One of the six lawful grounds for personal data processing is the ‘legitimate interests of the controller or third party’, and this is the area we’ll be examining in this article, with plenty of help from the excellent Legitimate Interests Guidance produced by the Data Protection Network (sign up to download it here).
We’ll look at general examples of legitimate interests and more specific examples, too.
Update: The ICO released legitimate interests guidance in March 2018 after the publication of this article.
What are the six lawful grounds for data processing?
Article 6.1 of the GDPR defines the lawful grounds for data processing as follows:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (Note that this condition is not available to processing carried out by public authorities in the performance of their tasks.)
The marketer will chiefly be interested in the grounds of legitimate interests and consent. (For more on consent see our previous articles on best practice UX for obtaining consent for marketing and some UX that may need improvement.)
What does ‘legitimate interests’ mean and how might it apply?
Fairly obviously, the term refers to the stake that the company processing the personal data may have in that processing. This may imply a benefit inherent in processing for that company itself or perhaps for wider society.
As the DPN points out, a legitimate interest ‘must be real and not too vague’. For example, it may apply to an organisation’s data processing as part of fraud protection, security measures or transferring that data between different parts of an organisational group. Some of this may already be part of legal compliance.
These sorts of interests may seem pretty fair to the average reader, and indeed the expectations of users are one of the elements that the ICO guidance earmarks for consideration when a data controller is deciding whether to rely on legitimate interests.
Would or should a user expect the processing to take place? If there is such an expectation, the impact of the processing is arguably less than if there were none.
For the marketer, three of the six generic examples in the GDPR (in recitals 47 to 50) of where a Controller may have a legitimate interest are of particular note.
1. Direct marketing
The GDPR states, ‘the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.’
This may be where consent is not viable or not preferred, though the DPN rightly stresses the fact that organisations will still need to show that there is a balance of interests – their own and those of the person receiving the marketing.
Of course, any individual can object to direct marketing and it is one of the examples of legitimate interests for which objection is already fairly well understood and easy to action (often by unsubscribe link or by contacting the company in question to request).
2. Relevant and appropriate relationship
This may be a direct appropriate relationship, such as where the individual is a client.
3. Reasonable expectations
As previously discussed, if a controller understands individuals have a reasonable expectation their data will be processed, this may help to make a case for legitimate interests.
How about some more specific examples?
Aside from some of the more obvious cases where legitimate interests may apply – risk assessment, checking children’s age, processing data to afford individuals their rights – here are five specific examples that may be pertinent for marketers (again taken from the excellent DPN advice).
If a user objects to direct marketing, for example, a company may need to hold some personal data, however limited, in order to ensure no more marketing is sent to this user. This could be regarded as a legal obligation.
This example was alluded to in the comments of a previous article on the GDPR. The Guardian allows users to delete their account and states that “Deleting your account removes personal information from our database. Your email address becomes permanently reserved and the same email address cannot be re-used to register a new account.”
Whilst one of our readers highlighted that this seems to jar with the right to be forgotten, it’s likely understood by most users that a record needs to be kept and that, although comments on articles can be anonymised, the comments themselves are a matter of record and any new account must be on a novel email address.
Though a retailer or a travel company may rely on consent for marketing comms, personalising a website’s content (e.g. recommendations) to improve the user’s customer experience may rely on legitimate interests.
3. Direct marketing
As the DPN suggests, legitimate interest could include direct mail from a charity to existing supporters updating them on details of upcoming events.
4. Web analytics
The DPN gives the example of ‘a social media platform [using] diagnostic analytics to assess the number of visitors, posts, page views, reviews and followers in order to optimise future marketing campaigns.’
Web analytics is one area, though, where changes to the ePrivacy Directive of 2002 (to bring it in line with the GDPR) may complicate matters. Though this author is only a layman, I was slightly confused when reading a blog post from law firm Fieldfisher, as it seems to indicate that cookie consent is needed for third-party platforms such as Google Analytics:
Exemption for analytics cookies: Like the leaked draft, the Commission’s [ePrivacy Directive] proposal retains an exemption from the cookie consent requirement for analytics. However, the exemption applies only for first-party analytics, not third-party analytics – so websites and apps using third-party analytics platforms like Google Analytics etc. will still need consent (even if, for the techies amongst you, the cookie is technically served from a first-party domain – third party here refers to the provider of the analytics service, not the domain from which the cookie is served).
5. Updating customer details and preferences
The DPN highlights the example of a retailer using an external service provider to verify the accuracy of customer data. The DPN also details that controllers have to be careful here as to how such activity is carried out.
On this blog we have already pointed to the fines given out by the ICO to Flybe, Morrisons and Honda, each of which broke the existing Privacy and Electronic Communications Regulations (PECR) by flouting customers’ marketing wishes: they sent emails asking whether users wanted to change their marketing permissions (and even incentivised the behaviour).
How can marketers be sure legitimate interest applies?
Though the GDPR does not list all circumstances in which legitimate interests may apply, it does specify that any processing under this banner must meet the balance of interests condition – are the interests of the controller overridden by the interests or rights of individuals?
Individuals can object to data processing for legitimate interests (Article 21 of the GDPR) with the controller getting the opportunity to defend themselves, whereas where the controller uses consent, individuals have the right to withdraw that consent and the ‘right to erasure’. The DPN observes that this may be a factor in whether companies rely on legitimate interests.
If you are unsure about whether legitimate interests applies, your data protection officer will likely be undertaking a Legitimate Interests Assessment (LIA). There is a template for such an assessment in the DPN’s guidance document.
In short, an LIA is split into three steps:
- The assessment of whether a legitimate interest exists;
- The establishment of the necessity of processing; and
- The performance of the aforementioned balancing test
Regarding step three, factors under consideration include:
- the nature of the interests (such as the reasonable expectations of the individual);
- the impact of processing;
- any safeguards which are or could be put in place.
Privacy notices must provide clarity to the user
One of the main threads of the GDPR is providing clear and transparent information to individuals about data collected, how it is processed, and the lawful basis for this processing.
This is no different where legitimate interests applies – see the examples below from the DPN. It should also be made clear that individuals have the right to object to processing of personal data on these grounds.
Example privacy notice from the DPN, including detail about ‘legitimate business purposes’
Example from the DPN of an alternative statement on data collection page
Note that this article is not intended to construe legal advice or offer comprehensive guidance.
That’s it for this summary. Let us know how you are preparing for the GDPR in the comments below.