Out-Law News 3 min. read

Firms should explain what their 'legitimate interest' for processing personal data is, says watchdog

Businesses should have to specify why they should be able to process personal data without the consent of individuals if they wish to claim they have a 'legitimate interest' in processing the information, an EU privacy watchdog has said.

The European Data Protection Supervisor (EDPS) said that the proposal should be included within a reformed EU data protection law framework. The proposal was first contained in a draft amendment formed by the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) committee. 

In a draft report in January, LIBE had proposed an overhaul of the rules on 'legitimate interests' that are currently set out in EU data protection laws. 

Whilst the EDPS said most of what LIBE has proposed in that regard should be rejected, it backed LIBE's suggestion that a new data protection law framework should require data controllers to "publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject" when those firms seek to rely on the 'legitimate interests' basis for processing personal data.

"The EDPS welcomes the proposed amendment to [rules on 'legitimate interests'], which calls for more transparency on 'the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject'," the EDPS said in a new opinion. "This would encourage more accountability for the way in which an acceptable balance of interests should be struck." 

At the moment businesses that process personal data within the EU can lawfully conduct that activity without the consent of individuals in accordance with certain provisions of data protection law. The most common lawful basis organisations rely on to process personal data without consent is where they claim to have a 'legitimate interest' in processing the information. Businesses can rely on this provision providing their processing does not unduly prejudice the rights and freedoms of individuals.

However, existing EU data protection laws are currently subject to major reform after the European Commission proposed an overhaul to the fragmented regime that currently exists across the trading bloc.

In January 2012 the Commission outlined plans for a new General Data Protection Regulation,  as well as a separate Directive governing personal data processing by law enforcement bodies, to replace the 1995 Data Protection Directive. Since then MEPs and officials representing the 27 EU member states  have been actively proposing alterations to the Commission's drafts amidst concern from business organisations and civil society groups over the nature of the provisions. 

In January LIBE, which is leading the European Parliament's scrutiny of the reform plans, outlined plans to overhaul the rules on 'legitimate interests'. The committee said that organisations should only be able to rely on the 'legitimate interests' basis for processing in "exceptional circumstances". It proposed major amendments that would, if introduce, set out when organisations' 'legitimate interests' could be said to outweigh individuals' rights, and vice versa.

However, the EDPS has said that those proposals should be dismissed. The watchdog said the rules on 'legitimate interests' should be less "prescriptive" than what LIBE had drafted.

"In the EDPS' view, these prescriptive lists are counter-productive and should be rejected," the watchdog said. "The EDPS advises replacing these lists by a more concise provision, taking into account that there are many situations that cannot be foreseen in advance and that need to be assessed [in a concrete sense] on a case-by-case basis. In addition, a recital could list the most typical relevant factors that should be taken into account when balancing the interests and fundamental rights at stake. If necessary, some examples can also be given of what might constitute 'legitimate interests'."

The EDPS was commenting in its latest opinion on the data protection reforms. It said that the Commission's plans to change the rules on consent should be supported.

Organisations seeking to rely on individuals' consent in order to process their personal data currently must ensure that the consent they obtain is "unambiguous". However, the Commission has proposed changes to the rules on consent in a way that would require consent to be explicit, freely given, specific and informed and obtained through a statement or "clear affirmative action".

Some business groups have opposed the move to 'explicit' rather than 'unambiguous' consent, whilst some MEPs have sought to water down the Commission's draft, but the EDPS said the Commission's proposal "should be maintained". 

"It provides for some flexibility as to its manner of expression (by a statement or a clear affirmative action) and builds on the requirement of 'unambiguous' consent which constitutes an essential element of the overall balance of data protection since 1995," the EDPS said. "EU data protection authorities have consistently interpreted the requirement of [existing rules under the 1995 Directive] that the consent be 'unambiguous' as meaning that such consent needed to be 'explicit' (so that, for instance, a lack of action or silence cannot be considered as unambiguous)."


We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.