- From: Eva Schlehahn <uld67@datenschutzzentrum.de>
- Date: Thu, 8 Nov 2018 12:21:03 +0100
- To: public-dpvcg@w3.org
- Message-ID: <509285cd-c8a6-5cee-4140-0b563f0dc2a0@datenschutzzentrum.de>
Dear all,
I'd like to provide some clarifications and explanations why at first
glance, legitimate interest seems to be the easiest legal ground (this
is what the industry thinks), and why when having a closer look, it
turns out as actually the most tricky one. Be prepared, this might
become a longer read in this email. So just tackle it when you have time
and interest to delve into a deeper understanding of this concept. :-)
Tl;dr at the beginning: Legitimate interest is not what industry thinks. ;-)
Okay, here I go with the details:
From Art. 6 para (1) f GDPR, it can be seen that the processing of
personal data as an exercise of a controller’s or third party’s interest
is bound to specific preconditions. These preconditions are:
1. Existent legitimate interest of controller or a third party
2. Necessity of personal data for this legitimate interest
3. No overriding interests or fundamental rights and freedoms of the
data subject, especially when the data subject is a child
Here is a bit more in-depth information on what this is about:
*_1.) Existent legitimate interest of controller or a third party_*
First, it is required that the intended personal data processing is
necessary to exercise a legitimate interest of the controller or a
third party. Since ‘interest’ is a rather vague legal notion, it is to
some extent open to interpretation. The only limitation occurs through
the adjective ‘legitimate’, which may be interpreted as referring to all
kinds of interests that are not unlawful and not inexplicable.
Therefore, any type of interest which is in some way legally protected
in any form can be considered. In this context, it must be noted that
typically, all activities not forbidden by criminal law or any other
prohibition can fall within the scope of some fundamental rights
protection. So it must be assumed that the term ‘legitimate interest’
can include legal, economic, or immaterial interests as well.
Crt provided the link to the ICO website information. I'd like to point
out that the ICO highlights that the reasonable expectations of a data
subject play a role with regard to the time and context of the data
collection and processing. At first look, this aspect seems to be
connected to the weighing of interests (step 3 in the list above). So it
could eventually be assumed that the data subject’s expectations are not
so much related to the question whether the controller’s interest is
legitimate but must be paid attention to in a later step during the
balancing of interests. However, the ICO has in several cases taken the
expectation of the data subject into account already at this step.
*_2.) Necessity of personal data for this legitimate interest_*
In order to be necessary, the personal data processing must first be
suitable to serve the legitimate interests at all. So in turn, this
means that if the personal information intended for collection and
processing is not suitable to achieve the interest, it must be
considered as not necessary.
Essentially, the evaluation of necessity is related to the principle of
data minimization as laid down in Article 5 para. 1 (c) GDPR, which says:
‘1. Personal data shall be:
[…]
(c) adequate, relevant and limited to what is necessary in
relation to the purposes for which they are processed (‘data
minimisation’);’
According to this principle, the necessity is only given if the
legitimate interest cannot be realized to the same extent with a less
intrusive data collection and processing. This also means that not only
the means of the processing, but also the types of the data are relevant
for this assessment.
In this context, the case law of the European Court of Human Rights
plays a role, since there are a number of judgements where the court has
substantiated this principle further. In the Handyside v. The United
Kingdom case, the ECtHR clarified that the adjective ‘necessary’ is not
to be seen as ‘[…] synonymous with "indispensable" [...], neither has
it the flexibility of such expressions as "admissible", "ordinary" [...]
"useful" [...], "reasonable" [...] or "desirable".’ In another
decision, the ECtHR said that based on the considerations of this
earlier ruling, ‘that it implies the existence of a "pressing social need"’.
On the basis of these court rulings, the Article 29 Working Party (that
is the predecessor entity of the now established European Data
Protection Board) has drawn the following conclusions:
‘This is important, as it means that ‘necessity’ should not be
interpreted too broadly, as this would make it easier for fundamental
rights to be circumvented. Nor should it be interpreted too literally,
as this would set too high a bar and make it unduly difficult
for otherwise legitimate activities which may justifiably interfere with
fundamental rights to take place.’
The scope of the necessity assessment has been and still is subject to
many legal discussions. Regardless of this debate, it must be considered
that each personal data processing, even with legal ground, also must
comply with the general data protection principles of Article 5 para. 1
GDPR. Therefore, it is thinkable that a processing may be justified on
the basis of legitimate interest according to Art. 6 para. 1 (f) GDPR,
yet still violates the data minimization and the purpose limitation
principles.
In any case, controllers are well advised to exercise the considerations
in the context of legitimate interest in earnest, since they are subject to
the scrutiny of the data protection supervisory authorities and judicial
review.
*_3.) No overriding interests or fundamental rights and freedoms of the
data subject, especially when the data subject is a child_*
As a next step in the analysis, it would need to be determined whether the
controller’s interests are overridden by the interests or fundamental
rights and freedoms of the data subject concerned. This requires a
weighting of interests, which requires particular care in cases when the
data subject is a child.
