Doing the triple test to evaluate the legitimate interests under the GDPR

Using ‘legitimate interests’ as a legal basis is fraught with risks. Many data controllers tend to rely on this legal basis in situations where it is not applicable, such as when consent is explicitly required! This can lead to the risk of fines—as evidenced by the Facebook (Meta) case, which resulted in a €390 million penalty for misusing legitimate interests due to misuse of legitimate interests.

For legitimate interests to be validly used, it is necessary to conduct and pass a triple test to ensure the legality of relying on Article 6.1.f. It’s important to note that when using legitimate interests, consent from individuals before processing their data is not required! Thus, this legal basis potentially opens the door to abuses, which is exactly what the triple test aims to prevent and eliminate.

Let’s delve into this in detail!

1. The Legal Basis of “Legitimate Interests”

Article 6, paragraph 1(f) of the GDPR states:

“1. Processing shall be lawful only if and to the extent that at least one of the following applies: (…) f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject requiring protection of personal data, particularly when the data subject is a child.”

This explicitly means that a data controller (DC) can collect and process personal data without obtaining consent from individuals if they believe it is legitimate to do so. This is an important element to consider as the controller will not ask permission from the data subjects to process their data, opening the possibility of abuses. With this groundwork laid, we can immediately see how situations might spiral out of control, which is why the GDPR imposes conditions for legitimate interests to be validly invoked. The triple test is structured as follows:

• A purpose test: does the controller truly have a legitimate interest?
• A necessity test: is the data processing genuinely necessary?
• A balancing test: do the individual’s interests prevail over the controller’s legitimate interest?

The french CNIL highlights that “this legal basis concerns processing implemented by private entities that do not significantly infringe on the rights and interests of the concerned individuals.”

2. Examples of Legitimate Interests

Interestingly, the GDPR itself provides a series of examples of interests considered legitimate (recitals 47, 48, and 49):

• fraud prevention
• ensuring the security of network and information systems broadly (see recital 49 for detailed discussion)
• commercial prospecting

The European Commission also reminds us that “Your company/organization has a legitimate interest when the processing occurs within the framework of a client relationship, when processing personal data for prospecting purposes, to prevent fraud, or to ensure the security of network and information systems.”

Analyzing recital 49 of the GDPR, we observe that data processing conducted to ensure the security of information systems, based on legitimate interest, has been extensively mentioned: “The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e., the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, as well as the security of the related services offered or made accessible via these networks and systems, by public authorities, computer emergency response teams (CERT), computer security incident response teams (CSIRT), providers of electronic communications networks and services, and providers of security technologies and services, constitutes a legitimate interest of the controller concerned. It might, for instance, involve preventing unauthorized access to electronic communications networks and the distribution of malicious code, and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

3. No Legitimate Interest for Public Authorities

It’s important to note that the legal basis of legitimate interests is not applicable to public authorities; recital 47 explains why: “Given that it is up to the legislator to provide by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities in the performance of their tasks.”

4. How to Conduct the Triple Test

The triple test must be conducted and documented in the processing register to ensure that the organization’s use of the legal basis complies with GDPR requirements. Three key steps must be taken:

4.1 Identify the Interests of the Controller or a Third Party and Their Legitimacy

Initially, it is crucial to clearly identify the interests and objectives pursued by the controller or a third party for which the processing is carried out. Questions to consider include:

• Why is the processing being carried out?
• What benefits are expected from the processing?
• Who benefits from the processing?
• What would be the impact if the organization could not implement the processing?

Recital 47 is helpful in this analysis: “The existence of a legitimate interest would need careful assessment, particularly to determine whether a data subject can reasonably expect at the time and in the context of the collection of personal data that processing for that purpose may take place.” In the context of a commercial relationship, it is useful to consider the reasonable expectations of individuals regarding the processing of their data, such as in B2B scenarios where a client of a company can reasonably expect to be contacted by email for a commercial proposal related to an ancillary service.

The french CNIL states that "an entity’s interest can be presumed legitimate if the following three conditions are met:

• the interest is clearly lawful according to the law;
• it is sufficiently clear and precise;
• it is actual and present for the concerned entity, and not fictitious."

4.2 The Necessity Condition

The organization must then ensure that the processing is necessary (cf. Art. 6: “the processing is necessary for the purposes of the legitimate interests”). This condition can be broken down into two parts:

• Firstly, verify that the processing indeed helps achieve the stated objective, and not in reality other aims. This condition is often problematic in cases where the organization claims to collect data for one purpose, while in reality, it uses this data for entirely different purposes. It’s vital to be vigilant here, as this poses a real and significant risk of deviation.
• Secondly, ensure that there is no less intrusive way to achieve the same objective. Questions to ponder include:

Will this processing genuinely help the organization achieve the initially stated objective?

• Is the processing proportional to this objective?
• Is it possible to achieve the same objective without processing?
• Is it possible to achieve the same objective by processing less data, or in a less intrusive manner (also see the principle of data minimization)?

4.3 The Balancing test

The details of Article 6 must be revisited to understand the balancing test. Indeed, the legitimate interests of the controller may justify this legal basis “unless the interests or fundamental rights and freedoms of the data subject that require protection of personal data prevail.”

The balance is thus established: the controller’s interests cannot override the interests, liberties, or fundamental rights of the individual concerned.

Recital 47 further elaborates on this balancing condition:

• “unless the interests or the fundamental rights and freedoms of the data subject prevail, considering the reasonable expectations of data subjects based on their relationship with the controller;”
• “The existence of a legitimate interest must be carefully assessed, particularly to determine whether a data subject can reasonably expect, at the time and in the context of the collection of personal data, that it may be processed for a given purpose;”
• “The interests and fundamental rights of the data subject might, in particular, prevail over the interest of the controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.”

The reasonable expectations of data subjects “reasonable expectations of data subjects based on their relationship with the controller” - are thus crucial elements to consider.

The CNIL notes that “the entity must balance, weigh the rights and interests at stake, and verify within this framework that the interests (commercial, security of property, fraud prevention, etc.) it pursues do not create an imbalance to the detriment of the rights and interests of the persons whose data are processed.” Furthermore, “the entity must first identify all types of consequences its processing may have on the concerned individuals: on their privacy but also, more broadly, on all rights and interests covered by data protection.” Then, “the entity must take into account, in the balance between its legitimate interest and the rights and interests of the people, their ‘reasonable expectations’.”

Additional questions to clarify these aspects include:

General context of processing:

• Are there data referred to in articles 9 or 10?
• Are these data likely to be considered particularly ‘private’ or sensitive by individuals?
• Are children, minors, or vulnerable individuals’ data processed?
• Is data related to individuals’ personal or professional capacity processed?

The relationship with concerned individuals:

• Is there a relationship with the individual?
• What is the nature of this relationship, and how has data been used in the past?
• Was data collected directly from individuals?
• What information were they given?
• How long ago was the data collected? Have there been technological or contextual changes since that would affect expectations?