Aolan Li*
*The author is a third-year PhD
candidate in Law at Queen Mary University of London. Her ongoing doctoral
thesis research delves into the application of Article 6(1)(f) of GDPR from a
comparative perspective. Email: aolan.li@qmul.ac.uk
A positive spirit has spread among business-side stakeholders across the EU since the Court of Justice of the European Union (CJEU) published its preliminary ruling in the Koninklijke Nederlandse Lawn Tennisbond case (C-621/22) on 4 October 2024, in which the court confirmed that a purely commercial interest could constitute a legitimate interest for processing personal data under Article 6(1)(f) of GDPR. Commentators go as far as to say – “what this means is that under the GDPR, your data can be used without your consent solely for a company’s commercial interests.”
The preceding saying is a total misunderstanding. The positive spirit should have been dampened when, on 9 October 2024, the European Data Protection Board (EDPB) published its new guidelines on Article 6(1)(f) for public consultation (hereafter the new EDPB guidelines).
Bearing in mind the optimistic bubbles in the market, this writing articulates the EDPB’s stringent stance on the application of Article 6(1)(f) of GDPR, focusing on what has changed compared to the Article 29 Data Protection Working Party’s opinion on the legitimate interest ground under Directive 95/46/EC (hereafter the WP29 Opinion).
General remark
The newly published EDPB guidelines
align with the WP29 Opinion in some basic stances. First and foremost, the
recognition of a legitimate interest is not itself sufficient to rely on
Article 6(1)(f) of GDPR as a legal basis (this is why the saying is misleading)
as there are three cumulative conditions for its application. Secondly, Article
6(1)(f) of GDPR should not be used “by default” nor as a “last resort”. The
open-ended nature of Article 6(1)(f) has a unique role in the EU data
protection law.
Not surprisingly, the new EDPB guidelines
also substantially update the WP29 Opinion.
The update is partially attributable to judgments of the CJEU issued after the adoption of the WP29 Opinion, including Rīgas (Case C-13/16), Fashion ID (C-40/17), TK (C-708/18), MICM (C-597/19), Meta v Bundeskartellamt (C-252/21), SCHUFA Holding (Joined Cases C-26/22 and C-64/22), and the latest, Koninklijke Nederlandse Lawn Tennisbond (C-621/22). Many practical examples in the new guidelines mirror scenarios disputed in the abovementioned cases. For instance, Example 4 is analogous to Rīgas.
Building upon more detailed case law, the new EDPB guidelines are more logical and clearly articulated. Unlike the WP29 Opinion, the new guidelines make efforts to draw a clearer line between the six grounds for legitimising data processing under Article 6(1) of GDPR. Also, the new guidelines follow the now well-accepted three-step approach to applying Article 6(1)(f), which was established by the CJEU in its judgment in Rīgas.
The update also corresponds to the evolution of the law itself (GDPR vs the Data Protection Directive). GDPR has strengthened data subject rights. It is worth noting the improvement of the right to object – a specific right for processing based on Article 6(1)(e) and (f) of GDPR – as the burden of proof has been reversed onto the controller. Also, GDPR and CJEU case law have elevated the reasonable expectations of data subjects to a more significant position in determining the application of Article 6(1)(f) of GDPR. Therefore, the new guidelines can be seen to enhance the position of data subjects accordingly.
Besides being consistent with legislative developments and the CJEU’s case law, the EDPB can be seen to add its own understanding to narrow down the scope of Article 6(1)(f) of GDPR; this is why I say the EDPB takes a stringent stance. The next part discusses this further.
Overall, the new guidelines have been compiled from rich and up-to-date sources and provide much more nuanced interpretations of Article 6(1)(f) of GDPR. However, one might lament that Part IV of the new guidelines hesitates to touch on the application of Article 6(1)(f) of GDPR in more complicated and controversial contexts. For example, its application in the credit scoring industry seems like a real-world need, as demonstrated in SCHUFA Holding, not to mention its silence on applying Article 6(1)(f) of GDPR in AI-related scenarios.
The writing below touches on the
substantial content of Article 6(1)(f) of GDPR. However, it does not intend to
sketch the 37-page guidelines reductively. Instead, it aims to highlight the
stringent stance of the new guidelines, read together with the Koninklijke
Nederlandse Lawn Tennisbond case.
The Three-Step Approach
As mentioned above, three cumulative conditions must be fulfilled to rely on Article 6(1)(f) of GDPR as a legal basis, together called the three-step approach: 1) the pursuit of a legitimate interest by the controller or by a third party; 2) the need to process personal data for the purposes of the legitimate interest(s) pursued; 3) the interests or fundamental freedoms and rights of the concerned data subjects do not take precedence over the legitimate interest(s) of the controller or of a third party (the new EDPB guidelines, p 2).
For the first step, the new
guidelines narrow down the scope of interests with respect to the controller’s
own interests and disentangle the third party’s interests from wider public
interests.
As has been widely reported, the qualifier “legitimate” is interpreted broadly, covering any interests that are not contrary to the law (Koninklijke Nederlandse Lawn Tennisbond, para 49).
However, drawing on the CJEU judgment in Meta v. Bundeskartellamt, the new guidelines stipulate that “as a general rule, the interest pursued by the controller should be related to the actual activities of the controller” (the new EDPB guidelines, para 19). It means that, within the meaning of Article 6(1)(f) of GDPR, a controller whose activity is economic and commercial in nature is only allowed to pursue economic and commercial-related interests.
