
Watchdog calls for businesses to explain why their interests in personal data processing override privacy rights

Out-Law News | 20 May 2014 | 10:29 am

EU companies should be under a duty to explain why they believe their interests in processing personal data are not superseded by the privacy rights of the individuals concerned, a privacy watchdog has said.

The Article 29 Working Party (WP29) has called for EU data protection laws to be changed to require such an explanation to be provided to individuals and for there to be "greater accountability" of the way businesses assess their legitimate interests in processing personal data (68-page / 991KB PDF) relative to the privacy rights of the individuals. The call mirrors the one also made by the European Data Protection Supervisor last year.

"For the future, the WP29 recommends implementing a recital to the proposed [new EU General Data Protection] Regulation on the key factors to consider when applying the balancing test [between a business's legitimate interest and the rights of data subjects]," the Working Party said. "The WP29 also recommends that a recital be added requiring the controller, when appropriate, to document its assessment in the interests of greater accountability. Finally, the WP29 would also support a substantive provision for controllers to explain to data subjects why they believe their interests would not be overridden by the data subject’s interests, fundamental rights and freedoms."

Under EU data protection laws, organisations can rely on a number of legal grounds to legitimately process personal data. Examples of these grounds include where the organisations obtain individuals' consent to the processing, or where the organisations are subject to a legal obligation to process personal data, such as being subject to a court order.

However, businesses can rely on the so-called 'legitimate interests' ground to process personal data too. Businesses can rely on this provision provided their interests in processing personal data do not unduly prejudice the rights and freedoms of individuals.

In a published opinion the Working Party said that businesses need to "clearly articulate" the interests they have in processing personal data and actively pursue those interests. "Interests that are too vague or speculative will not be sufficient" for businesses to weigh that those interests override individuals' rights and freedoms, it said.

The Working Party said that in some cases, businesses may be able to process personal data on the basis of a "trivial" legitimate interest they are pursuing.

"If the interest pursued by the controller is not compelling, the interests and rights of the data subject are more likely to override the legitimate - but less significant - interests of the controller," the Working Party said. "At the same time, this does not mean that less compelling interests of the controller cannot sometimes override the interests and rights of the data subjects: this typically happens when the impact of the processing on the data subjects is also less significant."

Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "Having to explain to consumers why their privacy rights do not override a business interest appears to create extra work for businesses, but presumably to reach the conclusion that the legitimate interests condition applies in the first place, they have already done the hard part – making this analysis."

"Perhaps another way to look at this is for organisations to see this as an opportunity – an opportunity to sell their customers the benefits of the processing activity they are undertaking. That is really part of the essential work involved in building a relationship based on trust, rather than a legal chore," he said.

The Working Party outlined a range of factors businesses should consider when undertaking the 'balancing test'.

"The test requires full consideration of a number of factors, so as to ensure that the interests and fundamental rights of data subjects are duly taken into account," the committee said. "At the same time it is scalable which can vary from simple to complex and need not be unduly burdensome."

"Factors to consider when carrying out the balancing test include: the nature and source of the legitimate interest and whether the data processing is necessary for the exercise of a fundamental right, is otherwise in the public interest, or benefits from recognition in the community concerned; the impact on the data subject and their reasonable expectations about what will happen to their data, as well as the nature of the data and how they are processed; additional safeguards which could limit undue impact on the data subject, such as data minimisation, privacy-enhancing technologies; increased transparency, general and unconditional right to opt-out, and data portability," it said.

Dautlich said that some of the practical examples the Working Party provided in its document on balancing legitimate interests with privacy rights were "undisguised references to ongoing court cases". He said that one of the examples, which cites an internet business that combines the personal data of its users across its different services, was a "not very disguised reference to Google" and the dispute between that company and EU DPAs over its privacy policy.

"The opinion is a document that businesses will use as a persuasive source of guidance that they should generally be following," Dautlich said. "In France, and potentially in other EU countries, however, the legitimacy or otherwise of Google's collection of user data from across its services has yet to be determined by a court."