The European Data Protection Board issued draft guidelines last month that outline when processing can be considered done for “legitimate interest.” The public has until November 20 to provide comments to the draft.

As most know, under GDPR, legitimate interest is one of the six legal bases for processing personal information. There has been some confusion about what might constitute a legitimate interest, though. And for the EDPB, fear that this has become a default selection companies select without sufficient thought or deliberation. Thus, these draft guidelines. In them, the EDPB provides a three-step approach to assess if a processing activity can be considered done for the company’s legitimate interest.

1. Establish that the use is legitimate. The EDPB recognized that there is no definition of this term in GDPR. Noting that there can be no “exhaustive list,” it gave three criteria for determining legitimacy: (a) the interest does not violate the law, (b) it is “clearly and precisely articulated,” and (c) it is real and not speculative. Additionally, any legitimate interest must be related to the business; sharing information with law enforcement, for example, might not be a legitimate interest related to the business. That said, the legitimate interest could relate to the business or a third-party. In such cases, the legitimate interest must relate to the business and not to strictly community interests. Finally, the draft guidelines offer examples of processing for legitimate use. These examples include using information for marketing or ensuring that a website continues to function properly. Other “legitimate use” examples included product improvement or assessing someone’s creditworthiness.
2. Determine if the processing is “necessary” for the legitimate interest. The draft guidelines reiterate that any processing in pursuit of legitimate interest must be strictly necessary to pursue that interest. It is not enough that the processing be “useful” to a business’ legitimate interest – the processing must be “necessary.” This means that a business must carefully consider the necessity of certain processing. If there are reasonable, less intrusive means of processing available, then the business cannot consider it necessary.
3. Balance business interests against the interest of individuals. Even if the first two criteria are met, a business’ legitimate interest does not automatically override the interests of individuals. Before concluding that the basis can be one of legitimate interest, businesses must balance their interests against the interests of individuals. To make the assessment, businesses should consider the impact of the processing on individuals. Businesses should also consider the reasonable expectations of individuals. The goal is not to avoid any impact, but instead disproportionate impact. If this factor falls in favor of the individual business can pursue means to mitigate any processing impacts. Otherwise, the company cannot process the data based on Article 6 of the GDPR.

The draft guidelines also explain how businesses should conduct this assessment in specific contexts. These include direct marketing. Also included are fraud prevention and information security.

Putting it into Practice: These guidelines offer a roadmap for companies to assess if they can rely on ‘legitimate interest” as their legal basis under GDPR. Included in the assessment is looking whether there were alternatives to the processing and that there is a real, and not speculative, need.

James O'Reilly also contributed to this article.

Listen to this post