Is processing personal data under ‘legitimate interest’ creepy or cool?

With less than 200 working days left before Regulation 2016/679 (General Data Protection Regulation) kicks in, a new global study published by the Centre for Information Policy Leadership – a privacy and security think tank – claims that organisations in the US, South America, Europe and Asia are confused about the legal basis for processing personal data under the GDPR.

A total of 223 senior managers of multi-national companies (57% Data Controllers, 43% Data Processors) responded to the survey across a wide variety of sectors including financial services, healthcare, pharma, technology and telecoms.

The authors of the study explored the reasons why organisations choose to rely on ‘legitimate interest’ as a basis for processing personal data and the reaction this could have among customers, clients, supporters and employees.

What the researchers didn’t ask was whether processing personal data under a ‘legitimate interest’ is creepy or cool. Arguably, that question would have produced some interesting data points, and I’ll leave you to work out the answer for yourself.

So let me put my cards on the table.

There are two very important principles that run all the way through the 99 Articles of the GDPR. They are transparency and accountability.

In an ideal world, seeking the unambiguous consent of the Data Subject to the processing of personal data, and explicit consent to the processing of special categories of personal data (Art.9, GDPR), are two powerful ways of demonstrating compliance with these principles.

For me, consent in this context is the ‘gold standard’. And I’ll stick my neck out a bit more and argue it’s erroneous to believe that legitimate interest and consent are equally valid. They’re not, even accepting the fact that the most appropriate lawful basis for processing personal data will depend on the personal data being processed and the purposes for that processing.

Many lawyers will of course disagree with me and argue there’s no hierarchy of the lawful bases for processing personal data. Technically, they’re right.

But apply the ‘creepy or cool’ test and you get a different answer.

I accept that organisations will want more information about ‘legitimate interest’ as a basis for processing personal data but there’s already existing guidance about it on the UK Information Commissioner’s Office (ICO) web site and from the Art.29 Data Protection Working Party. And more guidance on the subject is going to be published by the ICO next year. But you don’t have the luxury of watching and waiting.

It’s important to remember that if you’ve previously been processing personal data on the basis of consent and change the basis of processing to that of legitimate interest, you’ll need to inform the Data Subject and they have the right to object.

And remember, legitimate interest isn’t a quick fix. The Data Controller must provide the Data Subject with a Data Privacy Notice (Arts.13 and 14, GDPR), which must name the legitimate interest relied on, and the Data Subject can again object to the processing of their personal data. The burden of proof isn’t on them: it’s on you to demonstrate a legitimate interest that isn’t overridden by their interests, rights and freedoms.

What the GDPR says

Under Art.6, GDPR there are six grounds that provide a lawful basis for the processing of personal data:

  1. Consent
  2. Contract
  3. Compliance with a legal obligation
  4. Protection of vital interests of a Data Subject
  5. Public interest/official authority
  6. Legitimate interest.

You have to wonder whether Data Controllers and Data Processors have been grappling with the conundrum as to the legal basis for processing personal data for the past 20 years or whether this issue has only just come to light under the GDPR?

The reality is that it’s a bigger deal in the digital economy and has grown in importance as a result.

Key research findings

A key finding of the research was that companies were aware that the GDPR would make it harder for them to obtain consent to process personal data, and over half of respondents (51%) intend to rely on legitimate interest as the basis for processing personal data after 25 May 2018. In addition, 31% of respondents intend to make more use of legitimate interest under the GDPR than they currently do.

Of course, some of these global companies will be able to show that the legitimate interest in processing personal data isn’t overridden by the rights, freedoms and interests of Data Subjects, for example, in maintaining security of processing at the workplace or keeping HR records for legal requirements.

However, the impression remains that some of these companies consider their use of personal data to be legitimate by default – for example, because they find it useful to collect and process personal data to enhance their business.

Or they might regard ‘legitimate interest’ as the least cumbersome reason on which to base their personal data processing.

This should also be read in light of another stark finding: only 24% of all respondents believed they would be compliant with the GDPR in time, and 76% recognised they had their work cut out because ‘the GDPR has teeth and it will bite.’

So is the confidence in using legitimate interest as a basis for processing personal data misplaced?

Fans of using legitimate interest as a basis for processing personal data

Legitimate interest may be considered where:

  • another lawful basis isn’t available due to the nature and/or scope of the proposed personal data processing, or
  • there are a number of lawful bases that could be used but legitimate interest is the most appropriate.

When considering the lawful basis that’s most appropriate to rely on for the processing of personal data, the Data Controller should take account of the privacy rights of individuals under each lawful basis of processing.

It’s important to note that these rights may differ depending on which lawful basis a Data Controller may choose to rely on.

For example, if a Data Controller relies on legitimate interest for profiling activities of customers, the Data Subject has the right to object to profiling under Art.21, GDPR.

However, if the Data Controller uses consent for its profiling activities, the Data Subject doesn’t have this right to object but can withdraw consent at anytime.

Fans of legitimate interest argue that the Data Controller may prefer to rely on the ground of legitimate interest because, when a Data Subject objects, the Data Controller has the opportunity to defend its decision and may continue processing if it can demonstrate compelling legitimate grounds that override the Data Subject’s interests, rights and freedoms (Art.21(1), GDPR). By contrast, when consent is withdrawn, the personal data processing based on that consent must cease immediately.

Recitals 47-50, GDPR describe circumstances under which a Data Controller may have a legitimate interest:

  • Direct marketing to prospects and customers
  • Reasonable expectation of processing the personal data
  • Where there’s a relevant and appropriate relationship
  • Where it’s strictly necessary for the purposes of preventing fraud
  • Where personal data is being processed within an organisational group
  • Necessary and proportionate for the purpose of ensuring network and information security.

It should be noted that Art.6(1)(f), GDPR does not apply to processing carried out by public authorities in the performance of their tasks, so a public authority can’t rely on legitimate interest as a basis for that processing.

Downsides for relying on legitimate interest

Unfortunately, legitimate interest is far from a catch-all justification.

Companies and organisations will need to justify their reliance on legitimate interest: they will have to fully assess that interest against the rights, freedoms and interests of individuals, notify individuals of the interest being relied on, and uphold individual objections unless there are compelling legitimate grounds for continuing to process the data.

Reaction of customers, clients, supporters and employees?

Well, don’t expect universal applause. In many respects, legitimate interest is an ‘expectation test’ that requires companies and organisations to consider whether a Data Subject can reasonably expect their personal data to be processed.

For those Data Controllers that don’t have a direct relationship with an individual, this will be a very high hurdle to clear. And even for companies and organisations with a direct relationship, the ‘expectation test’ will be interpreted much more strictly than many expect.

Most commentators predict that once the GDPR becomes enforceable on 25 May 2018, regulators and Supervisory Authorities will want to make their mark. Expect legitimate interest to play a big part in those early cases, as organisations continue to rely on it as a lawful basis for processing personal data.

For information about the GDPR Transition Programme at Henley Business School, see the programme page.