Other legitimate but non-economic/commercial
interests might fall within the scope of interest(s) pursued by a third party.
The new guidelines clarify that the controller needs to demonstrate the
legitimate interest(s) are pursued by one or more specific third parties
(para 20-25) and should not be confused with broader public interests despite
the fact they can overlap, as seen in SCHUFA Holding.
Remarkably, the new EDPB guidelines indicate that relying on the interest(s) pursued by a third party in the first step generally makes it more challenging to pass the latter two steps (the necessity and balancing tests) than relying on the controller’s own interests (para 30).
For the second step, the
processing involved should be necessary for the purposes of that interest
identified in the first step, called the necessity test. The concept of
necessity has its own free-standing meaning in EU law. The controller must
demonstrate that there are no other reasonable, just as effective, but
less intrusive alternatives to achieve the pursued legitimate
interests.
Although the new EDPB guidelines give no example, the CJEU judgment in Koninklijke Nederlandse Lawn Tennisbond provides a least intrusive scenario in the direct marketing context. In brief, without asking for consent, a Dutch sports federation (KNLTB) sold its members’ personal data to its sponsors for the latter’s marketing purposes. The court considers it possible for KNLTB “to inform its members beforehand and to ask them whether they want their data to transmitted to those third parties for advertising or marketing purposes.” (para 51) The court considers that such a procedure would involve the least intrusion into data subjects’ rights and would comply with the data minimisation principle. As will be explained below, the proposed approach resonates with the right to object and controllers’ notification obligations.
For the third step, the
balance test entails a balancing of the controller side’s rights and interests
against those of the data subject side. The controller needs to ascertain, on a
case-by-case basis, that the processing at issue would not disproportionately
impact the data subject’s rights and interests.
One can observe the improved position of data subjects directly from the structures of the balancing test in the new EDPB guidelines and the WP29 Opinion (see the table below).

| Methodology for the balancing test under the new EDPB guidelines | Methodology for the balancing test under the WP29 Opinion |
|---|---|
| The data subjects’ interests, fundamental rights and freedoms. | Assessing the controller’s legitimate interest (e.g. exercise of a fundamental right; …). |
| The impact of the processing on data subjects, including … | Impact on the data subjects … |
| The reasonable expectations of the data subject. | Provisional balance. |
| The final balancing of opposing rights and interests, including … | Additional safeguards applied by the controller to prevent any … |
Although most of the content carries over, some points stand out.
Firstly, the reasonable expectation of the data subject has been elevated to an independent element. It goes beyond the controller’s notification obligation and highlights the data subject’s genuine understanding; as the new EDPB guidelines put it, more than the mere fulfilment of Articles 12, 13, and 14 is needed to consider that the data subject can reasonably expect the said processing (para 53).
Secondly, the mitigating measures, whether technical or organisational, within the meaning of Article 6(1)(f) of GDPR must go beyond the existing principles and obligations set out in the GDPR. In this sense, the new EDPB guidelines encourage controllers who intend to rely on Article 6(1)(f) of GDPR to pursue a higher level of personal data protection than their legal obligations require.
Data subject rights
A comprehensive review of the enhanced data subject rights under the GDPR goes beyond the subject matter of this writing. Returning to the least intrusive approach proposed in Koninklijke Nederlandse Lawn Tennisbond, this part of the writing articulates the significance of controllers’ notification obligations and data subjects’ right to object in the context of Article 6(1)(f) of GDPR.
The court considers that KNLTB can inform its members beforehand. KNLTB’s notification obligations are set out in Articles 13 and 14 of GDPR. Its members (data subjects) should be informed about, among other things, the legal basis of processing, the specific legitimate interests pursued by KNLTB or its sponsors, and data subject rights. According to Article 13(3), KNLTB should inform the members concerned prior to further processing.
The court also considers it good practice for KNLTB to ask the members concerned whether they want their data transmitted to third parties for advertising or marketing purposes. One might be puzzled by the reintroduction of “consent” in assessing Article 6(1)(f) of GDPR. In fact, the “ask” is better understood as informing the members concerned about their right to object under Article 21 of GDPR.
The right to object to direct marketing based on Article 6(1)(f) of GDPR is absolute. In other cases, however, the controller might have compelling legitimate grounds to override the objection. This involves another balancing test to determine whether the controller has a compelling legitimate ground. Unlike under Directive 95/46, the burden of proof is on the controller.
The new EDPB guidelines promote
the idea that the controller’s compelling legitimate grounds can only be
recognised in exceptional cases. The controller cannot circumvent the right to
object by merely showing that the processing would be beneficial to the
controller. Rather, the concept of compelling is understood as essential to the
controller.
From the preceding standpoint,
the right to object has been improved in favour of the data subject, and it is
not much inferior to the right to withdraw consent.
Concluding remarks
In conclusion, while the CJEU’s preliminary ruling in the Koninklijke Nederlandse Lawn Tennisbond case initially sparked optimism among business stakeholders by holding that purely commercial interests could qualify as legitimate under Article 6(1)(f) of the GDPR, this enthusiasm is misplaced. The EDPB’s new guidelines, still under consultation, underscore a more restrictive interpretation of the legitimate interest ground than the earlier WP29 Opinion, reinforcing the need for careful application and a balanced approach to personal data protection. This writing calls for a self-reassessment of GDPR compliance, in particular for controllers relying on legitimate interest as a main legal basis.