What is legitimate interest?

Legitimate interest is one of the 6 legal bases that allow the processing of personal data under the General Data Protection Regulation (GDPR). It can also apply to the individual whose data is being processed, referred to as the data subject, as a basis for opting out of data processing.   

GDPR legitimate interest examples

While legitimate interest is considered the most flexible legal basis outlined in the GDPR for data processing, according to the GDPR recitals, it’s only applicable for limited purposes, including:

• Preventing fraud (Recital 47);
• Direct marketing (Recital 47);
• Transmitting personal data within the group of undertakings for internal administrative purposes (Recital 48);
• Processing of clients’ or employees’ personal data (Recital 48);
• Ensuring network and information security (Recital 49);
• Indicating possible criminal acts or threats to public security (Recital 50).

How do you assess legitimate interest?

There are three ways to assess legitimate interest according to the Information Commissioner’s Office (ICO): identifying the purpose of data processing, assessing its necessity, and weighing its benefits and risks. All three apply to data controllers and only the first applies to data subjects. 

The ICO offers the Legitimate Interest Assessment (LIA), a three-part test designed to determine whether something can be considered a legitimate interest. 

1. Purpose test

The purpose test helps determine the objective behind the processing of personal data. It involves identifying whether the purpose is lawful, fair, ethical, beneficial to the data controller, and well-defined.

2. Necessity test 

The necessity test assesses whether the data controller reasonably needs to process personal data in order to achieve the intended purpose. It poses questions such as:

• Can the purposes be achieved with less personal data?
• Can the purposes be achieved with less sensitive data?
• Can each aspect of the processing be justified in pursuit of the purpose?

3. Balancing test

The balancing test considers the benefits of data processing for the data controller and the interests and rights of the data subject. To pass the balancing test, the data collection must meet certain criteria: 

• What kind of data is being processed? Does it involve sensitive information, special category data, or vulnerable groups?
• Are reasonable expectations being met? For example, what kind of relationship has been established between the data collector and subject and have expectations been set?
• How may the data subject be impacted by data collection? What kind of safeguards will be put in place and will the data subjects be able to opt out?

Real life example of legitimate interest 

The ICO issued an enforcement notice against Experian, a credit reporting bureau, in 2020. The use of legitimate interest for the processing of data originally collected on the basis of consent was one of the violations alleged by the ICO. 

Experian had obtained personal data from a third party which had originally gotten consent for the data. In addition to using this data for credit reporting, Experian claimed legitimate interest to process the data for direct marketing. This failed the “reasonable expectations” portion of the balancing test as the ICO determined the data subjects wouldn’t expect such processing to occur and it might be considered intrusive. 

Experian then appealed the ICO’s decision at the UK’s First Tier (Information Rights) Tribunal in 2023. However, while the tribunal overturned other elements of the decision, they upheld the decision regarding legitimate interest. 

Can individuals opt out of data processing based on legitimate interests?

While companies and organizations can rely on legitimate interest to process data, individuals can also use legitimate interest to opt out as it grants the “right to object.” This isn’t applicable in every case, however. The individual must be able to demonstrate that their right to object outweighs the data collector’s interests. 

The only case in which data subjects always have the right to opt out is data processing for the purpose of direct marketing. 

What does legitimate interest mean for cookies?

When it comes to cookies, legitimate interest can be used to bypass the legal basis of consent to collect personal data. These types of cookies are known as legitimate interest cookies and can collect data for reasons such as enhancing user experience, fraud prevention, and security.

The use of cookies in the EU is controlled by the GDPR and the ePrivacy Directive. The GDPR limits data processing through cookies while the ePrivacy Directive controls how cookies are used directly. Therefore, though the GDPR may allow cookies to be used on the basis of legitimate interest, the ePrivacy Directive prohibits the use of cookies without consent unless they are technical or strictly necessary. 

Legitimate interest vs consent 

Both legitimate interest and explicit consent are among the 6 legal bases for data processing under Article 6(1) of the GDPR. All the cases, except for consent, require data processing to be deemed necessary for a relevant purpose. Therefore, legitimate interest requires the data processor to have a legitimate purpose, while consent requires only permission from the data subject. 

The full list of legal bases for data processing under the GDPR includes:

• Consent
• Contract
• Legal obligation
• Vital interests
• Public task
• Legitimate interests

FAQ

Updated on: July 27, 2023