Introduction: the EDPB’s approach
Article 6(1)(f) allows for data processing when it serves the legitimate interests of the controller or a third party, provided that these interests are not overridden by the data subject’s interests, rights and freedoms. The Guidance provides valuable interpretative indications which will help organisations navigate this fundamental and yet complex aspect of data protection law while supporting their data strategies.
While Article 6(1)(f) is often considered the most flexible legal basis, the EDPB stresses that this lawful ground should be interpreted restrictively and not be seen as an “open door” to legitimise any processing that does not fall under one of the other lawful bases, or as the default option used by controllers to avoid more constraining options. The Guidance encourages controllers not to view it as a “last resort” for rare or unexpected situations where other legal bases for processing personal data do not apply, but rather to use it responsibly, by carefully assessing its applicability to each processing activity and purpose.
Conditions to lawfully rely on legitimate interests
To rely on this legal basis for processing, data controllers must address three fundamental questions (and, in line with the accountability principle, document the answers in a ‘legitimate interests assessment’). While this three-staged approach is nothing new, as it had already been codified by the CJEU prior to the GDPR coming into force1, the Guidance applies the most recent CJEU jurisprudence on the topic and offers some new inputs as to how each step of the assessment should be interpreted.
Is the interest legitimate?
There is no clear definition or exhaustive list of what might be considered ‘legitimate’, however the Guidance is clear that to be regarded as ‘legitimate’, an interest must be lawful, clearly and precisely articulated, and real and present (as opposed to merely speculative). The EDPB refers to the jurisprudence of the CJEU which has recognised several interests as (potentially) legitimate – notably, among others, having access to information online, product improvement, assessing the creditworthiness of individuals and, most recently, purely commercial interests (see our blogpost here).
The Guidance also stresses how the legitimate interest can be pursued by the controller or a third party, and provides practical indications as to the main contexts where personal data may be processed in the interest of a third party, such as to defend a legal claim. The Guidance makes clear that interests of third parties should not be confused with interests of the community as a whole, although in practice there may be cases where interests pursued by the controller or a third party may also serve broader interests.
Is the processing necessary?
The processing must be strictly necessary (and not merely useful) to pursue the legitimate interest. In line with the data minimisation principle, if the controller has reasonable, but less intrusive, alternatives, then the processing is unlikely to be considered necessary. The EDPB notes that, in practice, it may be easier to show that the processing is necessary to pursue the interests of the controller itself as opposed to the interests of a third party.
Is the controller’s interest overridden by the interests or fundamental rights and freedoms of the individuals?
The “balancing test” between the controller's interest and the individuals’ interests, fundamental rights and freedoms must be rigorous and transparent and will always be fact-dependent. Helpfully, the Guidance stresses that the purpose of this exercise is to avoid disproportionate (as opposed to any) impact on data subjects.
The EDPB lists, in a very detailed way, the main aspects that controllers need to analyse as part of the balancing exercise, which notably include the context and consequences of the processing (on the basis of the specific circumstances of the case), as well as the reasonable expectations of the individuals (i.e. ensuring that they are not surprised by how their data is processed). This not to be confused, according to the EDPB, with what is common practice in certain sectors. The Guidance stresses the importance of this assessment when controllers intend to rely on Article 6(1)(f) to process children’s data – the regulators’ view is that the interests of minors will “very often” outweigh the interests of controllers.
Where the balancing test indicates that the controller’s interests may be overridden by the individuals’ interests, the former can implement mitigating measures and safeguards (which should go beyond mere compliance with the obligations under the GDPR) to reduce the impact on data subjects (and then perform a new balancing test).
Data subject rights
The Guidance also includes a very detailed section on the interplay between the legitimate interests ground and data subject rights. It reminds controllers that the provisions on data subject rights apply mandatorily, and provides guidance as to how those rights are to be interpreted in the context of legitimate interests. The Guidance stresses how controllers must precisely identify and communicate to data subjects the specific legitimate interest(s) pursued as part of their transparency obligations.
Further, the Guidance focusses on the right to object, and explains that the concept of overriding “compelling legitimate grounds”, that would take precedence over the interests, rights and freedoms of the data subjects who submitted the request, implies a higher threshold compared to the balancing test above. The EDPB clarifies that it is the controller who must prove that the legitimate grounds at stake are essential, and as such can be considered compelling, while showing that the processing would simply be beneficial to the controller would not be sufficient.
The Guidance highlights how the right to erasure is closely linked to the right to object and how this could lead to practical uncertainty when it comes to addressing data subject rights requests. In this regard, the EDPB suggests that the controller should assess the indications of the data subject as well as the context of the request to establish what action should be taken to honour it.
Practical application
The Guidance also provides interpretative guidance on the contextual application of the legitimate interests ground to certain scenarios. One example the EDPB specifically calls out is direct marketing, for which controllers often try to rely on legitimate interests but which requires a careful evaluation of necessity and impact on the consumer. Another notable one is the disclosure and transfer of personal data to a third country authority.
Interestingly, the Guidance is silent in relation to the possibility of relying on legitimate interests for web-scraping in the context of algorithmic training and generative AI (or indeed, AI more generally). However, the conditions for engaging this lawful basis for processing do not exclude the possibility for organisations to do so, depending on the specific use case and having carried out a robust legitimate interest assessment. In any case, the EDPB Work Programme 2024-2025, published simultaneously to the Guidance, indicates that dedicated guidelines on generative AI-data scraping will be issued by the end of next year, and they will likely address more specifically the use of legitimate interest in that context.
What’s next
The Guidance is subject to public consultation until 20 November 2024. Following the consultation process, the EDPB will issue a final version of the Guidance, which will become the formal interpretation of this key lawful ground by all data protection regulators represented by the EDPB. It is probably fair to say that the essence of the Guidance will not change and therefore, the current draft already provides a fairly definitive view of the rigorous but practical regulators’ thinking in this area.
1/ With regard to Article 7(f) of Directive 95/46, in judgment of 4 May 2017, Rīgas satiksme, C‑13/16, EU:C:2017:336, paragraph 28.
Authored by Eduardo Ustaran, Giulia Mariuz, Sara Marinoni, and Julia Kelly.
