ARTICLE
12 November 2024

How Legitimate Is Your Business Interest? The EDPB Has Some Thoughts

Sheppard Mullin Richter & Hampton

The European Data Protection Board issued draft guidelines last month that outline when processing can be considered done for "legitimate interest." The public has until November 20 to provide comments to the draft.

As most know, under GDPR, legitimate interest is one of the six legal bases for processing personal information. There has been some confusion about what constitutes a legitimate interest, though, and the EDPB fears that it has become a default basis that companies select without sufficient thought or deliberation. Hence these draft guidelines. In them, the EDPB provides a three-step approach to assess whether a processing activity can be considered done for the company's legitimate interest.

  1. Establish that the use is legitimate. The EDPB recognized that there is no definition of this term in GDPR. Noting that there can be no "exhaustive list," it gave three criteria for determining legitimacy: (a) the interest does not violate the law, (b) it is "clearly and precisely articulated," and (c) it is real and not speculative. Additionally, any legitimate interest must be related to the business; sharing information with law enforcement, for example, might not be a legitimate interest related to the business. That said, the legitimate interest may be that of the business or of a third party; in either case it must relate to the business and not to strictly community interests. Finally, the draft guidelines offer examples of processing for legitimate use. These examples include using information for marketing or ensuring that a website continues to function properly. Other "legitimate use" examples include product improvement and assessing someone's creditworthiness.
  2. Determine if the processing is "necessary" for the legitimate interest. The draft guidelines reiterate that any processing in pursuit of a legitimate interest must be strictly necessary to pursue that interest. It is not enough that the processing be "useful" to a business's legitimate interest; the processing must be "necessary." This means that a business must carefully consider the necessity of any given processing. If reasonable, less intrusive means of processing are available, then the business cannot consider the processing necessary.
  3. Balance business interests against the interests of individuals. Even if the first two criteria are met, a business's legitimate interest does not automatically override the interests of individuals. Before concluding that the basis can be legitimate interest, businesses must balance their interests against the interests of individuals. To make the assessment, businesses should consider the impact of the processing on individuals. Businesses should also consider the reasonable expectations of individuals. The goal is not to avoid any impact, but to avoid disproportionate impact. If this factor falls in favor of the individual, the business can pursue means to mitigate any processing impacts. Otherwise, the company cannot process the data on the basis of legitimate interest under Article 6 of the GDPR.

The draft guidelines also explain how businesses should conduct this assessment in specific contexts, including direct marketing, fraud prevention and information security.

Putting it into Practice: These guidelines offer a roadmap for companies to assess whether they can rely on "legitimate interest" as their legal basis under GDPR. The assessment includes looking at whether there were alternatives to the processing and whether there is a real, and not speculative, need for it.
