Andrew Leahey

GDPR and the "Legitimate Interests" Loophole

If you’d like to discuss the GDPR and how it impacts your business, get in contact.

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation outlining new policies for data privacy and protection for individuals within the EU. The regulation's stated aim is to protect a natural person's "fundamental right" of protection in relation to processing of personal data. In sum, the GDPR applies broadly to any entity controlling, collecting or processing data containing personal information regarding a person in the EU -- they need not be a resident of the EU or any member country. "Personal information" is defined broadly as well and includes names, photographs, addresses, email addresses, social media handles and posts and even an IP address. In essence, if you have a web presence or in any way process any data and you aren't explicitly excluding the EU from it, the GDPR applies to you.

However, as broad as the GDPR is, it contains an exception that threatens to swallow the rule:

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. ... The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Regulation (EU) 2016/679, Recital 47

In essence, processing personal information for a "legitimate interest" is permissible as long as it does not explicitly contravene the interests or expectations of the person the information belongs to. The regulation explicitly calls out direct marketing as a potential legitimate interest of the data processor (note the "may be regarded" language).

In addition to direct marketing, the GDPR outlines several more "legitimate interests" for processing, including: processing and transmitting data between affiliated data controllers for internal administrative purposes; processing data to the extent strictly necessary for the purposes of ensuring network and information security; and processing personal data for purposes compatible with those purposes for which the personal data were initially collected. Compatible purposes include archiving, processing for purposes in the public interest, and scientific, historic or statistical research. Additional potential compatible purposes should be evaluated by the data controller by balancing "any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations."

Overall, the GDPR is almost certain to upend the balance of power between consumers and corporations the world over. While the GDPR largely does away with the "disclaim game" in privacy policies, its scope is undercut by its exceptions. As businesses scramble to comply before the regulation becomes enforceable on May 25, 2018, time will tell how much of a game changer this latest move by the EU will be.