When talking about EU privacy law, many businesses bemoan the lack of a “commercially reasonable” basis for collecting and using personal information. Europe is usually seen as a consumer-protective regime which focuses on prohibiting businesses from doing anything with data unless the consumer has affirmatively agreed to the processing before the processing begins (e.g. the “cookie directive”). However, the Article 29 Working Party (“WP”) has just released an Opinion which signals a change in the winds. The rarely used “legitimate interest of the data controller” basis for processing now has a new importance in the realm of fair and legal criteria for processing personal information.
Basis for Processing Under the Directive
The European Data Protection Directive specifies that personal information may only be processed under 6 enumerated criteria – Articles 7(a) through 7(f):
- The Data Subject gives consent to the processing,
- Processing is necessary for the performance of a contract to which the Data Subject is a party,
- Processing is necessary for the controller’s compliance with a legal obligation (note that this is not enforcing a legal right – two different things),
- Processing is necessary to protect a Data Subject’s “vital” interests (usually life or health),
- Processing is necessary to carry out a task in the “public interest”, or
- Processing is necessary for supporting the “legitimate interests” of the data controller, or of a third party to whom the data is disclosed, except where those interests are overridden by the Data Subject’s interests.
Historically, Article 7(f) – the last criterion in our list – was not used to justify processing, as there was no clear understanding of what a “legitimate interest” was from the perspective of the Data Protection Authorities of Europe. Thus businesses, on the advice of their counsel, relied on one of the other 5 criteria, most often the criterion of “consent” (Article 7(a)). This happened so often that, in July of 2011, the WP adopted an Opinion on consent which states that consent is more likely to be over-used improperly than any of the other criteria in Article 7.
Fundamentally, the first 5 criteria weigh the concepts of self-determination and public health and safety more heavily than the interests of business. Either the Data Subject has consented to the processing or is actively engaged in transacting with the controller; otherwise, the processing is necessary to perform a legal obligation or to protect someone (either the “public interest” or the individual themselves). There doesn’t seem to be much in the way of looking at the commercial stakeholder’s needs in the ecosystem – and this is the source of the view business has taken of Europe for some time.
Commercially Aware Processing
While we cannot really call the WP’s position on Article 7(f) commercially friendly, we can say that it is trending toward the “reasonableness” concept that is so prevalent on this side of the pond. The Opinion works at explaining how this criterion should be used, and actually states that this criterion may be much more applicable than a number of other criteria which have historically been misapplied. In addition, the Opinion actually walks through exemplars of how to do the balancing of interests which Article 7(f) requires.
Finally, the Opinion provides guidance on how to apply other Articles (specifically Articles 8 and 14) in conjunction with Article 7. Of most interest is the fact that processing under Article 7(f) does not require the prior consent of the Data Subject. This doesn’t mean that there aren’t protections for the Data Subject required of the controller. Nor does it mean that the controller can process personal information in any way they like. But it does mean that the logistical nightmare of prior consent to processing personal information is no longer the only way to comply with the Directive.
In the words of the Opinion: “[I]t may well be that Article 7(f) has its own natural field of relevance and that it can play a very useful role as a ground for lawful processing, provided that a number of key conditions are fulfilled.”
This is an important enough topic that I will follow up with the rest of the elements of the Opinion in later posts. But for now, it is worth contemplating alternatives to the usual technique of “consent” to legitimize a company’s processing of personal information.