Five key takeaways from recent EU developments on the GDPR’s “legitimate interests” legal basis

In the past few weeks, there have been significant developments relating to the "legitimate interests" legal basis under Article 6(1)(f) of the GDPR:

• On 4 October 2024, the Court of Justice of the EU ("CJEU") handed down its judgment in a case relating to the Royal Dutch Lawn Tennis Association (Case C-621/22, KNLTB), confirming that "commercial" interests when processing personal data can constitute legitimate interests.
• On 8 October 2024, the European Data Protection Board ("EDPB") adopted its long-awaited draft guidelines on when controllers can rely on legitimate interests ("Draft Guidelines"), which update a 2014 opinion from the Article 29 Working Party ("WP29"). The Draft Guidelines are open for consultation until 20 November 2024.

We set out below five key takeaways from the Draft Guidelines and the KNLTB case, and how these developments may affect a GDPR-regulated data controller's ability to rely on legitimate interests in the future to process personal data.

1. Commercial interests can be a "legitimate" interest

The CJEU has consistently held that relying on the legitimate interests legal basis requires controllers to pass a three-step test. The first limb of the test requires controllers to establish that their processing supports "legitimate interests" pursued by the controller or a third party. In the KNLTB case, the Dutch data protection supervisory authority ("SA") asked the CJEU questions about the nature of those interests: specifically, whether commercial interests could be legitimate.

The background here seemed relatively innocuous: could the tennis club, a data controller, rely on legitimate interests to share data about its members with third parties for marketing purposes? The Dutch SA concluded that it could not, and that it failed the first limb of the test because the interests pursued by its processing were "commercial" and any interest, in order to be "legitimate", must be determined by or reflected in law. The SA imposed a fine of 525,000 Euros upon the tennis club for the GDPR breach. It appealed, and a Dutch court asked the CJEU to clarify whether a controller can, in principle, rely on: (a) legitimate interests that are not expressly identified in law; and (b) on "commercial" interests. In a relatively short judgment, the CJEU confirmed that controllers can rely on legitimate interests not affirmatively or positively established in law, and that commercial interests can, in principle, constitute legitimate interests provided that those commercial interests are not unlawful. This is a welcome ruling for controllers, who will be able to continue to take the position that they can rely on legitimate interests for various commercial practices, provided that they also meet the second and third limbs of the assessment.

The Draft Guidelines reiterate this position, but also note that to be "legitimate," the interests pursued must be clearly and precisely articulated, and real and present. This suggests: (a) that there are close links between relying on legitimate interests and the GDPR's transparency obligations (under which controllers must identify the legitimate interests they pursue); and (b) that hypothetical interests will not be sufficient.

1. Controllers have to consider carefully whether processing is "necessary" to meet each of the interests they pursue

In the Draft Guidelines, the EDPB reiterates the CJEU's prior holdings in relation to the second limb of the legitimate interests test: that processing will be necessary to meet legitimate interests only where there are no "reasonable, just as effective, but less intrusive alternatives." Notably, however, the Draft Guidelines state that "in practice, it is generally easier for a controller to demonstrate the necessity of the processing to pursue its own legitimate interests than to pursue the interests of a third party." To the extent that controllers rely on third parties' interests when they use the legitimate interests legal basis, they are likely to have to consider this necessity requirement particularly carefully.

1. The EDPB's assessment of the third limb of the balancing test appears to make it more challenging to rely on legitimate interests than the WP29's 2014 opinion

The third limb of the legitimate interests test requires controllers to balance the interests they pursue against the rights, freedoms, and interests of affected data subjects. The EDPB's Draft Guidelines emphasize, again consistent with CJEU jurisprudence, that this requires a case-by-case assessment taking into account a number of factors, including the impact of the processing on affected data subjects, their reasonable expectations, and the safeguards the controller has put in place. The way that the Draft Guidelines structure the balancing assessment, however, suggests that there is a higher bar for relying on legitimate interests than was set out in the WP29's pre-GDPR opinion. For example:

• Unlike the 2014 opinion, the EDPB does not expressly state that the strength of the legitimate interests pursued by a controller is a relevant factor in the balancing test;
• The EDPB also expressly states that measures a controller has taken to comply with the GDPR are not relevant, even though those measures (e.g., transparency, the right to object, short retention periods, and security measures) could clearly mitigate the impacts of the processing on data subjects; and
• The Draft Guidelines indicate that transparency measures will not necessarily assist a controller in setting a data subject's reasonable expectations, and that simply because processing is common practice does not mean that it would be within their reasonable expectations.

We expect that some stakeholders might raise concerns about some of these points in the consultation.

1. The EDPB reiterates the high bar that exists for establishing compelling legitimate grounds and rejecting objections to processing under Article 21 GDPR

Article 21(1) grants data subjects the right to object to any processing carried out on the basis of legitimate interests "on grounds relating to [their] particular situation," and that the controller must cease the processing unless they have "compelling legitimate grounds" that override the data subject's rights, freedoms, and interests. The Draft Guidelines set out the EDPB's view that a high bar must be met when rejecting an objection. It states that:

• Even if a data subject does not elaborate much on their particular situation in any detail, that is not per se a reason to reject an objection (if the controller has doubts as to the "particular situation" of the data subject, it can ask them to elaborate); and
• When conducting the balancing test following an objection, the controller may only take into account "compelling" legitimate interests, and not all legitimate interests will meet this standard. The interests must be "essential" to the controller-for example if the processing is necessary to protect the controller or systems from "serious immediate harm or from a severe penalty which would seriously affect its business."

1. The EDPB indicates that it is possible to rely on legitimate interests to share data with public authorities (in the EU)

In the 2023 Meta v Bundeskartellamt case (C-252/21), the Court was asked whether Meta could collect data on an ongoing basis from other group services as well as from third-party websites and apps for the purpose of sharing information with law-enforcement agencies and responding to legal requests in order to prevent, detect and prosecute criminal offences, unlawful use, breaches of the terms of service and policies, and other harmful behaviour.

In response, the Court stated that "the sharing of information with law-enforcement agencies in order to prevent, detect and prosecute criminal offences . . . is not capable, in principle, of constituting a legitimate interest pursued by the controller" because in relation to a private entity, that processing "is unrelated to its economic and commercial activity." This holding, viewed in isolation, understandably has caused some alarm.

The Draft Guidelines attempt to provide more clarity based on the GDPR and the ruling in Meta. In particular, the EDPB states that a private entity can rely on legitimate interests to "report to law enforcement authorities possible criminal acts or threats it may occasionally become aware of." The Draft Guidelines contrast this with "collect[ing] and stor[ing] personal data in a preventive and systematic manner specifically to be able to provide such data to law enforcement authorities" (our emphasis).

The Draft Guidelines also provide that a controller could, in some scenarios, have a legitimate interest in disclosing personal data in response to requests from a third country (i.e., non-EU/EEA) law enforcement authority or public administration, "in particular if the controller is subject to third country legislation and non-compliance with such request would entail sanctions under foreign law". This analysis is context-dependent. The EDPB reiterates that it has in the past, based on a specific set of facts, taken the view that the interests or fundamental rights and freedoms of the data subject overrode the controller's interest in complying with a request from a third country law enforcement authority to avoid sanctions for non-compliance.

* * *

Covington's Data Privacy and Cybersecurity Practice regularly advises on GDPR compliance, SA investigations, and privacy litigation before the CJEU. If you have any questions about the impact of these developments on your business, or if you are interested in responding to the consultation on the Draft Guidelines, please do not hesitate to contact us.

(This post was written with the assistance of Alberto Vogel).

Public link

Please use the above public link if you want to share this noodl on another website.