The draft guidelines provide further clarification of the EDPB’s interpretation of legitimate interests, and suggest a potential divergence with the UK ICO.

By Gail Crawford, Fiona Maclean, Myria Saarinen, Tim Wybitul, Alice Brunning, and Calum Docherty

On 8 October 2024, the European Data Protection Board (EDPB) released draft Guidelines 1/2024 (the Guidelines) setting out its approach to processing personal data based on the “legitimate interests” legal basis in Article 6(1)(f) of the GDPR. The Guidelines follow a recent Court of Justice of the European Union (CJEU) judgment affirming that legitimate interests can include commercial interests, and update the previous WP29 Opinion 06/2014 on this critical topic for businesses.

Reminder: Overview of Legitimate Interest Test

Under the GDPR, controllers need a lawful basis to process personal data. “Legitimate interests” is one of the legal bases available in the exhaustive list in Article 6(1), and is widely considered the most flexible legal basis for processing personal data. The Guidelines reiterate and build on the three-part legitimate interests assessment, recently re-affirmed by the CJEU, which requires the following:

  1. Legitimate Interest: The pursuit of a legitimate interest by the controller or by a third party
  2. Necessity Test: The need to process personal data for the purposes of the legitimate interest(s)
  3. Balancing Test: The interests or fundamental freedoms and rights of the concerned data subjects must not override the legitimate interest(s) pursued by the controller/third party, in particular if the data subjects are children

What Is a “Legitimate Interest”?

The Guidelines clarify that an interest can be regarded as “legitimate” if it is lawful, clearly and precisely articulated, and real and present (i.e., it is not speculative or hypothetical). The Guidelines also identify some common commercial use cases as examples of data processing that may be regarded as “legitimate”, including data processing for fraud prevention and for certain direct marketing purposes (see below for further detail). This follows the recent CJEU judgment that a commercial interest of the controller could constitute a legitimate interest, provided it is lawful. However, the EDPB stresses the need for a case-by-case assessment of whether the controller’s or third party’s interest meets the requirements set out by the CJEU.

Interestingly, this differs from draft UK proposals under the proposed Data (Use and Access) Bill, which introduces a limited schedule of “recognised” legitimate interests that can be relied upon without the need to apply the balancing test. The Data (Use and Access) Bill also lists certain other use cases which “may” constitute legitimate interests — including direct marketing, intra-group data sharing for administrative purposes, and IT system security — though the legitimate interest assessment must still be applied in full in each case.

Approach to the Necessity Test

The Guidelines, while referencing various CJEU cases, clarify that the processing must be necessary (and not simply useful) to pursue the legitimate interest, meaning that there are no other reasonable, equally effective but less intrusive options available. The EDPB also notes that necessity must be considered alongside the data minimisation principle under the GDPR, i.e., the processing must be the minimum data processing necessary to achieve the legitimate interest. Finally, the EDPB also notes that it may be easier to show that the processing is necessary to pursue the interests of the controller itself as opposed to the interests of a third party. This strict interpretation could suggest some divergence with the UK Information Commissioner’s Office (ICO), which recommends that data processing should be “targeted and proportionate” to achieve its purpose (please refer to this ICO guidance for further information).

Approach to the Balancing Test

To complete the three-part assessment, the Guidelines state that controllers should identify the fundamental rights and interests that may be affected by the data processing and evaluate its impact on the data subject. This assessment is fact-dependent and aims to avoid disproportionate impact on data subjects.

The Guidelines emphasise that children require special protection in data processing as they are less aware of associated risks, and therefore controllers should recalibrate the balancing test if the data subjects are children. In cases of conflict between a controller’s legitimate interests and a child’s interests or fundamental rights, the latter generally prevails, and controllers must ensure (and be able to demonstrate) that they have taken the child’s best interests into account as a primary consideration. When considering a child’s interests, the Guidelines state that controllers should consider that this assessment may vary significantly across different age groups and for children with disabilities.

Data Subject Rights

The Guidelines also detail the relationship between the legitimate interests legal basis and data subjects’ rights. For the right to object, the Guidelines set out that controllers must demonstrate “compelling legitimate grounds” to continue data processing despite the data subject’s objections. This requires more than repeating the balancing test; it is a case-by-case assessment, requiring a stronger justification to override a specific objection while considering the individual’s particular concerns.

The Guidelines also acknowledge that the right to erasure is often closely related to the right to object. A controller cannot deny a data subject’s request merely because it is unclear or lacks a specific reference to either of these rights. Instead, the Guidelines highlight that the indications provided by the data subject, along with the context of the request, should be considered for the controller to appropriately address the request.

Processing for Direct Marketing Purposes

The Guidelines also clarify that for direct marketing purposes, Article 13(1) and Article 5(3) of the ePrivacy Directive (ePD) mandate obtaining consent in relation to, respectively, electronic marketing and the use of cookies and similar tracking technologies (subject to certain exceptions). The Guidelines confirm that consent is likely the appropriate legal basis for data processing related or subsequent to such marketing or use of cookies, typically precluding reliance on the legitimate interests legal basis. However, as with reliance on legitimate interests more generally, controllers should assess this legal basis on a case-by-case basis for their marketing activities.

Practical Implications

The Guidelines are open for public consultation until 20 November 2024. After this period, the EDPB will release a final version (which is not expected to change significantly from the current draft). The Guidelines do not suggest any material shift in the requirements around the legitimate interests legal basis, and do not explicitly preclude reliance on legitimate interests in any specific scenarios. The Guidelines do, however, provide detailed guidance on the EDPB’s interpretation of this legal basis, including in relation to common use cases (such as direct marketing, IT security, or use of children’s data). This may be helpful to organisations seeking to rely on legitimate interests — as a commonly used and relatively flexible legal basis — but facing potentially complex assessments of the necessity test and the balancing test in practice.

In the UK, the ICO has not indicated any intention to adopt additional guidelines to clarify its approach to legitimate interests. Whether the EDPB and the ICO will diverge further in this context remains to be seen.

The EDPB is silent in the Guidelines on the hot topic of legal bases for web scraping for AI training purposes and broader AI activities. It is, however, expected to issue guidance on data protection issues around generative AI web scraping before the end of next year, which may cover the topic of legal bases for such activities. The ICO is also expected to issue guidance on legal bases for web scraping for AI training later this year or in early 2025, following its series of consultations exploring the application of data protection law to generative AI.

This post was prepared with the assistance of Christine Tun in the London office of Latham & Watkins.