Legitimate and lawful data interests


Data controllers bear the burden of demonstrating that they have a lawful ground for processing personal data. Article 6 of the GDPR provides an exhaustive list of the lawful grounds which can be relied upon. 

The ‘legitimate interest’ ground (Article 6(1)(f)) is frequently relied upon by data controllers. For commercial organisations that have limited, or no, direct relationship with the data subjects, it is often the only possible lawful ground for processing. Thus, the question of what interests are ‘legitimate’ for the purpose of Article 6 is an important one.

That question was addressed by the Court of Justice of the EU (the CJEU) in Case C-621/22 in circumstances where the Dutch data protection authority had taken a very restrictive view on what could count as a legitimate interest.

CyXcel's Legal Director Stewart Duffy explains what this means for business.


All legitimate interests must be lawful

In its judgment of 4 October, the CJEU determined that an interest which is unlawful cannot constitute a ‘legitimate interest’ under Article 6(1)(f).

However, an interest can be a legitimate interest within the meaning of Article 6 without being enshrined in, or determined by, a law. That decision is important because it confirms that commercial interests can be ‘legitimate interests’.

Article 6(1)(f) has three elements. It can only be relied upon where:

  • the interest being pursued is legitimate;
  • the processing is necessary to pursue that interest; and
  • the interests or fundamental rights and freedoms of the data subjects do not outweigh the interest pursued.

Those latter two requirements still present a significant challenge for data controllers.

What this means for businesses

This case demonstrates the need for careful and dispassionate assessment, both of whether the processing is necessary to realise the legitimate interest and of whether any competing interests of data subjects prevail over the legitimate interest relied upon.

Data controllers need to recognise the risk of discounting, whether consciously or otherwise, the significance of impacts the data processing may have on data subjects. If the data controller’s reliance on Article 6(1)(f) is challenged, the question as to whether all three elements are met will be judged objectively and the lawfulness of processing will turn on how that question is answered. Reliance on the purely commercial interests of the controller is likely to mean there is no ‘fall back’ option if the legitimate interest ground fails.

That need for data controllers to assess matters objectively applies equally under the UK GDPR, albeit that the ICO’s approach to assessing necessity is less strict than the CJEU’s.

Details of the case

In the case of Koninklijke Nederlandse Lawn Tennisbond (KNLT) (C-621/22) the Dutch supervisory authorities had concluded that an interest which was not worthy of protection by EU or national law could not be a legitimate interest within the meaning of Article 6. The data controller challenged that decision, arguing that an interest was legitimate provided it was not contrary to law. The CJEU agreed with the data controller.

KNLT, a lawn tennis association, shared its members’ data with two sponsors to facilitate the sponsors’ marketing activities. One of those sponsors was a provider of casino and gambling games. The members had not consented to the use of their data in this way.

The data controller relied on the legitimate interest of creating a strong link between the association and its members and of offering added value to the members in the form of access to discounts and offers.

The CJEU’s decision

The CJEU held that an interest can be a legitimate interest, within the meaning of Article 6, without being enshrined in, or determined by, a law, but that the interest must be lawful.

In addressing the question of necessity, the CJEU noted that the legitimate interest relied upon by the data controller in this case could be realised by leaving it to the data subjects to determine whether their data should be shared for marketing or advertising purposes, and that such an approach would allow the data subjects to retain control.

Stressing that it would be a matter for the referring court to determine the case on its particular facts, the CJEU noted that the data controller’s disclosure of members’ data to a provider of gambling and casino games did not appear to be characterised by a relevant and appropriate relationship with the data subjects.

It also noted that exposure to advertising for such services could expose the recipients to a risk of compulsive gambling. Those factors would be relevant to weighing the interests of the data subjects against the legitimate interests pursued by the data controller.

 

[Photo by Alexey Larionov on Unsplash]

We can help

The absence of a lawful ground for processing personal data can break an organisation's business model. 

Our specialist lawyers routinely help our clients adopt a robust approach to identifying the most secure and lawful grounds for data processing as well as advising on wider compliance requirements under data protection laws.

For more information, or to speak with one of our team about how we can help your business, contact us today.