The Autoriteit Persoonsgegevens (‘AP’), the Dutch data protection authority, has been almost alone in claiming that a legitimate interest must be a legal obligation, not just something legal a business wants to do. This despite Recital 47 of the GDPR stating that direct marketing could be a legitimate interest. The decision is quick and clear and helpfully:
In a grand slam dunk – and very short – decision on 4 October 2024, the CJEU handed the Koninklijke Nederlandse Lawn Tennisbond, the Royal Dutch Lawn Tennis Association, a straight sets win which will be welcomed by businesses and their advisers across Europe and beyond.
We’ll draw out 4 Key Lessons for you, but first let’s check what the parties and the CJEU said.
Simply put [para 16]: ‘The AP contends that legitimate interests … are only interests that are enshrined in and determined by law.’
Again, simply put [para 17]: ‘the KNLTB submits that … any interest may constitute a legitimate interest unless it is contrary to the law …’.
The CJEU had paused the case pending the decision in Meta and Others (General terms of use of a social network) in C‑252/21 and, when the judgment came out on 4 July 2023, gave the referring court the opportunity to withdraw its request for a preliminary ruling in whole or in part.
The Dutch referring court declined, deciding it wanted to continue.
This was an interesting decision, because the CJEU in Meta was super clear that legitimate interests did not need to be a legal obligation:
The CJEU wasted no time in stating [para 38, our emphasis]:
it should be emphasised that, in the absence of a definition of that concept in the GDPR, as the Court has previously held, a wide range of interests is, in principle, capable of being regarded as legitimate (see, to that effect, judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 76).
The CJEU also pointed to recital 47 of GDPR, stating that ‘the EU legislature did not require that the interest pursued by a controller be provided for by law in order for the processing of personal data carried out by that controller to be legitimate within the meaning of [Art6(1)(f)]’.
So when is an interest legitimate? Well, it must be lawful. And it must be necessary.
The CJEU gives two straightforward rules for us to use, in paras 42 and 43.
This is a great part of the decision as reasonable expectation is a key part of the legitimate interests balancing test which is easily overlooked. It certainly took centre court in this case…
Back to Recital 47, which states, in part (our emphasis):
‘The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.’
These are all aspects the court calls out.
The tennis association claimed its legitimate interests consisted ‘first, in creating a strong link between that association and its members and, second, in being able to provide added value to their membership in the form of discounts and offers from partners enabling those members to play tennis at an affordable and accessible price’.
Importantly, the tennis association had sold members’ data to two quite different organisations:
The CJEU stated that selling the data to a provider of games of chance and casino games, such as the NLO: ‘contrary to what follows from recital 47 of the GDPR, does not appear to be characterised by a relevant and appropriate relationship between the data subjects and the controller’.
The CJEU did not specifically state that selling to TennisDirect was within reasonable expectations given the relationship, but it’s pretty obviously implied.
But the CJEU went further, in a very illuminating comment, stating that ‘in certain circumstances, the processing of such data [by the NLO] could have harmful effects on the members of the tennis associations concerned since those activities may expose those members to the risks associated with the development of gambling addiction’.
And remember – this is all about what can be a legitimate interest; you still need to do your 3-stage balancing test.
Accountability means having proof of your thought process and decisions on matters such as legitimate interests and LIAs. Our award-winning Privacy Management Software prompts you for your legal basis for each Activity, and your LIA if you rely on legitimate interests. We also report all Activities where you rely on that – and the other – legal bases so you can ensure you have the right assessments in place.