The Nigeria Data Protection Act, 2023 ("NDPA" or the "Act") aims to establish a stable, uniform and conducive regulatory framework for individuals and organisations involved in data processing operations, either as businesses dealing with personal information of natural persons within their target markets ("entities") or as clients and prospects of the various businesses ("data subjects").
Legitimate interest is one of the lawful bases recognized under the NDPA for which entities may process personal data. This is a recent development as Legitimate Interest was not among the five lawful bases recognized under the Nigeria Data Protection Regulation ("NDPR") for processing of personal data. The inclusion of legitimate interest by the NDPA brings the country's data processing regime in line with international best practices and increases the lawful bases for processing of personal data from five to six.
What does legitimate interest mean, and what factors would make it an appropriate basis for processing personal data as opposed to other lawful bases? How does it compare to these other bases? Are there circumstances where it would override data subjects' rights under the Act? This article sheds more light on the delicate balance between legitimate interest and other lawful bases and data subject rights. The primary focus is on understanding the valid utilization of legitimate interest by entities which typically function as data controllers or data processors.
Understanding Legitimate Interest
"The Working Party On The Protection Of Individuals With Regard To The Processing Of Personal Data", a body set up by the European Parliament in the wake of the adoption of the European Union's General Data Protection Regulation ("GDPR"), defines interest as the broader stake that a controller may have in the processing, or the benefit that the controller derives (or that society might derive) from the processing of personal data. Therefore, the notion of legitimate interest could include a broad range of interests, whether trivial or very compelling, straightforward or more controversial. More precisely, an interest can be considered legitimate if the controller can pursue it in a way that is in accordance with data protection law and other relevant legislation.1
According to Article 6(1)(f) of the GDPR, legitimate interest provides organizations with a lawful basis to process personal data when such processing is necessary for the organisations' legitimate interests or those of a third party, except where such interests are overridden by the interests, rights, or freedoms of the data subject. The notion of legitimate interest enables companies to process data for specific purposes without explicit consent, reducing administrative burden and streamlining data management processes.
While the Nigeria Data Protection Commission ("NDPC") is yet to prescribe the definition of 'legitimate interest', the Act informs the reader of what a legitimate interest is not. In this sense, the Act provides that interests in personal data processing shall not be legitimate where:
- they override the fundamental rights, freedoms, and the interests of the data subject,
- there is incompatibility with the other lawful bases of processing (except consent),
- the data subject does not reasonably expect that his data will be processed in the manner/operation envisaged.
Naturally, these provisions align with the provisions of the globally referenced GDPR, which provides that data controllers or third parties may adopt the legitimate interest basis, but only in instances where there will be no contravention of the rights and freedoms of data subjects (especially where the data subject in question is a child).2
The GDPR goes further to highlight some categories of processing that may be considered legitimate interest, such as fraud prevention, network security, information protection, and the indication of possible criminal acts that may threaten public security. Processing employee or client data, direct marketing and intra-group administrative transfers may also be considered legitimate interest. From this, we can see that legitimate interest cuts across a variety of commercial and organizational operations and interests, while also prioritizing certain societal benefits.
The Balancing Act in Adoption of Legitimate Interest
From the foregoing, there is obviously a temptation to rely on legitimate interest, as it appears to allow the data controller/processor to avoid the strict limitations of the other lawful bases for processing personal data. However, in adopting legitimate interest, balancing legitimate interest against other legal bases is critical to complying with data protection and privacy obligations. While legitimate interest offers flexibility for data processing without explicit consent, it must be weighed against alternative legal bases to ensure that data subjects' rights are respected.
In addition, necessary steps must be taken to ensure that the rights of the data subjects are protected. Essentially, striking the right balance between legitimate interest and safeguarding data subject rights is an ongoing challenge for controllers/processors. While this legal basis offers flexibility for businesses, it must be employed carefully, responsibly, and with due regard for the fundamental rights and freedoms of individuals.
