Legitimate interest and privacy consent, how to use them?
When legitimate interest can be used and the level of granularity of required privacy consent are among the open questions of the GDPR.
As part of the privacy audits that we are running for several clients to get them compliant with the European General Data Protection Regulation, a frequent scenario is that companies require a single consent for the processing of personal data for the delivery of marketing communications about their own products/services as well as those of third parties, and for the profiling of their customers. There is also considerable confusion on when and how legitimate interest can be relied on.
What consent is required under the GDPR?
The privacy consent under the GDPR needs to be
“freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The GDPR further clarifies that consent
“could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided”.
What is the level of granularity required?
The wording of the EU privacy regulation seems straightforward, but it leaves the door open to different interpretations on issues such as:
- Is it possible to obtain a single consent for different channels of communication?
- Is it necessary to obtain a consent for marketing communications of third parties’ products/services, even if the communications are sent by the data controller itself, without disclosing/communicating personal data to the third party?
- How shall third parties whose products/services are advertised be identified? Is it necessary to refer to their industry?
These questions were clarified in the past by data protection authorities such as the Italian privacy authority in its guidelines on direct marketing. But will these guidelines still be valid after the 25th of May 2018?
When is it possible to rely on legitimate interest?
Under the current data protection law, legitimate interest can be relied on in countries like Italy only with the express approval of the data protection authority. This restriction has led to limited usage of this legal basis, even though there are some interesting decisions on the usage of legitimate interest as the legal basis for customer profiling by telecom operators.
A higher level of flexibility is given by the GDPR which provides that
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller”.
The so-called “balancing test” needs to be run between the interests of the data controller and those of the affected individuals. The area of legitimate interest that raises the vast majority of questions is whether it can be used as the legal basis for the processing of personal data for direct marketing or even profiling purposes.
What is my view?
What we are currently recommending to clients is to immediately adopt a “transitional” privacy information notice that is compliant with both the current data protection law and the GDPR, with a prudent (but market-oriented and justified) approach to privacy consents, in the absence of a clear position from the European data protection authorities.
This solution has the advantage of
- avoiding the “bottleneck effect” in May 2018, when a GDPR-compliant privacy information notice would otherwise need to be provided to the whole database (save for specific exceptions), and
- collecting GDPR-compliant privacy consents during a period when the fines provided by the European data protection regulation are not yet in place, on the understanding that if privacy authorities subsequently adopt a more “liberal” approach, this is easier than having to collect further privacy consents later.
With reference to the scenarios where legitimate interest can be relied on, we are also cautious and use it only in cases where no other legal basis can be used (e.g. on some matters concerning employees, or with reference to the disclosure of personal data as part of M&A transactions).
What is your view on the above? Happy to discuss, and you may also find interesting my series of blog posts on the most relevant issues addressed by the GDPR.
As usual, if you found this article interesting please share it on your favourite social media.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.