whom marketers have a business relation in place, allowing them to refuse further receipt of promotional messages for direct marketing purposes. The consent requirement (set in Article 9/1) for processing users’ location data also remains.

Looking at the Italian implementing provisions of the GDPR (which update the previously applicable Privacy Code to the new regime), we find explicit confirmation that the above-mentioned ‘opt-in’ – ‘opt-out’ system is still valid.

Marketers should therefore refrain from looking at the GDPR’s complex provisions superficially and simplistically and from drawing hasty conclusions. Otherwise they could find themselves badly hurt.