Legitimate Interest is not just something you assert
Over the years, I’ve heard many excuses for not sending permission-based emails. One of the more creative excuses came from a sender in the EU who, with complete confidence, told me: “I don’t need consent! We have a legitimate interest in marketing our products!”
The General Data Protection Regulation (GDPR) provides a legal basis for processing personal data, known as “legitimate interest.” This basis allows organizations to process personal data for their purposes, including for direct marketing1, so our intrepid marketer was not wrong up to that point. However, this isn’t a blanket permission—it requires careful consideration and a balancing act to ensure that the organization’s interests don’t override the rights and freedoms of the data subject.
Understanding “Legitimate Interest”:
Legitimate interest is often misunderstood as a catch-all justification for data processing. While it offers flexibility, it also demands more thought than the other lawful bases. The organization should conduct a Legitimate Interest Assessment (LIA): a structured, documented evaluation of the processing’s purpose, its necessity, and the balance between the organization’s interest and the data subject’s rights. The GDPR does not name the LIA as a mandatory document, but it does require the controller to be able to demonstrate compliance (the accountability principle), and a written LIA is the standard way to do so.2
Purpose:
The need to process the data must be clearly stated. “We think it would be helpful to us” is not a statement of need. On the other hand, “we want to send marketing messages only to individuals who would be interested in our product” is specific and clear regarding why the processing needs to happen and the benefits that the processing will bring about. For example, suppose a company is launching a new product that aligns with the interests of a particular customer segment. In that case, it might be argued that sending targeted emails is necessary to inform these customers about a product that could benefit them. The company must process that personal data to create or refine the segmentation necessary to send those targeted emails. However, this purpose must be documented, and its reasoning should be transparent and justifiable.
Moreover, the purpose must align with the expectations of the data subjects, or additional requirements must be met.3 If the data was initially collected for a different purpose, using it for marketing might be seen as a breach of trust unless its additional use for marketing was clearly communicated and the individual had the opportunity to opt out.
Necessity:
The processing must be necessary and proportionate to achieve the organization’s legitimate interest. This leg of the test fails if the same goal can be achieved by other, less intrusive means. For instance, if the organization can reach the same marketing outcome by processing less data, or by asking the individuals for consent instead, then legitimate interest may not be a valid basis. Necessity does not mean that the processing is merely convenient; it must be essential to achieving the specific purpose identified.
In practice, organizations should explore alternative approaches before settling on legitimate interest. Could anonymized data be used instead? Is there a way to limit the scope of data processing to minimize its impact on individuals? These are the kinds of questions that must be asked and answered.
Balance:
Weigh the benefits of processing against the risks to the individual’s rights. For legitimate interest to be a valid basis, the benefits must outweigh the risks, and the more sensitive the data, the stronger the benefit must be. For example, suppose an organization is processing personal data revealing religious beliefs. Processing that category of data is prohibited outright unless one of the specific exceptions applies,4 so the organization must show not only a compelling justification that the processing is necessary and would not harm the individual’s rights or freedoms, but also which exception it relies on. In this example the exception could be met by pointing out that the organization is run by a religious body and is offering a religious retreat to its own members to promote fellowship and strengthen faith.5
This balancing act is critical in cases where the data subject might be unaware of the processing, or the impact on them could be significant. Organizations need to consider the potential harm or distress their processing might cause. If the risks are too high, or the data subject’s rights will likely be infringed upon, legitimate interest cannot be used as a lawful basis for processing, no matter how convenient it would be to the organization.
What does it mean?
In summary, while legitimate interest can provide a legal basis for direct marketing under GDPR, it’s not a free pass that allows an organization to bypass the inconvenience of obtaining consent. A thorough analysis is required to ensure that the marketing activities are fair, necessary, and respectful of the individual’s rights and freedoms.
Footnotes
1. Recital 47, General Data Protection Regulation, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32016R0679 (last visited Aug 22, 2024) (“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”).
2. Article 5(2), General Data Protection Regulation, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32016R0679 (last visited Aug 22, 2024) (“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”).
3. Article 6(4), General Data Protection Regulation, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32016R0679 (last visited Aug 22, 2024).
4. Article 9(1), General Data Protection Regulation, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32016R0679 (last visited Aug 22, 2024) (“Processing of personal data revealing … religious or philosophical beliefs … shall be prohibited.”).
5. Article 9(2)(d), General Data Protection Regulation, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32016R0679 (last visited Aug 22, 2024) (“processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”).