Author:

Dr. Ulrich Baumgartner
LL.M. (King’s College London), CIPP/E | Partner

The power of “Legitimate Interest” – Why the most important legal basis in practice is still underestimated

In summary:

When the EDPB published its Opinion on data protection aspects of AI models shortly before Christmas (Opinion 28/2024), highlighting Art. 6(1)(f) GDPR as a legal basis in connection with AI models, this sparked a somewhat surprising discussion. Some practitioners seemed to realize only then the practical value of “legitimate interest”. In our experience over two decades, though, this legal basis has proved to be the most relevant and the most important one – in the AI context and beyond. In the following, we will briefly explain why.

1. Avoid Consent – Embrace Legitimate Interest

The numerous publications of the European data protection supervisory authorities on the legal basis of consent have created the impression that individual consent should be the primary legal basis under the GDPR. In fact, the European Court of Justice has repeatedly clarified that the order in which the various legal bases are listed in Art. 6(1) GDPR does not represent a “ranking” or other evaluation. In other words: From a formal point of view, legitimate interest as a legal basis is on par with consent or any other legal basis defined in Art. 6(1) GDPR. In practice, however, legitimate interest often proves to be superior to consent. The flurry of case law and regulator guidance on consent highlights the downsides of consent: Firstly, in view of the completely exaggerated requirements by regulators e.g., regarding “informed” consent, it is often extremely difficult to obtain (in such a manner that businesses can really rely on it). Secondly, consent can either be refused from the outset – or be withdrawn at any time for no reason, in which case this legal basis “disappears into thin air”. Also compared to other legal bases like Art. 6(1)(b) or (c) GDPR, legitimate interest has crucial advantages, first and foremost, a much broader scope of application.

2. A Closer Look

Largely unnoticed by some practitioners it seems, the European Court of Justice has clearly contoured Art. 6(1)(f) GDPR (and its largely similar predecessor provision in the old EU Data Protection Directive 95/46) over the last decade. It has defined a three-step test, with the existence of a “legitimate interest” only being the first of the three steps, to be followed by a thorough “necessity” test and finally a balancing of interest exercise. For all these steps, CJEU case law provides valuable guidance (most recently e.g., in the rulings “Meta Platforms” (C-252/21) and “Koninklijke Nederlandse Lawn Tennisbond” (C-621/22)). Even more recently, the CJEU addressed legitimate interest also in its “HTB” ruling (Joined Cases C‑17/22 and C‑18/22), a case in which our firm represented one of the parties in front of the CJEU.

Here is a closer look at the CJEU case law regarding each of these steps:

Step 1: A legitimate interest can be purely commercial (e.g., targeted advertising) provided it is not illegal.

Step 2: Although the CJEU demands a careful necessity test, the hurdles are not as high as regards necessity in the context of Art. 6(1)(b) GDPR. Looking at recent case law (e.g., C-252/21), controllers must show that there is no “less intrusive” alternative in connection with Art. 6(1)(f) GDPR (“necessary for the purposes of the legitimate interests pursued by the controller”) whereas the necessity bar is much higher in the context of Art. 6(1)(b) GDPR (“objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject”).

Step 3: Regarding the “balancing of interest”, the CJEU has repeatedly held that such “balancing of the opposing rights and interests at issue depends in principle on the specific circumstances of the particular case”. However, the Court also indicated which criteria controllers should consider, e.g., the reasonable expectations of data subjects, the “sensitivity” of the personal data processed, etc.

3. How to Apply “Legitimate Interest” in Practice

In practice, Step 1 is hardly an issue. Step 2 can be tricky, but usually it is possible to justify why a certain processing activity is without alternative and why the amount of personal data processed cannot be further reduced (think of the principle of data minimization here). Step 3 is where the magic happens. A well thought-out balancing of interests requires a 360-degree look at what the interests of data subjects might look like and how they might run contrary to the interest of the controller in the individual case. As mentioned, the criteria to look at are manifold: Some of them should be considered in every individual case (e.g., expectations of data subjects or categories of personal data concerned) while other criteria are only relevant in certain cases (e.g., length of (sub-)processor chain, options for data subjects to intervene/opt-out of the intended processing).

The beauty of legitimate interest lies in the fact that there is often room for creativity: The criteria for the balancing exercise are not all pre-defined (as is often the case with Art. 6(1)(b) or (c) GDPR) but can be shaped. A few examples:

• “Reasonable expectations” of data subjects can be influenced by clear information notices.

• Data subjects can be given control by granting opt-out rights.

• Retention periods can be adjusted.

And never forget: A detailed written documentation of all three steps is key!

4. Our Practical Experience and a Look Ahead

In our experience, Art. 6(1)(f) GDPR is a very “workable” legal basis and often provides a reliable justification. In fact, even if applied in complex scenarios or in “borderline cases” (e.g., where supervisory authorities’ guidance indicates that a certain processing is at least critical), our practical experience with legitimate interest has been consistently positive. In practice, it is extremely difficult for a supervisory authority or court to challenge a thought-out and well documented justification for “legitimate interest”. Therefore, companies should not be afraid to base even complex and critical processing operations on the legal basis of legitimate interest.

Finally, in the context of AI, legitimate interest will often be the only legal basis available – while consent or Art. 6(1)(b) and (c) GDPR will only exceptionally apply (which explains why the EDPB discusses legitimate interest over more than 12 pages in its Opinion 28/2024). Moreover, also in light of the EU Data Act, Art. 6(1)(f) GDPR will be front and center for both data holders and users when disclosing or accessing personal data.
