To continue my prior post on the Article 29 Working Party’s Opinion 6/2014, it is important to take a closer look at the specifics of the notion of a Controller’s “Legitimate Interests”.
Unlike all the other criteria for lawful processing, Article 7(f) is the only one which specifically articulates the idea that commercial interests should have weight in the calculus of “fair and lawful” processing. For each of the other criteria, if the criterion is met, the grounds for processing are considered a priori legitimate. Under Article 7(f), each purpose for processing will need to have the balancing test engaged. This is going to require a bit more analysis than the other criteria. However, because this analysis is internal to the business, it may well be less onerous than other options would be (e.g. having the DPA opine as to the legitimacy of the processing).
Legitimate Interests
It is interesting to note that the WP has taken this opportunity to distinguish between “interests” and “purposes”. This is important as the narrow-focused analysis in the past has often oriented more toward “purpose” analysis, as opposed to “interest” analysis. The “interest” analysis looks at a broader stake that the Controller may have in the processing. As a consequence, the challenges which go into the “necessary” analysis as described previously are mitigated. So, what makes an interest? And what makes it “legitimate”?
In general, for an “interest” to be legitimate, it has to be lawful (illegal interests are hardly legitimate), sufficiently articulated to allow it to be balanced against, and it must be “real and present” – you cannot rely on speculative interests. Much of this discussion is actually also reiterated from the WP Opinion 3/2013 on Purpose Limitation.
What is most interesting about the WP Opinion here is that the balancing test also applies to the legitimate interests of third parties. Traditionally (at least in the US) the Controller’s basis for processing is evaluated from the perspective of the relationship between the Controller and the data subject as a direct relationship. This recognition of the multi-party nature of modern service delivery is critical, as it provides the myriad of participants in the eCommerce space who don’t have direct contact with the data subject a means of legitimizing their processing without relying on consent (which continues to be questioned as the best basis for processing).
This is an important shift from the “notice and choice” model to the direct accountability model of privacy protections. Now, the obligation isn’t on providing notice and making sure the consent is properly formatted; the obligation is on something far more real and beneficial to the data subject – an analysis of the data subject’s interests, performed by the party in the best position to do the balancing. This injects a level of direct protection into the ecosystem which is not present in the “notice and choice” model.
Additional Safeguards
Special attention should be paid to the concept of “Additional Safeguards”. The combination of a “weighty” purpose and additional safeguards starts to provide a guide on how to comply with data protection obligations without going through the highly administrative type of activities that have been the hallmark of EU data protection programs in the past.
- Objection to Processing
Along with the balancing of interests, the Opinion spends a non-trivial amount of time discussing “additional adequate safeguards”. Interestingly enough, one of these safeguards is the right to object to the processing. Considering this is already a requirement under Article 14, it seems that the Directive itself is an “adequate safeguard”. Merely adopting the requirements of the Directive which are present in other Articles can count toward the safeguards necessary to allow processing of personal data without consent.
- Collection and use limitations
Another seemingly ambiguous concept which has received clarifying treatment in the Opinion is the concept of “necessary”. Some have commented in the past that “necessary” means the same as “indispensable”. The WP recognizes that “necessary” has its own independent meaning in Community law, and such a meaning is not equal to “indispensable”. Consequently, the Opinion moves away from the strict interpretation of “necessary” to a more commercially palatable state. Businesses will still have to limit collection and use to that which is “necessary”, but this necessity does take into account the needs of the business to innovate (to a point) and grow. Note that the WP does not go so far as to equate “necessary” with “reasonable” or “desirable”. So the WP hasn’t moved completely into the American default of “commercially reasonable”. However, it is a broader definition, which by its broadening, gives controllers more options than they had before.
- “Sensitive Information”
It should be remembered that the special categories of information addressed under Article 8 are still afforded enhanced protections. Article 7(f) should not be read to allow dilution of the additional protections in place under Article 8. The Opinion is careful to provide specific guidance on that issue.
Throughout the Opinion, it becomes obvious that the thinking of the DPAs has shifted from a heavily “consent” oriented model of data protection (which was appropriate when all interactions were one-to-one) to an “accountability” oriented model where the Controller has an affirmative obligation to take the data subject’s interests into account. This shift in approach will seemingly be more effective and more appropriate for the many-to-many style of interactions which are the norm in the modern digital age.