Sunday, 13 October 2024

Latest Updates on The Legitimate Interest Ground for Processing Personal Data (Article 6(1)(f) of GDPR): the latest CJEU Case and EDPB New Guidelines

Aolan Li*

*The author is a third-year PhD candidate in Law at Queen Mary University of London. Her ongoing doctoral thesis research delves into the application of Article 6(1)(f) of GDPR from a comparative perspective. Email: aolan.li@qmul.ac.uk

Photo credit: TheDigitalArtist, via Wikipedia Commons


A positive spirit has spread among business-side stakeholders across the EU since the Court of Justice of the European Union (CJEU) published its preliminary ruling in the Koninklijke Nederlandse Lawn Tennisbond case (C-621/22) on 4 October 2024, where the court confirms a purely commercial interest could constitute a legitimate interest for processing personal data under Article 6(1)(f) of GDPR. Commentators go as far as to say - “what this means is that under the GDPR, your data can be used without your consent solely for a company’s commercial interests.”

That statement is a complete misunderstanding. The positive spirit should in any case have been dampened when, on 9 October 2024, the European Data Protection Board (EDPB) published its new guidelines on Article 6(1)(f) for public consultation (hereafter the new EDPB guidelines).

Bearing in mind the optimistic bubbles in the market, this piece sets out the EDPB’s stringent stance on the application of Article 6(1)(f) of GDPR, focusing on what has changed compared to the Article 29 Data Protection Working Party’s opinion on the legitimate interest ground under Directive 95/46/EC (hereafter the WP29 Opinion).

General remark

The newly published EDPB guidelines align with the WP29 Opinion on some basic points. First and foremost, the existence of a legitimate interest is not by itself sufficient to rely on Article 6(1)(f) of GDPR as a legal basis (this is why the statement quoted above is misleading), as there are three cumulative conditions for its application. Secondly, Article 6(1)(f) of GDPR should be used neither “by default” nor as a “last resort”. The open-ended nature of Article 6(1)(f) gives it a unique role in EU data protection law.

Not surprisingly, the new EDPB guidelines also substantially update the WP29 Opinion.

The update is partly attributable to judgments of the CJEU issued after the adoption of the WP29 Opinion, including Rīgas (Case C-13/16), Fashion ID (C-40/17), TK (C-708/18), MICM (C-597/19), Meta v Bundeskartellamt (C-252/21), SCHUFA Holding (Joined Cases C-26/22 and C-64/22), and the latest, Koninklijke Nederlandse Lawn Tennisbond (C-621/22). Many practical examples in the new guidelines mirror scenarios disputed in these cases. For instance, example 4 is analogous to Rīgas.

Building upon more detailed case law, the new EDPB guidelines are more logical and clearly articulated. Unlike the WP29 Opinion, the new guidelines make an effort to draw a clearer line between the six grounds for legitimising data processing under Article 6(1) of GDPR. The new guidelines also follow the now well-accepted three-step approach to applying Article 6(1)(f), which the CJEU established in its judgment in Rīgas.

The update also reflects the evolution of the law itself (GDPR vs the Data Protection Directive). GDPR has strengthened data subject rights. Of particular note is the improvement of the right to object (a specific right for processing based on Article 6(1)(e) and (f) of GDPR), as the burden of proof has been reversed onto the controller. GDPR and CJEU case law have also elevated the reasonable expectations of data subjects to a more significant position in determining the application of Article 6(1)(f) of GDPR. The new guidelines accordingly strengthen the position of data subjects.

Beyond following legislative developments and the CJEU’s case law, the EDPB adds its own understanding in order to narrow the scope of Article 6(1)(f) of GDPR; this is why I describe the EDPB’s stance as stringent. The next part discusses this in more detail.

Overall, the new guidelines have been compiled from rich and up-to-date sources and provide much more nuanced interpretations of Article 6(1)(f) of GDPR. However, one might lament that Part IV of the new guidelines hesitates to address the application of Article 6(1)(f) of GDPR in more complicated and controversial contexts. For example, its application in the credit scoring industry is a real-world need, as SCHUFA Holding demonstrates. The guidelines are, moreover, silent on applying Article 6(1)(f) of GDPR in AI-related scenarios.

The text below addresses the substantive content of Article 6(1)(f) of GDPR. It does not attempt to summarise the 37-page guidelines in full. Instead, it aims to highlight the stringent stance of the new guidelines, read together with the Koninklijke Nederlandse Lawn Tennisbond case.

The Three Steps Approach

As mentioned above, three cumulative conditions must be fulfilled to rely on Article 6(1)(f) of GDPR as a legal basis. Together they are called the three-step approach: 1) the pursuit of a legitimate interest by the controller or by a third party; 2) the need to process personal data for the purposes of the legitimate interest(s) pursued; 3) the interests or fundamental freedoms and rights of the data subjects concerned do not take precedence over the legitimate interest(s) of the controller or of a third party (the new EDPB guidelines, p 2).

For the first step, the new guidelines narrow the scope of interests that may be invoked as the controller’s own and disentangle third parties’ interests from wider public interests.

As has been widely reported, the qualifier “legitimate” is interpreted broadly, covering any interest that is not contrary to the law (Koninklijke Nederlandse Lawn Tennisbond, para 49).

However, drawing on the CJEU judgment in Meta v Bundeskartellamt, the new guidelines specify that “as a general rule, the interest pursued by the controller should be related to the actual activities of the controller” (the new EDPB guidelines, para 19). This means that, within the meaning of Article 6(1)(f) of GDPR, a controller whose activity is economic and commercial in nature may only pursue economic and commercial interests of its own.