The controller is the party who needs to demonstrate compliance with the
provisions of the GDPR, including the justification of the processing,
whereas the supervisory authorities are tasked with the responsibility
to monitor the application of the GDPR. Therefore, the onus of proof
that the processing is justified does not lie within the domain of the
data subject.
The reasonable expectations of the data subjects play a role when
balancing the interests. Recital 47 sentence 4 GDPR states:
‘The interests and fundamental rights of the data subject could in
particular override the interest of the data controller where
personal data are processed in circumstances where data subjects do not
reasonably expect further processing.’
In this context, the following factors might be decisive:
* Categories of personal data concerned (e.g. tricky in cases of
sensitive data concerned)
* Consequences or impact of the data processing on the data subject
* The scope of data collection (tricky in cases of extensive profiling)
* Personal data of children concerned
* Mitigating factors (like the implementation of efficient and
encompassing safeguards, i.e. technical + organizational measures)
In any case, the data subject has a right to object to the processing of
his/her personal data at any time according to Article 21 para. 1 GDPR.
The consequence of an objection is that no further processing can occur
and that the data must be deleted (Article 17 para. 1 (c) GDPR), unless
the controller provides compelling legitimate grounds which
override the interests, rights and freedoms of the data subject. The
only other cases of exemption are the establishment, exercise or defence
of legal claims. Additional information obligations toward the data
subject exist (I won't go into more detail here).
Some methodologies to conduct the weighting of interests in the context
of data protection impact assessments exist. Nonetheless, the whole
affair remains a highly tricky and difficult matter even for trained
lawyers.
In any case, the controller needs to document the whole assessment to
demonstrate compliance (Article 5 para. 2 GDPR). Consequences of a
missing documentation might be regarded by e.g. a data protection
supervisory authority as negligence and compliance failure.
Phew, that's it. Oof. Kudos to everyone who read until this point! :-D
I apologize for making this explanation so long, but I wanted to make a
point why the industry is misled when they think legitimate interest
could be a big-scoped and easy legal basis for their business interests.
In fact, I think those companies who ground their processing on this,
might get a rather rude awakening by authorities and courts at some
point. And then they have a problem.
For our DPVCG, I think it does not make sense to try to capture
sub-terms associated to legitimate interest.
As you can see from my explanations above, most of it is subject to
interpretation, a lot of 'what if's', case-by-case assessments, and
possibly court decisions sometime in the future.
I'd suggest just adding 'legitimate interest' as a term to the taxonomy's
collection of legal grounds. The controller company then has to take
its own additional organisational measures to document why they think
this is a valid legal ground for them.
Greetings,
Eva
On 08.11.2018 at 11:12, Črt Ahlin wrote:
> Hello,
>
> There is a detailed description of "legitimate interests" scenarios etc. in:
> https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/
>
> Before using it as the basis for data processing, you should weigh benefits
> you get vs the impact on individual's rights via a "legitimate interest
> impact assessment":
> https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/
>
> Hope this helps
> Best,
> Crt
>
>
> On Thu, Nov 8, 2018 at 10:53 AM Harshvardhan J. Pandit <me@harshp.com>
> wrote:
>
>> Thanks for the lucid clarifications Eva & Rigo!
>> So, coming as a non-legal layman, legitimate interest can be defined as
>> something upon which the provision of business/service/goods is based
>> on, and without which it cannot be provided/operated. And this should
>> not override the fundamental rights of the data subject as clarified by
>> the GDPR.
>>
>> However, I have found it very tricky to determine if something can be
>> classified as legitimate interest or not (makes sense, I don't have a
>> law degree), especially when looking at privacy policies that specify
>> some personal data as being "necessary".
>>
>> For the DPVCG, would we like to delve deeper to also provide a taxonomy
>> to specify terms associated with legitimate interest? And so forth,
>> for other legal bases?
>>
>> I think this would postpone the first draft due to the work involved,
>> but can be something to note down, and perhaps work later?
>>
>> Best,
>> Harsh
>>
>> On 07/11/18 8:48 PM, Rigo Wenning wrote:
>>> On Wednesday, November 7, 2018 9:11:53 AM CET Eva Schlehahn wrote:
>>>> Second, they cannot simply diminish the data subject's right to
>>>> object wrt the direct marketing purposes. Article 21 para. 2 GDPR
>>>> explicitly says that the data subject *always* has a right to
>>>> object when data are processed for direct marketing purposes at
>>>> any time. This also affects any profiles that were built in the
>>>> context of such direct marketing.
>>> Adding to Eva...
>>>
>>> The cool part is that if you send them a DNT:1, you objected
>>> according to Art. 21 (5) GDPR, which is pretty powerful. In that
>>> case they can't overwrite the user's will with "legitimate
>>> interest".
>>>
>>> Legitimate interest is certainly not the legitimate interest of one
>>> party only. That would be easy as that would mean no GDPR
>>> whatsoever. Or every data collector could just define a "legitimate"
>>> interest in data collection and ignore the data subject. I don't
>>> think the main stream interpretation would support that ...
>>>
>>> --Rigo
>>>
>> --
>> ---
>> Harshvardhan J. Pandit
>> PhD Researcher
>> ADAPT Centre, Trinity College Dublin
>> https://harshp.com/
>>
>>
Received on Thursday, 8 November 2018 11:21:37 UTC