EU data protection experts: "Legitimate interest" is not a panacea

The European Data Protection Board has drawn up guidelines for "legitimate interests". Personal information can be evaluated on this basis.


The much-vaunted "legitimate interest" is not recommended as a last resort for collecting and processing personal information. This was clarified by the European Data Protection Board (EDPB) in its guidelines on the interpretation of Article 6 of the General Data Protection Regulation (GDPR) published on Wednesday. In principle, data controllers require a legal basis for the lawful use of personal data. Legitimate interest is one of six possible legal bases, alongside informed consent. However, what is covered by this has been hotly disputed for years. Those responsible often rely on this "legitimation" when they can think of nothing else. WhatsApp, for example, switched from "compulsory consent" to "legitimate interest" last year.

The EDPB wants to provide clarity with its guidelines on "legitimate interest", which interested parties can still comment on until November 20 as part of a public consultation. In order to be able to invoke a legitimate interest, the data controller must meet several conditions at the same time, the data protection experts emphasize. The necessity of processing information to pursue relevant interests must be proven. Furthermore, the interests or fundamental freedoms and rights of the individual must not take precedence over the legitimate interests of the controller or a third party, meaning that a careful balance must be struck in each case.

Interests can only be considered legitimate if they are "legitimate, clearly and precisely formulated, real and present", explains the EDPB. This can be assumed, for example, if both parties are in a customer or employment relationship. On the other hand, processing cannot be considered necessary "if there are reasonable, equally effective but less intrusive alternatives to achieve the interests pursued". The principle of data minimization must also be examined. Ultimately, the impact of data processing on the "reasonable expectations" of data subjects and the potential use of additional protective measures must be taken into account.

A proper assessment of the safeguarding of rights under the relevant GDPR clause "is not a simple matter", the committee emphasizes. It walks through what this could look like in practice in a number of specific contexts such as fraud prevention, information security and direct marketing. The scope for targeted advertising is already limited by the fact that the ePrivacy Directive generally requires consent, it says. The balancing test for "intrusive profiling and tracking practices" that track individuals across multiple websites, locations, devices or services is also "unlikely to yield positive results". Federal Data Protection Commissioner Louisa Specht-Riemenschneider hopes that the information will provide "more legal certainty".

The EDPB has also commented on the planned mini-reform to improve enforcement of the GDPR. In principle, it welcomes proposals to allow the lead data protection authority to largely decide on its own in simple and straightforward cases. At the same time, Federal Economics Minister Robert Habeck (Greens) expressed his criticism of federalism in safeguarding privacy in his autumn projection of German economic performance. "We need to drastically reduce data protection bureaucracy in particular," he demanded.

The responsibility of 17 data protection authorities in Germany alone is often a hurdle for science and business that prevents innovation. According to Habeck, it is necessary for individual countries to take the lead for certain topics. Otherwise, companies would have to renegotiate "how they can use anonymized data" every time. At present, too often "the treasures are gathered elsewhere", while "we in Europe lock away our nuggets virtually unprocessed". However, the GDPR does not apply to anonymized data from machines; in principle, they can be processed freely.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.