Even before the GDPR, legitimate interests was one of the most frequently used bases that organisations relied upon to justify the processing of personal data. However, the GDPR placed increased obligations and scrutiny on this practice. Particularly in industries where business models are increasingly built around the use of personal information, understanding where organisations can legally rely on legitimate interests, and where the rights of individuals will be considered “overriding”, is key to compliance.
Legitimate interests have been used as a flexible basis to justify data-driven operations since the Data Protection Directive in 1995. This rose to the fore in the Google Spain case (Case C-131/12 Google Spain SL, Google Inc. v Agencia Espanola de Proteccion de Datos (AEPD), Mario Costeja Gonzalez, judgment of 13 May 2014), in which the Court of Justice of the European Union (CJEU) considered how to balance, on one side, the legitimate interests of the internet search engine provider and of internet users in receiving and having access to information in search results and, on the other, the rights of the data subject (here Mr. Gonzalez) to his privacy. In weighing these competing rights, the court considered both the centrality of the data processing to the commercial activity of a search engine and the sensitivity of the information and the public profile of the data subject.
Changes under the GDPR
Under the GDPR, the legal test for legitimate interests places the onus on the controller to demonstrate that the interests or the fundamental rights and freedoms of the data subject do not “override” the controller's interests, whereas formerly the test was only whether such processing was “unwarranted”. This is a much higher hurdle. On top of this new balancing test, the legitimate interests relied upon must now be published in a Privacy Notice, and individuals are able to request specific information on the legitimate interest assessment that was conducted. This increases the obligations and scrutiny on the controller to ensure that a proper risk analysis is carried out.
On the plus side for companies, examples of legitimate interests are now specifically provided under the GDPR and are being elaborated on in supervisory authority guidance, including, for example, the prevention and detection of fraud, network security and employee monitoring. However, the weight given to the data subject's interests as against the controller's, and consequently the protective safeguards that must be put in place (such as increased notice to data subjects or a reduction in the scope of processing), will differ vastly across EU member states for certain ‘legitimate’ activities such as employee monitoring.
A year on from the GDPR’s entry into force, the circumstances in which legitimate interests can be relied upon are still evolving. As this is an area in which case law and best practice are likely to play a huge part, all organisations should keep themselves updated.