In the past few weeks, there have been significant developments relating to the “legitimate interests” legal basis under Article 6(1)(f) of the GDPR:

  • On 4 October 2024, the Court of Justice of the EU (“CJEU”) handed down its judgment in a case relating to the Royal Dutch Lawn Tennis Association (Case C-621/22, KNLTB), confirming that “commercial” interests when processing personal data can constitute legitimate interests.
  • On 8 October 2024, the European Data Protection Board (“EDPB”) adopted its long-awaited draft guidelines on when controllers can rely on legitimate interests (“Draft Guidelines”), which update a 2014 opinion from the Article 29 Working Party (“WP29”). The Draft Guidelines are open for consultation until 20 November 2024.

We set out below five key takeaways from the Draft Guidelines and the KNLTB case, and how these developments may affect a GDPR-regulated data controller’s ability to rely on legitimate interests in the future to process personal data.

  1. Commercial interests can be a “legitimate” interest

The CJEU has consistently held that relying on the legitimate interests legal basis requires controllers to pass a three-step test. The first limb of the test requires controllers to establish that their processing supports “legitimate interests” pursued by the controller or a third party. In the KNLTB case, the Dutch data protection supervisory authority (“SA”) asked the CJEU questions about the nature of those interests: specifically, whether commercial interests could be legitimate.

The background here seemed relatively innocuous: could the tennis club, a data controller, rely on legitimate interests to share data about its members with third parties for marketing purposes? The Dutch SA concluded that it could not, and that it failed the first limb of the test because the interests pursued by its processing were “commercial” and any interest, in order to be “legitimate”, must be determined by or reflected in law. The SA imposed a fine of 525,000 Euros upon the tennis club for the GDPR breach. The tennis club appealed, and a Dutch court asked the CJEU to clarify whether a controller can, in principle, rely on: (a) legitimate interests that are not expressly identified in law; and (b) “commercial” interests. In a relatively short judgment, the CJEU confirmed that controllers can rely on legitimate interests not affirmatively or positively established in law, and that commercial interests can, in principle, constitute legitimate interests provided that those commercial interests are not unlawful. This is a welcome ruling for controllers, who will be able to continue to take the position that they can rely on legitimate interests for various commercial practices, provided that they also meet the second and third limbs of the assessment.

The Draft Guidelines reiterate this position, but also note that to be “legitimate,” the interests pursued must be clearly and precisely articulated, and real and present. This suggests: (a) that there are close links between relying on legitimate interests and the GDPR’s transparency obligations (under which controllers must identify the legitimate interests they pursue); and (b) that hypothetical interests will not be sufficient.

  2. Controllers have to consider carefully whether processing is “necessary” to meet each of the interests they pursue

    In the Draft Guidelines, the EDPB reiterates the CJEU’s prior holdings in relation to the second limb of the legitimate interests test: that processing will be necessary to meet legitimate interests only where there are no “reasonable, just as effective, but less intrusive alternatives.” Notably, however, the Draft Guidelines state that “in practice, it is generally easier for a controller to demonstrate the necessity of the processing to pursue its own legitimate interests than to pursue the interests of a third party.” To the extent that controllers rely on third parties’ interests when they use the legitimate interests legal basis, they are likely to have to consider this necessity requirement particularly carefully.

  3. The EDPB’s assessment of the third limb of the balancing test appears to make it more challenging to rely on legitimate interests than the WP29’s 2014 opinion

    The third limb of the legitimate interests test requires controllers to balance the interests they pursue against the rights, freedoms, and interests of affected data subjects. The EDPB’s Draft Guidelines emphasize, again consistent with CJEU jurisprudence, that this requires a case-by-case assessment taking into account a number of factors, including the impact of the processing on affected data subjects, their reasonable expectations, and the safeguards the controller has put in place. The way that the Draft Guidelines structure the balancing assessment, however, suggests that there is a higher bar for relying on legitimate interests than was set out in the WP29’s pre-GDPR opinion. For example:

    • Unlike the WP29’s 2014 opinion, the Draft Guidelines do not expressly state that the strength of the legitimate interests pursued by a controller is a relevant factor in the balancing test;
    • The EDPB also expressly states that measures a controller has taken to comply with the GDPR are not relevant to the balancing test, even though those measures (e.g., transparency, the right to object, short retention periods, and security measures) could clearly mitigate the impacts of the processing on data subjects; and
    • The Draft Guidelines indicate that transparency measures will not necessarily assist a controller in setting a data subject’s reasonable expectations, and that the fact that processing is common practice does not, by itself, mean that it falls within data subjects’ reasonable expectations.

