EU legitimate interests ruling could hurt AI development, warns expert

Amsterdam-based Wouter Seinen of Pinsent Masons said that while the Court of Justice of the EU’s (CJEU) had made an important clarification – that businesses wishing to cite a commercial interest as their ‘legitimate interest’ for processing personal data are not disqualified from doing so under EU data protection law – other aspects of its eagerly anticipated judgment would concern them.

The General Data Protection Regulation sets out six lawful bases for processing personal data. Perhaps the most well-known basis for processing personal data, under the legislation, is where organisations obtain the consent of data subjects to do so. However, processing of personal data can be undertaken without consent if one of the other five legal bases can be relied upon, including if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Hear Emilie Jones and Wouter Seinen discuss this story on The Pinsent Masons podcast here or wherever you get your podcasts.

The ‘legitimate interests’ ground can only be relied upon for processing personal data if the interests cited by the controller are not “overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data […]”.

The circumstances in which organisations are rely on the ‘legitimate interests’ ground for processing personal data has been heavily debated for years, as well as been the subject of litigation.

The question of whether a commercial interest can constitute a legitimate interest came before the CJEU in a case referred to it by a court in the Netherlands, which is considering a dispute between the Royal Lawn Tennis Federation (KNLT), which is an affiliation body for tennis clubs and its members, and the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.

In 2019, the AP imposed a fine of €525,000 against the KNLT over its sharing of tennis club member data with sponsors in return for payment. The sponsors used the data for promotional campaigns through mailshots and telemarketing. The AP considered that the data had been shared unlawfully and in 2020 rejected an appeal KNLT had raised against its original decision.

KNLT raised an appeal before the district court in Amsterdam, claiming that its data sharing was not unlawful because it had a lawful basis for sharing the data – legitimate interests. The crux of its argument is that a legitimate interest exists unless that interest is contrary to law. However, that interpretation of the law was challenged by the AP, which considers that there must be a legitimate and therefore concrete interest pertaining to the law, constituting law, enshrined in a law, for it to constitute a legitimate interest for the purposes of the GDPR.

In considering questions posed it by the district court in Amsterdam, the CJEU held that the KNLT, and not the AP, was right about the scope of the ‘legitimate interests’ basis for personal data processing under the GDPR, but implied that the KNLT may struggle to show it can rely on it to defend against the fine imposed on it in this case – a matter that is for the courts in the Netherlands to definitely rule on.

Seinen said the CJEU’s ruling provides a walk-through of the various steps organisations will need to satisfy to rely on the ‘legitimate interests’ basis for processing.

“The positive news for businesses from the ruling is that the CJEU has confirmed that commercial interests can constitute legitimate interests – included, as in this case, the promotion and sale of advertising space for marketing purposes – provided that the interests are not contrary to the law,” Seinen said.

“However, the court also said organisations will need have regard to principles of data minimisation and transparency enshrined in the GDPR to be able to demonstrate that their processing is necessary and meets other conditions governing lawful data processing. In that regard, it suggested the KNLT ought to have informed the tennis members that their data would be shared with third parties for marketing purposes and given those members an opportunity to opt-out of receiving the marketing materials,” he said.

“Applying the court’s thinking on those points more broadly, it would seem that there is an expectation that businesses wishing to rely on legitimate interests processing will need to tell data subjects about their plans to share their data. Thinking about this in the context of potential data sharing with AI developers for the purposes of training AI models, it is possible to imagine this ruling will impose burdensome and costly barriers to such data sharing and serve to slow-down technological innovation in the EU at a time when technologists have cited concerns about Europe’s rules on use of data and the need for a ‘change of course’,” Seinen said.

Even if processing personal data in pursuit of a commercial interest can be shown to be ‘legitimate’ and ‘necessary’, businesses must carry out a balancing exercise to check that their legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject.

In this respect, the CJEU said that a relevant factor will be whether data subjects can be said to reasonably expect such processing.

It also suggested that organisations planning to share personal data with third parties on the basis of ‘legitimate interests’ will need to consider the planned data processing activities by third parties, to determine whether those activities can be characterised as relevant and appropriate to relationship they have with the data subjects.