Legitimate interest under the GDPR continues to be one of the most used, and most misunderstood, legal bases. But what are the most relevant issues to be addressed, and how to use it properly?
The recent digest published by the European Data Protection Board offers a very clear message: the issue is not whether legitimate interest can be used, but how it is applied in practice. And if you look at recent enforcement trends, including decisions of the Italian data protection authority, Garante per la protezione dei dati personali, the direction is consistent.
What Legitimate Interest under the GDPR Really Requires
Under Article 6(1)(f) GDPR, legitimate interest relies on a three-step test:
- a legitimate interest must exist
- the processing must be necessary
- the interest must not be overridden by the rights of individuals
This looks simple in theory.
In practice, it is one of the most complex legal bases to operationalise.
The EDPB digest, which analyses more than 60 One-Stop-Shop decisions, confirms that legitimate interest can cover a wide range of scenarios, from fraud prevention to marketing and even AI development. But that flexibility comes at a cost: a much higher burden of justification.
Why Legitimate Interest under the GDPR Keeps Failing
1. No real Legitimate Interest Assessment (LIA)
The first recurring issue is procedural. Many companies simply do not carry out a proper LIA before starting the processing. And this is where things already break. Supervisory data protection authorities are very clear: the assessment must be done ex ante, not reconstructed after the fact.
2. Interests described in generic terms
Another pattern I see very often in practice, and that the digest confirms, is the use of vague purposes:
- “improving services”
- “measuring performance”
- “enhancing user experience”
These formulations do not work. Regulators expect the legitimate interest to be clearly and precisely articulated, otherwise the entire test collapses.
3. The necessity test is underestimated
Even when the interest is accepted, controllers often fail to show that the processing is necessary. Authorities are increasingly asking a very simple question: Could you achieve the same result in a less intrusive way? In some cases, the answer is yes—and that is enough to invalidate the legal basis.
4. The balancing test is where most cases are lost
This is the real battleground. The analysis is not theoretical. It is based on how the processing is perceived by the individual.
Key factors include:
- reasonable expectations
- level of transparency
- actual impact on the data subject
If the processing is unexpected, opaque or too intrusive, legitimate interest will not hold.
The Position of the Garante on Legitimate Interest
What is particularly interesting is how closely recent decisions of the Italian data protection authority, the Garante per la protezione dei dati personali, align with this approach. In several cases, the Garante has challenged:
- the insufficient level of detail of LIAs
- the use of boilerplate or generic assessments
- the lack of a real, documented balancing test
The key message is quite pragmatic: a formal LIA is not enough. It must be specific, reasoned and evidence-based.
In other words, simply stating that a legitimate interest exists is not sufficient. You need to demonstrate:
- what the interest actually is
- why the processing is necessary
- how the impact on individuals has been assessed
- which safeguards have been implemented
This is where many organisations are still exposed.
Can You Switch to Legitimate Interest Later?
Another point clarified by the EDPB digest is particularly relevant in practice. Trying to rely on legitimate interest after another legal basis has failed is, in most cases, not acceptable. Why? Because it undermines:
- transparency obligations
- the right of individuals to object
There are limited exceptions, but they remain just that: exceptions. Besides, the position of the Garante is that it is not possible to list multiple legal bases for the same data processing without specifying in detail when each legal basis applies.
Legitimate Interest and AI: A Growing Risk Area
This topic becomes even more relevant when we look at AI systems. Legitimate interest is often used in AI-related processing because of its flexibility. But that flexibility can be misleading. AI projects typically involve:
- evolving purposes
- large-scale data reuse
- difficulty in assessing impact upfront
All of these elements make the necessity and balancing tests more complex. From what I see, this is exactly where the gap between legal theory and operational reality is still too wide.
Legitimate Interest Is a Governance Issue
The takeaway is quite clear. Legitimate interest under the GDPR is not the “easy option”. It is one of the most demanding legal bases from a governance perspective. The shift we are seeing, both at EDPB level and in decisions of the Garante, is towards a much more substantive assessment. This means:
- moving beyond templates
- integrating LIA into internal processes
- aligning legal analysis with technical design
Because today, the real risk is not choosing the wrong legal basis. It is assuming that legitimate interest requires less work than the others.
On a similar topic, you can read the article “AI Training Based on Legitimate Interest: Is the Digital Omnibus Proposal Enough?”.