Why the GDPR ‘legitimate interest’ provision will not save you

Dr Johnny Ryan

The “legitimate interest” provision in the GDPR will not save behavioral advertising and data brokers from the challenge of obtaining consent for personally identifiable data.

As previous PageFair analysis illustrates, once the General Data Protection Regulation applies from 25 May 2018, personally identifiable data (PII) will become toxic except where it has been obtained and used with consent.


Even so, many advertising intermediaries believe that they can continue to use PII without consent because of an apparent carve-out related to “legitimate interest” contained in the GDPR. This is a false hope.

Legitimate interest

The GDPR does indeed provide for “legitimate interest” as a legal basis for using PII without obtaining consent.[1] A legitimate interest provision was also included in the previous Data Protection Directive 95/46/EC.[2] However, the GDPR now includes an explicit mention of direct marketing as a legitimate interest (in Recital 47),[3] which has lured many adtech businesses into the comfortable but erroneous supposition that they will not have to ask people for permission to use their PII.

A legitimate interest is a clearly articulated benefit to a single company, or to society as a whole,[4] that can be derived from processing PII in a lawful way.[5] However, the Article 29 Working Party of data protection authorities of EU countries has already made it clear that merely having a legitimate interest does not entitle one to use personal data.[6]

The objective of the “legitimate interest” provision is to give controllers “necessary flexibility for data controllers for situations where there is no undue impact on data subjects”.[7] The Article 29 Working Party cautioned that it is not to be used “on the basis that it is less constraining than the other grounds”.[8] In other words, it is not a get-out-of-jail-free card.

Under the Data Protection Directive that preceded the GDPR some EU countries viewed it as “an ‘open door’ to legitimize any data processing which does not fit in one of the other legal grounds.”[9] This will end with the GDPR, which harmonizes the approach across all the countries of the European Union.

The balancing test 

Article 6(1)(f) of the GDPR includes the following important caveat: “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”.[10] In other words, a business that intends to use PII must balance its legitimate interest not only against the rights of the data subject, which is a significant test in itself,[11] but also against the data subject’s interests, irrespective of whether those interests are themselves legitimate.[12] Any company that hopes to rely on legitimate interest also bears the onus of demonstrating that its interest prevails in such a balancing test.[13]

This is not a figurative exercise. The Article 29 Working Party cautions that the balancing test should be documented in such a way that data subjects, data protection authorities, and the courts can examine it.[14] It should encompass a broad range of factors[15] including “any possible (potential or actual) consequences of data processing”.[16] This would include, for example, “broader emotional impacts” and the “chilling effect on … freedom of research or free speech, that may result from continuous monitoring/tracking”.[17]

The test must also consider the manner in which PII is processed. For example,

“whether large amounts of personal data are processed or combined with other data (e.g. in the case of profiling…). Seemingly innocuous data, when processed on a large scale and combined with other data may lead to inferences about more sensitive data”.[18] 

Europe’s data protection authorities take a dim view of such large-scale processing:

“Such analysis may lead to uncanny, unexpected, and sometimes also inaccurate predictions, for example, concerning the behavior or personality of the individuals concerned. Depending on the nature and impact of these predictions, this may be highly intrusive to the individual’s privacy”.[19] 

A further factor in the balancing test is mentioned in Recital 47 of the GDPR: “…taking into consideration the reasonable expectation of data subjects based on their relationship to the controller”.[20] A business involved in digital advertising must ask the following question: Is it reasonable to assume that a regular person who peruses the web expects that their behavior is being tracked and measured, consolidated across devices, and that the results of these operations are being traded between different companies that he or she has never heard of, and retained for further trading and consolidation over considerable periods of time?

Behavioral advertising and data-brokering must be based on consent 

The legitimate interest provision in the GDPR sets a high bar. Indeed, the Working Party’s concern about the negative impacts of PII misuse is so broad as to encompass those that result from many cumulative actions, and where “it may be difficult to identify which processing activity by which controller played a key role”.[21] This is bad news for the cascade of cookie syncing and data trading typical of behavioral advertising.

The Article 29 Working Party has considered what a balancing test would yield where behavioral advertising is concerned. It concluded that “consent should be required, for example, for tracking and profiling for purposes of … behavioral advertising, data-brokering, … [and] tracking-based digital market research”.[22]

The Working Party regards the balance as follows: “the economic interest of business organizations to get to know their customers by tracking and monitoring their activities online and offline” must be balanced “against the (fundamental) rights to privacy and the protection of personal data of these individuals and their interest not to be unduly monitored”.[23]

Consent, and nothing short of it, is the necessary legal basis for processing personally identifiable data for behavioral advertising.

Two options  

Therefore, hundreds of adtech companies that cannot legitimately obtain the PII they depend on are facing a huge challenge. There are two categories of options.

Option 1. Invest heavily in obtaining consent

For the majority of advertising intermediaries this will require reaching an accommodation with publishers, who have direct and trusted relationships with end-users. Whatever this accommodation is, it is likely to tip the balance of power away from adtech and back in favor of publishers. Publishers may recover some of the marketing spend that they lost to the many advertising technology companies of the Lumascape in the shift to digital. As we have suggested previously, mergers with, or acquisition of, media properties may be one way for global advertising holding companies to buy trusted first-party relationships with end-users and to establish a means of requesting end-users’ consent.

Option 2. Avoid the GDPR’s liabilities and regulatory overhead with a no-PII approach

Programmatic and behavioral advertising are possible without personally identifiable data. A PII firewall can free brands and intermediaries from the GDPR’s new liabilities and regulatory overhead by anonymizing data while delivering relevant advertising.

We will be writing more about this.


Invitation:

RightsCon, Brussels, March 29, 5.15pm – 6.15pm

I will be on the EDRi panel at RightsCon, alongside representatives of the European Data Protection Supervisor and the IAB. Please come and say hello.


Notes

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Article 6, paragraph 1, f.

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Article 7 (f).

[3] “The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Recital 47.

[4] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 9 April 2014, p. 10.

[5] ibid., pp. 10-11.

[6] ibid., p. 25.

[7] ibid., p. 10.

[8] ibid., p. 3.

[9] ibid., p. 5.

[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Article 6, para 1 (f).

[11] Data protection is a fundamental right in European Law. Article 8 of The European Charter of Fundamental Rights enshrines the right of every citizen to “the protection of personal data concerning him or her”. The European Union Charter of Fundamental Rights, Article 8, paragraph 1. “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law”. The European Union Charter of Fundamental Rights, Article 8, paragraph 2.

[12] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 9 April 2014, pp. 9, 30.

[13] ibid., p. 52.

[14] ibid., pp. 43, 53-54.

[15] ibid., pp. 33, 50-51, 55-56.

[16] ibid., p. 37.

[17] ibid., p. 37.

[18] ibid., p. 39.

[19] ibid., p. 39.

[20] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, Recital 47.

[21] Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 9 April 2014, p. 37.

[22] ibid., p. 46.

[23] ibid.