Who: Data Protection Network (DPN)
When: 10 July 2017
Law stated as at: 4 September 2017
In July, the DPN – with contributions from the Direct Marketing Association (DMA) and the Incorporated Society of British Advertisers (ISBA) – published guidance on the use of legitimate interests under the General Data Protection Regulation (GDPR). The guidance has been welcomed by the UK’s Information Commissioner’s Office (ICO) and the Data Protection Commissioner of Ireland.
The GDPR sets out six lawful grounds or bases for processing personal data (there are separate grounds for processing special categories of personal data). One of those grounds (which, along with consent, is probably the most talked-about) is the “legitimate interests” ground. The GDPR (like its predecessor) provides that processing will be lawful if:
“…processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
Relying on the legitimate interests ground for processing requires a careful balancing exercise between the interests of the controller or a third party on the one hand, and the rights and freedoms of the individual on the other hand.
The guidance recommends undertaking a 3-stage “Legitimate Interests Assessment” in respect of each processing activity where the legitimate interests ground is being (or will be) relied on. That test requires organisations to:
- assess whether a “legitimate interest” exists;
- establish whether the particular processing activity is “necessary” for the pursuit of that (or those) legitimate interest(s); and
- perform a balancing test to decide whether a particular processing activity can be undertaken on the basis of the legitimate interests condition.
Helpfully, Appendix B of the guidance sets out a suggested template for undertaking a Legitimate Interests Assessment. Many organisations will already be undertaking a similar assessment as part of their GDPR readiness projects.
The guidance also attempts to tackle the difficulties with meeting the GDPR’s enhanced transparency requirements; specifically, the requirement to inform individuals:
- when processing is being undertaken on the basis of the legitimate interests ground;
- what those legitimate interests are; and
- that they have a right to object to processing which is being undertaken on the basis of the legitimate interests ground.
Reflecting the ICO’s Privacy Notices, Transparency and Control Code of Practice, the DPN recommends taking a layered approach, with a click-through to more detailed information on the legitimate interests ground. Of course, more innovative businesses may want to go further and take advantage of privacy-enhancing tools such as branded logos, videos and dashboards.
Why this matters:
More and more organisations are looking to the legitimate interests ground to justify certain processing activities, partly because valid consent is much more difficult to obtain under the GDPR. This is particularly the case for certain types of profiling, personalisation (for example, to inform targeted advertising and marketing), employee monitoring and the adoption of cloud-based services for hosting personal data. Those types of activities cannot usually be justified on the basis of any of the other lawful grounds for processing.
This guidance is a useful reminder to those organisations that the legitimate interests ground is far from a carte blanche to do as they wish with personal data. Relying on the legitimate interests ground requires careful thought and consideration; all of which should be documented as part of an organisation’s compliance ‘story’ (required by the principle of accountability).
Establishing that the legitimate interests ground can be relied on in the first instance is, of course, only part of the story. Individuals have a right to object to processing undertaken on that basis; for example, to object to certain types of profiling, to object to their personal data being used for analytics purposes or to object to their personal data being hosted on a cloud-based service.
Businesses may – in certain circumstances – be able to rebut an individual’s objection on the basis that they can demonstrate a “compelling legitimate interest” which overrides the individual’s interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. However, responding to requests in that way is likely to become more and more burdensome as the number of objections increases (a probable side effect of increased awareness).
Therefore, organisations should aim to:
- ensure that processing activities which are in the controller’s or a third party’s legitimate interests also serve to benefit individuals, and explain this to them; for example, to ensure that they are shown adverts for products or services that they might actually be interested in;
- (where possible) positively enable individuals to choose not to have their personal data used in a certain way; for example, using sophisticated, brand-friendly privacy dashboards (the implications of their choice should also be explained to them); and
- ensure that they have the technical means to act on an individual’s objection; for example, to cease using that particular individual’s personal data in a certain way.