Legitimate interest and privacy consent, how to use them?
When legitimate interest can be used and the level of granularity of required privacy consent are among the open questions of the GDPR.
Updated on 14 December after the publication of the draft version of the guidelines on automated decision making and profiling and the draft version of the guidelines on privacy consent of the Article 29 Working Party
As part of the privacy audits that we are running for several clients to get them compliant with the European General Data Protection Regulation, a frequent scenario is that companies require a single consent for the processing of personal data for the delivery of marketing communications of their products/services as well as those of third parties and for the profiling of their customers. Also, there is considerable confusion on when and how legitimate interest can be exploited. The purpose of this blog post is to give some clarity on the “dos and don’ts” on such subject matter.
What consent is required under the GDPR?
The privacy consent under the GDPR needs to be
“freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The GDPR further clarifies that consent
“could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided”.
What is the level of granularity required?
The wording of EU privacy regulation seems straightforward but, despite such language, it leaves the door open to different interpretations on issues such as:
- Is it possible to obtain a single consent for different channels of communication?
- Is it necessary to obtain a consent for marketing communications of third parties’ products/services, separate from the consent for marketing communications of the data controller’s products/services, even if it is performed by the data controller, without disclosing/communicating personal data to the third party?
- How shall third parties whose products/services are advertised be identified? Is it necessary to refer to their industry?
These questions had been clarified in the past by data protection authorities such as the Italian privacy authority in its guidelines on direct marketing. But will these guidelines still be valid after the 25th of May 2018? The matter was not fully clarified in the guidelines of the Article 29 Working Party on privacy consent.
An important change in any case for countries like Italy where the privacy consent to the processing of health related data was required to be “in writing” under the current regime is that this is no longer a requirement. The privacy consent to the processing of health related data shall be explicit and specific, but can be given also for instance in an electronic form.
I discussed privacy consent in more detail in this blog post that specifically focuses on issues raised by the Article 29 Working Party on privacy consent.
When is it possible to rely on legitimate interest?
Under the current data protection law, legitimate interest could be exploited in countries like Italy only with the express approval of the data protection authority. This restriction led to a limited usage of this legal basis, even if there are some interesting decisions on the usage of legitimate interest as legal basis for customers’ profiling in relation to telecom operations.
A higher level of flexibility is given by the GDPR which provides that
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller”.
The so-called “balancing test” needs to be run between the interests of the data controller and those of the affected individuals. The area in which legitimate interest raises the vast majority of questions is when it can be used as legal basis for the processing of personal data for direct marketing or even profiling purposes. You can also review my video in Italian on the topic below.
This was the topic on which the Article 29 Working Party issued its decision holding that the assessment on whether profiling can be based on legitimate interest depends, among other things, on
- the level of detail of the profile e.g. a profiling activity excluding bad payers could in my view be grounded on legitimate interest;
- the comprehensiveness of the profile i.e. whether the profile only describes a small aspect of the data subject, or paints a more comprehensive picture;
- the impact of the profiling i.e. the effects on the data subject, for instance whether he will suffer a major loss because of such profiling or might just receive less profitable marketing offerings; and
- the safeguards aimed at ensuring fairness, non-discrimination and accuracy in the profiling process.
What is my view?
What we are currently recommending to clients is to immediately adopt a “transitional” privacy information notice that is compliant with both the current data protection law and the GDPR, with a prudent (but market oriented and justified) approach on privacy consents, in the absence of a clear position from the European data protection authorities.
This solution has the advantage of
- avoiding the “bottle-neck effect” in May 2018 when a GDPR compliant privacy information notice otherwise needs to be provided to the whole database (save for specific exceptions) and
- collecting GDPR compliant privacy consents during a period when fines provided by the European data protection regulation are not yet in place, on the understanding that if privacy authorities subsequently adopt a more “liberal” approach, this is easier than the need to recover further privacy consents.
With reference to the scenarios where legitimate interest can be relied on, we are also cautious, and are using it with reference to
- cases where no other legal basis can be used (e.g. on some matters concerning employees or with reference to the disclosure of personal data as part of M&A transactions);
- marketing profiling that is not invasive e.g. the clustering of customers on the basis of their age range;
- the usage of technologies that because of their nature require some level of profiling in order to properly work, in scenarios where there are other ways of for instance contracting a specific customer; and
- testing activities on real personal data that cannot be performed by using “synthetic data” as this would impact the reliability of the test.
What is your view on the above? Happy to discuss, and you may also find interesting my series of blog posts on the most relevant issues addressed by the GDPR.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.