This article will delve into those draft guidelines, which are currently subject to public consultation until 20 November 2024, to understand their potential impact for organisations.
Background
Under the EU GDPR (and the UK GDPR), organisations must identify what is termed a lawful basis to legally process personal data, with six potential bases to select from (Article 6(1)). One such basis is found in Article 6(1)(f) GDPR, which provides that an organisation can lawfully process personal data if it is necessary in pursuit of a legitimate interest. To be able to rely on that basis, there are certain criteria which are broken down into three "cumulative conditions":
- That the organisation must have a legitimate interest for processing personal data.
- That the processing must be necessary to achieve the legitimate interest.
- That the interests or fundamental freedoms and rights of the concerned individual do not outweigh the organisation's legitimate interest.
The legitimate interest basis is perceived by some organisations as the flexible option or a fallback means to justify processing if they do not satisfy any other bases. Conversely, some organisations have been fearful of using the legitimate interest basis due to its requirement to balance the interests of the business against the rights and freedoms of the individuals. Because of these uncertainties, we sometimes see organisations attempting to shoehorn their processing practices into more established bases, such as consent, when this is perhaps not appropriate in the context.
What is the purpose of the draft guidelines?
The main purpose of the EDPB guidelines is to assist organisations in assessing whether Article 6(1)(f) may be invoked as a valid lawful basis for an organisation's intended processing purpose.
Do the draft guidelines have any relevance to UK businesses?
Although the EDPB focuses on the EU GDPR, its guidelines are still highly relevant in the UK, since the text of the UK GDPR largely follows that of the EU GDPR. We see the UK's data protection regulator, the ICO, often referring to the EDPB's guidance in its own UK-specific guidance. As a result, the EDPB guidelines are considered persuasive for the purposes of the UK GDPR.
So, what do the draft guidelines say?
The idea that legitimate interest is a flexible default is rejected by the guidelines, which make clear it must be interpreted restrictively and cannot act as a blanket justification to permit any processing activity. The guidelines repeat that controllers should thoroughly assess whether the three cumulative conditions are met from the outset.
Furthermore, the guidelines stipulate that the notion of "interest" should not become an open door, such as on the vague basis of being "for the greater good of society."
But on the flip side, the EDPB is careful to make clear that legitimate interest should not be relegated behind other Article 6 bases that are perceived as more clear-cut. This is a key issue when considering its link to the lawful basis of consent. There is an understanding that consent is currently being overused by organisations and is therefore often becoming an ineffective justification (for example, through consent fatigue). The adaptability provided by legitimate interest may therefore be more appropriate than forcing consent in some cases.
For instance, the guidelines highlight that legitimate interest is an effective basis when collecting personal data to prevent fraud. Fraud prevention serves a vital societal interest and therefore would weigh heavily in favour of the organisation in the balancing test. As a basis, legitimate interest is more practical in this context, as seeking consent would alert fraudsters and fail to address the harm. However, the guidelines also state that in many scenarios consent may be legally required, and in those cases legitimate interest could not be used as a lawful basis.
There is clearly a fine balance to be struck, and the draft guidelines have been drafted to emphasise the obligations placed on organisations to make the appropriate assessments.
Key guideline takeaways for organisations
Whilst it is appreciated that the guidelines are still in draft form, their content provides important direction for organisations navigating the legitimate interest lawful basis. Key takeaways for businesses considering using Article 6(1)(f) include:
- Conduct a thorough assessment before processing to ensure that the pursuit of the interest satisfies the three cumulative conditions;
- Include a wide range of factors when conducting the balancing test (for example, organisation-subject relationship, level of intrusiveness, data accessibility, and subject vulnerability);
- Consider introducing mitigatory measures to make your data processing less invasive of rights and freedoms;
- Conduct regular reviews of your use of the legitimate interest basis (especially if circumstances change);
- Involve your Data Protection Officer (DPO) when conducting any assessment regarding Article 6(1)(f);
- Inform data subjects of the legitimate interest as part of your transparency obligations (include this information in your privacy policy).
Conclusion
Whilst only in draft form, it is clear that the EDPB is using the guidelines in an attempt to address the vexed issue of when the legitimate interest basis can validly be used. They do this by explaining the factors that must be considered when assessing the cumulative conditions, and by emphasising that the basis should be used in its own right, not because it is "easier" or "more risky." Whilst the guidelines appreciate that this is a difficult legal area, one thing does remain clear: if you plan on using Article 6(1)(f) to justify processing personal data, you had better be ready to balance your ability to do so.
This article was co-written by Josh Chambers, Trainee Solicitor in MFMac's Corporate team.