Therefore, when relying on legitimate interest, organizations should carefully consider how data subject rights could be affected. While legitimate interest may justify data processing, it does not override the rights of data subjects. If data subjects' rights and freedoms outweigh the organization's legitimate interest, then the processing activity must be halted.
The NDPA does not prescribe the process to be followed when there is a legitimate interest that overrides the rights of a data subject, nor how any damage suffered by the data subject in this instance could be remedied. It is expected that the much-anticipated regulation by the NDPC under section 61(2)(b) of the NDPA will address this. While we await the regulation, which is expected to, amongst other issues, prescribe the applicable criteria for identifying or qualifying legitimate interests, the directives of the Information Commissioner's Office (ICO), United Kingdom, prove helpful. The ICO prescribes a three-step test that can be conducted to determine if there exists an unassailable 'legitimate interests' basis for processing personal data:
- Purpose Test: are you pursuing a legitimate interest? – Under this test, the entity is advised to conduct a motive check on why it wants to process the data, what it wishes to achieve with the processing, as well as who stands to benefit from the processing venture.
- Necessity/Proportionality Test: is the processing necessary for that purpose? – This test requires data controllers and processors to determine whether the use of legitimate interest as a basis for processing data is the most appropriate, or whether there are safer or less intrusive alternative bases available. Data controllers are required to establish that the processing of personal data is essential for achieving the specified purpose, and that the data collected directly contributes to, and is indispensable for, fulfilling the intended objective. Data controllers must assess whether the data processing is proportionate to the purpose pursued; in other words, whether there are less intrusive means to achieve the same goal and whether the benefits of the data processing outweigh any potential risks to individuals' rights and freedoms.
- Balancing Test: do the individual's interests override the legitimate interest? – This test demands a thorough and objective evaluation of the potential impact that the data processing may have on data subjects' fundamental rights and freedoms. It requires entities to weigh the identified interests, side by side, against the fundamental rights of the data subjects, ensuring that their processing operations will not have negative impacts on the rights of the data subjects concerned. It is therefore crucial to undertake a Data Privacy Impact Assessment ("DPIA") to assess the potential risks and harms that data subjects may face. If the data processing substantially infringes upon individuals' privacy or other rights, the legitimate interest argument may not hold.
Finding the right balance between legitimate interest and data subject rights is a complex, yet crucial, task for businesses. Careful consideration of alternative lawful bases, alongside a comprehensive assessment of the impact on data subject rights, is necessary to ensure compliance with data protection law and regulations and to maintain trust with customers and clients. Emphasizing transparency and open communication with data subjects can foster understanding and cooperation, allowing organizations to navigate the intricacies of data processing while respecting individual privacy and autonomy. In our view, organizations looking to strike the right balance should endeavor to carry out a Legitimate Interest Assessment ("LIA"), as proof that the decision to process personal data has been subjected to, and has passed, the necessary tests. An LIA entails the proper documentation of the justification for relying on this basis. The LIA report should capture the relationship between the controller and the data subject, the sensitivity of the data involved, and the individual's vulnerability and reasonable expectations, among other factors. This is essential because, where the logic of a data processing exercise is challenged by the data subject or the NDPC, the entity may rely on the assessment report to discharge its duty of care.
Also, unless entities are totally confident of a compelling reason which justifies the risks and impact on the data subjects, it is advisable that they avoid adopting legitimate interest as a basis for processing personal data. Legitimate interest as a lawful basis is not absolute, as data subjects reserve the right under the Act to object to the processing of their personal data and to request that further processing be discontinued in certain instances. It is important for Data Protection Officers in the various organisations that process personal information of clients and prospects to fully understand the balancing strategy, to prevent straying beyond the permissible areas afforded by legitimate interest. This is crucial, given the stringent penalties for infringements under the NDPA.
1. Article 29 Data Protection Working Party, Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller under Article 7 of Directive 95/46/EC (844/14/EN WP 217).
2. Article 6(1)(f) of the GDPR. See also Recitals 47, 48 and 49 of the EU GDPR.