Other legitimate but non-economic or non-commercial interests might instead fall within the scope of the interest(s) pursued by a third party. The new guidelines clarify that the controller needs to demonstrate that the legitimate interest(s) are pursued by one or more specific third parties (paras 20-25) and should not be confused with broader public interests, even though the two can overlap, as seen in SCHUFA Holding.

Remarkably, the new EDPB guidelines indicate that relying on the interest(s) pursued by a third party in the first step generally makes it more difficult to pass the latter two steps (the necessity and balancing tests) than relying on the controller’s own interests (para 30).

For the second step, the processing must be necessary for the purposes of the interest identified in the first step; this is the necessity test. The concept of necessity has its own free-standing meaning in EU law. The controller must demonstrate that there are no other reasonable, equally effective but less intrusive alternatives for achieving the legitimate interests pursued.

Although the new EDPB guidelines give no example, the CJEU judgment in Koninklijke Nederlandse Lawn Tennisbond describes a least intrusive scenario in the direct marketing context. In brief, without asking for consent, a Dutch sports federation (KNLTB) sold its members’ personal data to its sponsors for the latter’s marketing purposes. The court considers it possible for KNLTB “to inform its members beforehand and to ask them whether they want their data to be transmitted to those third parties for advertising or marketing purposes” (para 51). The court considers that such a procedure would involve the least intrusion into data subjects’ rights and would comply with the data minimisation principle. As explained below, the proposed approach resonates with the right to object and with controllers’ notification obligations.

For the third step, the balancing test weighs the rights and interests on the controller’s side against those on the data subject’s side. The controller needs to ascertain, on a case-by-case basis, that the processing at issue would not disproportionately impact the data subject’s rights and interests.

The improved position of data subjects can be observed directly by comparing the structure of the balancing test in the new EDPB guidelines with that in the WP29 Opinion (see the comparison below).

Methodology for the balancing test under the new EDPB guidelines:

1) The data subjects’ interests, fundamental rights and freedoms.

2) The impact of the processing on data subjects, including:

-          The nature of the data to be processed;

-          The context of the processing;

-          Any further consequences of the processing.

3) The reasonable expectations of the data subject.

4) The final balancing of opposing rights and interests, including the possibility of further mitigating measures.

Methodology for the balancing test under the WP29 Opinion:

1) Assessing the controller’s legitimate interest:

-          Exercise of a fundamental right;

-          Public interests/the interests of the wider community;

-          Other legitimate interests;

-          Legal and cultural/societal recognition of the legitimacy of the interests.

2) Impact on the data subjects:

-          Assessment of impact;

-          Nature of the data;

-          The way data are being processed;

-          Reasonable expectations of the data subject;

-          Status of the data controller and data subject.

3) Provisional balance.

4) Additional safeguards applied by the controller to prevent any undue impact on the data subjects.


Although most of the content carries over, some points stand out.

Firstly, the reasonable expectations of the data subject have been elevated to an independent element. This goes beyond the controller’s notification obligation and emphasises the data subject’s genuine understanding; as the new EDPB guidelines put it, more than the mere fulfilment of Articles 12, 13 and 14 is needed to conclude that the data subject can reasonably expect the processing in question (para 53).

Secondly, the mitigating measures, whether technical or organisational, within the meaning of Article 6(1)(f) of GDPR must go beyond the principles and obligations already set out in the GDPR. In this sense, the new EDPB guidelines encourage controllers who intend to rely on Article 6(1)(f) of GDPR to pursue a higher level of personal data protection than their legal obligations require.

Data subject rights

A comprehensive review of the enhanced data subject rights under the GDPR goes beyond the subject matter of this piece. Returning to the least intrusive approach proposed in Koninklijke Nederlandse Lawn Tennisbond, this part sets out the significance of controllers’ notification obligations and data subjects’ right to object in the context of Article 6(1)(f) of GDPR.

The court considers that KNLTB can inform its members beforehand. KNLTB’s notification obligations are set out in Articles 13 and 14 of GDPR. Its members (the data subjects) should be informed about, among other things, the legal basis of the processing, the specific legitimate interests pursued by KNLTB or its sponsors, and their rights as data subjects. According to Article 13(3), KNLTB should inform the members concerned prior to any further processing.

The court also considers it good practice for KNLTB to ask the members concerned whether they want their data transmitted to third parties for advertising or marketing purposes. One might find the reintroduction of “consent” into the assessment of Article 6(1)(f) of GDPR odd. In fact, the “ask” is better understood as informing the members concerned of their right to object under Article 21 of GDPR.

The right to object to direct marketing based on Article 6(1)(f) of GDPR is absolute. In other cases, however, the controller may have compelling legitimate grounds to override the objection. This involves a further balancing test to determine whether the controller has such a compelling legitimate ground. Unlike under Directive 95/46, the burden of proof is on the controller.

The new EDPB guidelines promote the view that the controller’s compelling legitimate grounds can be recognised only in exceptional cases. The controller cannot circumvent the right to object merely by showing that the processing would be beneficial to it. Rather, “compelling” is understood as meaning essential to the controller.

From this standpoint, the right to object has been improved in favour of the data subject and is not much inferior to the right to withdraw consent.

Concluding remarks

In conclusion, while the CJEU’s preliminary ruling in the Koninklijke Nederlandse Lawn Tennisbond case initially sparked optimism among business stakeholders by holding that purely commercial interests could qualify as legitimate under Article 6(1)(f) of the GDPR, this enthusiasm is misplaced. The EDPB’s new guidelines, currently under public consultation, adopt a more restrictive interpretation of the legitimate interest ground than the earlier WP29 Opinion, reinforcing the need for careful application and a balanced approach to personal data protection. This piece calls for a reassessment of GDPR compliance, in particular by controllers relying on legitimate interest as their main legal basis.
