Chapter III – Legitimate Interest and the Media

1. Legitimate Interests

42 COMANDÉ, Giovanni; Elgar Encyclopedia of Law and Data Science; Edward Elgar Publishing; 2022; pg. 209.

1.1 The concept of legitimate interest

“(…) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”43

The concept of legitimate interest can be seen as “ambiguous and controversial”44: there is no clearly delimited scope of what can and cannot be deemed a legitimate interest, a matter which will be studied in depth in this Chapter.

The idea of legitimate interest was not new to data protection legislation, having been present in Art. 7 of the DPD. It has no direct definition, which can be somewhat understood given the several stances it can take within law; put plainly, it refers to a range of interests that can be beneficial to one or more parties when processing data.

It can be found in two instances in the GDPR:

1) In Art. 6, Nr. 1, Al. f) – as a basis for lawfulness;

2) In Art. 49, Nr. 1, Subparagraph 2 – as an exception when transferring personal data from the EU to a third country.

This concept is one of the most important in the GDPR, as it works as an exclusion, and it must be carefully pondered and documented to be compliant, all the more so because it is easily used, and usable, as an excuse and not only as a founded exclusion.

Article 6 Nr.1 f) demands a careful interpretation as it holds more depth to it than it might appear. This principle demands a carefully placed balance between the interests of the controller/third party and those of the data subject, resulting in a three-point analysis of (a) necessity, (b) the actual existence of a legitimate interest and (c) consideration:

43 Art. 6, Nr. 1, f) of the GDPR, emphasis added.

44 CAREY, Peter; Data Protection – A Practical Guide to UK and EU Law; Fifth Edition; Oxford University Press; 2018; pg. 57.

(a) Necessity: it needs to be deemed necessary to achieve a pre-determined goal, defined by the European Data Protection Supervisor (EDPS) as needing a “fact-based assessment of the effectiveness of the measure for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”45.

(b) The existence of a legitimate interest: the data that is used needs to be a response to the “problems” of the controller/third party, but it cannot override the fundamental rights of the data subject. This legitimate interest needs to be clear, concise, unmistakable and recognisable as legitimate, permitted by EU and national laws, so as to stand up to the guidelines of the law and of the Article 29 Working Party;

(c) Consideration: this point of analysis comes last because of its end goal, whereas the two previous ones are a conditio sine qua non of data processing based on legitimate interests.

As previously mentioned, there needs to be a careful pondering between the interests and goals of the data controller or third party and those of the data subject. The goal is for the scale to be as even as possible, i.e., the interests of the data controller/third party cannot cause dangerous harm or unfounded limitations to the fundamental rights of the data subject. Recital 47 of the GDPR showcases exactly that, as it reads “(…) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller”46, and “simply put, processing pursuant to Art. 6 Sec. 1 phrase 1 lit. f GDPR shall be lawful if, as a result of a balancing of interests, the legitimate interests of the controller/a third party prevail over the need to protect data subjects”47. This will correlate with the legitimate expectation of privacy that will be explained further ahead.

On a more critical note, can the data controller/third party, holding their own legitimate interests on one side of the scale, really assess, and this is a matter of assessment and not just of compliance, the necessity and proportionality of their actions against the safeguards and plenitude of the fundamental rights of the data subject?

45 European Data Protection Supervisor; “Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A toolkit”; 2017; pg. 5.

46 Rec. 47 GDPR.

47 VOIGT, Paul and BUSSCHE, Axel von dem; The EU General Data Protection Regulation (GDPR) – A Practical Guide; 2017; Springer; pg. 103.

The Working Party has set three factors to be taken into consideration: the nature and source of the interest; the impact it will have on the data subjects (and, depending on the relation between both parties, the reasonable expectations of the data subjects must be taken into consideration as well); and possible additional safeguards to diminish the possible restrictions it might create.

1.2 The consequences of processing based on the exclusion

Article 6 of the GDPR sets the requirements of lawful processing, at least one of which must be met, one of them (al. f) being based on the existence of legitimate interests.

As mentioned above, and with due notice of rec. 40 of the GDPR48, using legitimate interests of the controller/third party as the basis means that the data processing is within Art. 6 of the GDPR; however, they must still concern themselves with complying with the rest of the Regulation.

This means that compliance with the principles of Art. 5 is still necessary despite not being to Art. 6, with the transparency requirement gaining even higher significance.

Not only are the obligations of Art. 5 mandatory, processing data based on legitimate interests is also bound by Arts. 13 (Information to be provided where personal data are collected from the data subject) and 14 (Information to be provided where personal data have not been obtained from the data subject), falling, in the GDPR, within the scope of the rights of the data subject.

With the exception of the right to data portability (Art. 20), of which rec. 48 of the GDPR states that “That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract.”, the remainder of the data subjects’ rights are applicable – Arts. 15 (right of access), 16 (erasure), 17 (its restrictions), 18 (right to object) and 21 (not to be subject to a decision merely based on automated processing).

48 Rec. 40 GDPR: “In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

One of the most important rights to be extracted from the list above, which is not exclusive, is the right to object, which can only be applied based on necessity to execute a task belonging to a public body and for a legitimate interest. Art. 21 of the GDPR states that the controller must halt or avoid starting, as the case may be, the processing of data unless “compelling legitimate grounds”49 can be proven.

As concerns the burden of proof, it resides with the controller/third party, as they must be able to argue their legitimate interest, which can be founded in “any interest that is in accordance with the law and is, thus, interpreted in a very broad manner50”.51

The goal of the GDPR is to safeguard people’s data, ensure it is dutifully taken care of and not wrongly accessed nor disseminated. The media, however, regardless of the shape it takes, has the opposite goal: to share something as far and wide as possible. This creates tension between legislation and ‘real life’.

Under the legitimate interest exclusion, the controller’s interest could override the ones of the data subject when concerning the right of freedom of expression, however it would not when sharing location data.

One of the biggest points in the GDPR is that data protection and other fundamental rights should be carefully balanced. This is incredibly relevant because data protection and the protection of legitimate interests, in this case excluded from GDPR compliance for journalistic purposes, can often clash. This balance, as is common within the GDPR, is difficult to achieve, especially because it was left to the Member States how to ‘weigh’ these two figures, despite both being recognized as fundamental rights by the CFRUE in Arts. 8 and 11.

49 Art. 21 Nr. 1 GDPR.

50 Rec. 47 GDPR.

51 VOIGT, Paul and BUSSCHE, Axel von dem; The EU General Data Protection Regulation (GDPR) – A Practical Guide; 2017; Springer; pg. 103.

This is a two-sided evaluation: the limits to legitimate interest in media versus the journalistic exemption, are they the same? Or do they simply fall in the intersecting point of a Venn diagram?