On 25 May the EU General Data Protection Regulation (GDPR) came into force. If you need help in working out whether or not your Australian business will be affected by GDPR, please get in touch with us without delay. We have offered updates recently on:
– Cross-country data transfer (https://www.compliancequarter.com.au/gdpr_implications_for_australia/);
– Consent (https://www.compliancequarter.com.au/gdpr-countdown-2-how-to-get-consumer-consent-and-when-is-it-required/).
By Dr Drew Donnelly, Regulatory Specialist, Compliance Quarter
Today we update you on one of the more perplexing aspects of the GDPR: the ‘legitimate interests’ ground for processing personal data. On the one hand, the GDPR makes it easier for organisations to know when personal data processing is permitted (or ‘lawful’). The clear-cut definition of ‘consent’ means all organisations can be on the same page as to whether consent holds. On the other hand, the ‘legitimate interests’ ground requires each organisation to engage in a ‘balancing’ exercise in which it determines for itself whether processing in a particular case is justified or not. We explain this ground below.
GDPR Legitimate Interests
Article 6(1) describes a range of grounds under which processing of personal data of EU data subjects is permitted (‘lawful’). Article 6(1)(f) of the GDPR provides that processing is lawful where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This can be separated into three tests that the organisation can ask itself in determining whether or not the legitimate interests ground is met:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
While the necessity test is self-explanatory, we consider the other two tests below.
GDPR legitimate interests – Purpose test
The GDPR gives no definition of ‘legitimate interests’ that would make it clear when a purpose will be a legitimate or an illegitimate interest. However, the EU’s Article 29 Data Protection working group offered the following in its guidance on the old EU Directive. The purpose must:
- be lawful (i.e. in accordance with EU and national law);
- be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently concrete);
- represent a real and present interest (i.e. not be speculative).
On a practical level, an organisation relying on this ground must document a concrete purpose for the processing, show that the purpose is lawful, and show that it represents a real purpose for collecting the data rather than a hypothetical or possible future one. Other constraints on this test include:
- It cannot be used by a public authority (art 6(1));
- The processing of personal data strictly necessary for the purposes of preventing fraud is a legitimate interest (see recital 47);
- The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (see recital 47).
Note that this advice is of a general nature (except in the case of fraud). Direct marketing is not automatically a legitimate interest. It may be a legitimate interest in some cases, depending on the judgement of the organisation, and it is always subject to the balancing test besides.
GDPR legitimate interests – Balancing Test
Assuming that the first two tests are met, the organisation then needs to consider whether its legitimate interest is outweighed by the interests or fundamental rights and freedoms of data subjects. Recital 47 emphasises the need for “careful assessment as to whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place”.
It is worth noting here that ‘interests’ is a broader term than ‘rights’, covering anything that might be important to the data subject. Note also that the data subject’s interest need not be a ‘legitimate’ one: even unlawful interests of the data subject need to be taken into consideration. In carrying out the balancing itself, it will be useful to consider:
- how important the organisation’s ‘legitimate interest’ is;
- the nature of the data;
- the way in which the data are processed (e.g. large scale, data mining, profiling, disclosure to a large number of people or publication).
If you think we could be of any assistance in carrying out a ‘legitimate interests’ assessment for the EU personal data you control or process, please get in contact with us.
For the full GDPR see http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
See helpful guidance from the United Kingdom Information Commissioner’s Office at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/.