CJEU rules on legitimate interests: 4 key lessons

It's a straight-sets win for the Royal Dutch Lawn Tennis Association against the Dutch DPA: the top European court, the CJEU, holds that a legitimate interest can be any lawful interest and does not have to be a legal obligation.
Dutch DPA loses case that legitimate interests must be legal obligations

The Autoriteit Persoonsgegevens (‘AP’), the Dutch data protection authority, has been almost alone in claiming that a legitimate interest must be a legal obligation, not just something lawful a business wants to do. This is despite Recital 47 of the GDPR stating that direct marketing could be a legitimate interest. The decision is quick and clear and helpfully:

  • clarifies what ‘necessary’ means for legitimate interests, and
  • gives great guidance on whether individuals would reasonably expect such processing.


4 key Lessons for your LIA

In a grand slam dunk – and very short – decision on 4 October 2024, the CJEU handed the Koninklijke Nederlandse Lawn Tennisbond, the Royal Dutch Lawn Tennis Association, a straight sets win which will be welcomed by business and their advisers across Europe and beyond.

We’ll draw out 4 Key Lessons for you, but first let’s check what the parties and the CJEU said.


Serve and volley

Simply put [para 16]: ‘The AP contends that legitimate interests … are only interests that are enshrined in and determined by law.’

Again, simply put [para 17]: ‘the KNLTB submits that … any interest may constitute a legitimate interest unless it is contrary to the law …’.


No meta what

The CJEU had paused the case pending the decision in Meta and Others (General terms of use of a social network) in C‑252/21 and, when the judgment came out on 4 July 2023, gave the referring court the opportunity to withdraw its request for a preliminary ruling in whole or in part.

The Dutch referring court declined, deciding it wanted to continue.

This was an interesting decision, because the CJEU in Meta was already very clear that a legitimate interest did not need to be a legal obligation:

  • [para 115] ‘First, with regard to personalised advertising, it must be borne in mind that, according to recital 47 of the GDPR, the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest of the controller.’
  • [para 119] ‘Second, as regards the objective of ensuring network security, that objective, as stated in recital 49 of the GDPR, constitutes a legitimate interest of Meta Platforms Ireland, capable of justifying the processing operation at issue in the main proceedings.’
  • [para 122] ‘Third, as regards the ‘product improvement’ objective, it cannot be ruled out from the outset that the controller’s interest in improving the product or service with a view to making it more efficient and thus more attractive can constitute a legitimate interest capable of justifying the processing of personal data and that such processing may be necessary in order to pursue that interest.’


The decision

The CJEU wasted no time in stating [para 38, our emphasis]:

‘it should be emphasised that, in the absence of a definition of that concept in the GDPR, as the Court has previously held, a wide range of interests is, in principle, capable of being regarded as legitimate (see, to that effect, judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), C‑26/22 and C‑64/22, EU:C:2023:958, paragraph 76).’

The CJEU also pointed to recital 47 of GDPR, stating that ‘the EU legislature did not require that the interest pursued by a controller be provided for by law in order for the processing of personal data carried out by that controller to be legitimate within the meaning of [Art6(1)(f)]’.

So when is an interest legitimate? Well, it must be lawful. And it must be necessary.


What is ‘necessary’?

The CJEU gives two straightforward rules for us to use, in paras 42 and 43:

  1. ‘the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the Charter’, and
  2. ‘the need for processing must be examined in conjunction with the “data minimisation” principle …, in accordance with which personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”’.


Reasonable expectation

This is a great part of the decision, as reasonable expectation is a key part of the legitimate interests balancing test and one that is easily overlooked. It certainly took centre court in this case…

Back to Recital 47, which states, in part (our emphasis):

‘The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.’

These are all aspects the court calls out.

Not expected

The tennis association claimed its legitimate interests consisted ‘first, in creating a strong link between that association and its members and, second, in being able to provide added value to their membership in the form of discounts and offers from partners enabling those members to play tennis at an affordable and accessible price’.

Importantly, the tennis association had sold members’ data to two quite different organisations:

  1. SportshopsDirect BV (‘TennisDirect’), a company that sells sports products, and
  2. Nederlandse Loterij Organisatie BV (‘the NLO’), the largest provider of games of chance and casino games in the Netherlands.

The CJEU stated that selling the data to a provider of games of chance and casino games, such as the NLO, ‘contrary to what follows from recital 47 of the GDPR, does not appear to be characterised by a relevant and appropriate relationship between the data subjects and the controller’.

The CJEU did not specifically state that selling to TennisDirect was within reasonable expectations given the relationship, but that is fairly clearly implied.

Potentially harmful

But the CJEU went further, in a very illuminating comment, stating that ‘in certain circumstances, the processing of such data [by the NLO] could have harmful effects on the members of the tennis associations concerned since those activities may expose those members to the risks associated with the development of gambling addiction’.


Your 4 key lessons

  1. On necessity, consider whether your legitimate interests ‘can reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects’.
  2. Bear in mind the data minimisation principle.
  3. Try to understand the individuals’ reasonable expectations in the context of the relationship.
  4. Bear in mind the negative – and positive – aspects of the processing for the individuals concerned.

And remember: this is all about what can be a legitimate interest. You still need to carry out your 3-stage balancing test.


Record your decisions in Keepabl

Accountability means having proof of your thought process and decisions on matters such as legitimate interests and LIAs. Our award-winning Privacy Management Software prompts you for your legal basis for each Activity, and for your LIA if you rely on legitimate interests. We also report all Activities where you rely on that legal basis, and on the others, so you can ensure you have the right assessments in place.

Request your Keepabl demo now!