     We expect that some stakeholders might raise concerns about some of these points in the consultation.

  4. The EDPB reiterates the high bar that exists for establishing compelling legitimate grounds and rejecting objections to processing under Article 21 GDPR

    Article 21(1) grants data subjects the right to object to any processing carried out on the basis of legitimate interests “on grounds relating to [their] particular situation,” and provides that the controller must cease the processing unless it has “compelling legitimate grounds” that override the data subject’s rights, freedoms, and interests. The Draft Guidelines set out the EDPB’s view that a high bar must be met when rejecting an objection. They state that:

    • Even if a data subject does not elaborate on their particular situation in any detail, that is not per se a reason to reject an objection (if the controller has doubts as to the “particular situation” of the data subject, it can ask them to elaborate); and
    • When conducting the balancing test following an objection, the controller may only take into account “compelling” legitimate interests, and not all legitimate interests will meet this standard. The interests must be “essential” to the controller—for example if the processing is necessary to protect the controller or systems from “serious immediate harm or from a severe penalty which would seriously affect its business.”

  5. The EDPB indicates that it is possible to rely on legitimate interests to share data with public authorities (in the EU)

    In the 2023 Meta v Bundeskartellamt case (C-252/21), the Court was asked whether Meta could collect data on an ongoing basis from other group services as well as from third-party websites and apps for the purpose of sharing information with law-enforcement agencies and responding to legal requests in order to prevent, detect and prosecute criminal offences, unlawful use, breaches of the terms of service and policies, and other harmful behaviour.

    In response, the Court stated that “the sharing of information with law-enforcement agencies in order to prevent, detect and prosecute criminal offences . . . is not capable, in principle, of constituting a legitimate interest pursued by the controller” because in relation to a private entity, that processing “is unrelated to its economic and commercial activity.” This holding, viewed in isolation, understandably has caused some alarm.

    The Draft Guidelines attempt to provide more clarity based on the GDPR and the ruling in Meta. In particular, the EDPB states that a private entity can rely on legitimate interests to “report to law enforcement authorities possible criminal acts or threats it may occasionally become aware of.” The Draft Guidelines contrast this with “collect[ing] and stor[ing] personal data in a preventive and systematic manner specifically to be able to provide such data to law enforcement authorities” (our emphasis).

    The Draft Guidelines also provide that a controller could, in some scenarios, have a legitimate interest in disclosing personal data in response to requests from a third country (i.e., non-EU/EEA) law enforcement authority or public administration, “in particular if the controller is subject to third country legislation and non-compliance with such request would entail sanctions under foreign law”. This analysis is context-dependent. The EDPB reiterates that it has in the past, based on a specific set of facts, taken the view that the interests or fundamental rights and freedoms of the data subject overrode the controller’s interest in complying with a request from a third country law enforcement authority to avoid sanctions for non-compliance.

    *           *           *

    Covington’s Data Privacy and Cybersecurity Practice regularly advises on GDPR compliance, SA investigations, and privacy litigation before the CJEU. If you have any questions about the impact of these developments on your business, or if you are interested in responding to the consultation on the Draft Guidelines, please do not hesitate to contact us.

    (This post was written with the assistance of Alberto Vogel).

    Dan Cooper

    Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

    According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

    Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

    Mark Young

    Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

    Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

    Drawing on over 15 years of experience, Mark specializes in:

    • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
    • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
    • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
    • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
    • Advising life sciences companies on industry-specific data privacy issues, including:
      • clinical trials and pharmacovigilance;
      • digital health products and services; and
      • engagement with healthcare professionals and marketing programs.
    • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
    • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
    • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
      • supervising technical investigations and providing updates to company boards and leaders;
      • advising on PR and related legal risks following an incident;
      • engaging with law enforcement and government agencies; and
      • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
    • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
    • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
    • Representing clients in connection with references to the Court of Justice of the EU.

    Paul Maynard

    Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

    Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

    Tomos Griffiths

    Tomos Griffiths is an associate working across the technology regulatory and competition groups in London.

    Tomos joined the firm as a trainee solicitor in 2021, qualifying in 2023. His practice covers technology regulation, competition law, and regulation that spans the two. His recent experience includes advising clients on data protection compliance, foreign direct investment screening, and competition law litigation.

    As a trainee solicitor, Tomos also gained experience in capital markets and commercial litigation for clients in the technology and life sciences sectors.