The concept of ‘legitimate interests’ as a legal basis under the General Data Protection Regulation (GDPR) is often misunderstood and misapplied, leading to unnecessary legal risks. This is evident in cases such as the notable sanction against Facebook (now Meta), which faced a fine of 390 million euros for [improper application of legitimate interests (European Court of Justice decision)](https://curia.europa.eu/juris/document/document.jsf?text=&docid=275125&pageindex=0&doclang=fr&mode=req&dir=&occ=first&part=1&cid=1652408).
To appropriately invoke legitimate interests under Article 6(1)(f) of the GDPR, it is imperative to conduct a thorough triple test. This test ensures the legality of processing activities under the specified legal basis and aims to prevent potential abuses, especially since obtaining explicit consent from data subjects is not required in this context.
According to Article 6(1)(f) of the GDPR:
“The processing is lawful only if and to the extent that at least one of the following applies: f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child.”
This provision allows data controllers to collect and process personal data without obtaining consent, provided they have a legitimate reason to do so. However, to prevent potential misuse, the GDPR adds further requirements for invoking legitimate interests. These are encapsulated in the following triple test:
The French Data Protection Authority (CNIL) emphasizes that this legal basis is applicable to processing activities by private entities that do not significantly harm the rights and interests of the data subjects ([CNIL Guidelines](https://www.cnil.fr/fr/les-bases-legales/interet-legitime)).
The GDPR provides specific instances where legitimate interests can be considered a valid legal basis for data processing. These examples, highlighted in Recitals 47, 48, and 49 of the GDPR, include:
The European Commission further clarifies that legitimate interests may be applicable when processing occurs in the context of a customer relationship, for purposes such as marketing, fraud prevention, or ensuring the security of network and IT systems.
If we analyze Recital 49 of the GDPR, we observe that processing carried out to ensure the security of information systems, based on legitimate interest, is addressed explicitly: “The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring the security of the network and information, that is, the ability of a network or an information system to withstand, at a given level of confidence, accidental events or illegal or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, as well as the security of the related services offered or made accessible via these networks and systems, by public authorities, Computer Emergency Response Teams (CERT), Computer Security Incident Response Teams (CSIRT), providers of networks and electronic communications services, and providers of technology and security services, constitutes a legitimate interest of the data controller concerned. This could involve, for example, preventing unauthorized access to electronic communication networks and the distribution of malicious code, stopping ‘denial of service’ attacks, and addressing damage to computer and electronic communication systems.”
It is important to remember that the legal basis of legitimate interests cannot be used by public authorities; Recital 47 explains why: “Considering that it is the responsibility of the legislator to provide by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities in the performance of their tasks.”
Firstly, it is necessary to clearly identify the interests and objectives of the data controller or third party under which the processing is operated. The following questions can be asked:
Recital 47 is useful in this analysis: “The existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.” In the context of a business relationship, it is useful to consider the reasonable expectations of individuals regarding the processing of their data. For example, in a B2B context, it is reasonable for a customer of a company to expect to be contacted by email for a commercial proposal related to an ancillary service.
The French CNIL indicates that “the interest pursued by an entity can be presumed if the following 3 conditions are met:
The organization must then ensure that the processing is necessary (see Art. 6: “the processing is necessary for the purposes of legitimate interests”).
This condition can be broken down into two points:
On one hand, it is necessary to verify that the processing actually achieves the intended purpose, rather than serving other objectives. This condition often poses problems in cases where an organization claims to collect data for one purpose, while in reality, it uses the data for entirely different purposes. Attention must be paid to this as it represents a real and significant risk of deviation. On the other hand, it is necessary to ensure that there is no less intrusive means of achieving the same objective than implementing the processing. Therefore, the following questions can be asked:
The fundamental interests and rights of the data subject could, in particular, prevail over the interest of the data controller when personal data are processed in circumstances where data subjects do not reasonably expect further processing.
Generally, “necessary” means that the processing must be a targeted and proportionate means of achieving the stated objective. Again, the legal basis of legitimate interests cannot be relied upon if there is another reasonable and less intrusive means to achieve the same result.
To understand the balancing test, we need to revisit Article 6. Indeed, the legitimate interests of the data controller (DC) may justify this legal basis “unless the interests or fundamental freedoms and rights of the data subject that require protection of personal data prevail.”
Thus, a balance is established: the interests of the DC cannot override the interests, freedoms, or fundamental rights of the data subject.
Recital 47 adds further elements to the analysis of this balancing condition:
The reasonable expectations of the data subjects, in the words of the Recital the “reasonable expectations of data subjects based on their relationship with the controller”, are thus essential elements to consider.
The CNIL states that “the entity must therefore strike a balance, a weighing of the rights and interests at stake, and verify in this context that the interests (commercial, security of goods, fraud prevention, etc.) it pursues do not create an imbalance to the detriment of the rights and interests of the individuals whose data is processed.” Then “the entity must first identify all kinds of consequences that its processing may have on the data subjects: on their privacy but also, more broadly, on all the rights and interests covered by the protection of personal data.” Finally, “The entity must then take into account, in the weighting between its legitimate interest and the rights and interests of the persons, their ‘reasonable expectations’.”
A series of questions can be posed to clarify these aspects:
General Context of Processing
Relationship with the Data Subjects
The aforementioned Article 6.
Recital 47 “The legitimate interests of a data controller, including those of a data controller to whom personal data may be disclosed, or of a third party, may constitute a legal basis for processing, unless the interests or fundamental rights and freedoms of the data subject prevail, taking into account the reasonable expectations of the data subjects based on their relationship with the data controller. Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the data controller in situations such as where the data subject is a client of the data controller or is in the service of the data controller. In any case, the existence of a legitimate interest should be subject to careful assessment, particularly to determine whether a data subject can reasonably expect, at the time and in the context of the collection of personal data, that it may be processed for a particular purpose. The interests and fundamental rights of the data subject may, in particular, prevail over the interest of the data controller when personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is the responsibility of the legislator to provide by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities in the performance of their tasks. The processing of personal data strictly necessary for fraud prevention purposes also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as being carried out for a legitimate interest.”
Recital 48 “Controllers that are part of a group of undertakings, or institutions affiliated with a central body, may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of personal data of clients or employees. The general principles for the transfer of personal data, within a group of undertakings, to an enterprise in a third country remain unaffected.”
Recital 49 “The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e., the ability of a network or an information system to withstand, at a given level of security, accidental or unlawful events that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, as well as the security of the related services offered or made accessible via these networks and systems, by public authorities, Computer Emergency Response Teams (CERT), Computer Security Incident Response Teams (CSIRT), providers of networks and electronic communication services, and providers of technology and security services, constitutes a legitimate interest of the data controller concerned. This could involve, for example, preventing unauthorized access to electronic communication networks and the distribution of malicious code, and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”