“Legitimate Interest” Under the GDPR
In our last blog post, we described generally the European Union’s new data privacy regulation that has everyone talking: The General Data Protection Regulation (“GDPR”). Under the GDPR, a company cannot process personal data unless it can provide a legal basis for doing so. If your company processes the personal information of people residing in the EU, you should be thinking about which of the six legal bases apply to your company. In brief, the choices are: consent, contractual, legal obligation, vital interest, public interest, or legitimate interest. Arguably the broadest and most flexible of these bases is the so-called “legitimate interest” basis, which creates a balancing test between the company’s legitimate interest and the data subject’s interest, fundamental rights, or freedoms. The company’s interests have to be clearly articulated before the balancing test is applied and the company’s current activities must also reflect the interest. Children’s personal data is subject to heightened protection.
Under the balancing test, less pressing interests include data processing to maximize marketing and advertising or to create some sort of internal watchlist. Investigating government corruption, by contrast, is sufficiently compelling to prevail. For a company’s legitimate interest to prevail, the data processing must be “necessary” and “proportionate.” One example of the legitimate interest basis in action might occur at a hotel. A hotel will monitor a guest’s use of their key card throughout the guest’s stay. By monitoring this data, the hotel is better able to manage guest security. Processing this information is both necessary and proportionate.
The second half of the balancing test focuses on the interests and rights of the data subject. This part of the balancing test provides more protection for the data subject because it requires the subject’s interests to be accounted for – not just his or her freedoms and rights. This is different from the company’s interest. Unlike the company’s interest, the data subject’s interest need not be “legitimate” under the plain language of Article 6(1)(f). A company may run afoul of the GDPR even when processing data of individuals engaged in illegal activities if the interference with their rights and interests is disproportionate. Supplying a criminal’s name to the proper authorities is likely proportional under the test; publishing his/her name on the internet, however, is not.
When balancing the spectrum of interests and rights at stake, the measures a company takes to comply will help ensure the company meets the requirements of the GDPR. You should keep a few things in mind if your company intends to process personal data using the legitimate interest basis. First, be sure to document your analysis of why legitimate interest is the correct legal basis. Next, tell your customers why you’re processing their personal data. The policy announcement should include the purpose for processing their data, explain why legitimate interest is the lawful basis for your data processing, and summarize what the relevant interests are. A company seeking to rely on the legitimate interest basis should be able to show that any negative impact on the data subject has been reduced or mitigated.
Although the legitimate interest basis is simpler than gaining consent, it still requires effort from a company to look at its activities as objectively as possible. For more information on what your company should do to be ready for the GDPR implementation, you can find checklists here and here.