What is legitimate interest?
Legitimate interest is one of the 6 legal bases that allow the processing of personal data under the General Data Protection Regulation (GDPR). It can also apply to the individual whose data is being processed, referred to as the data subject, as a basis for opting out of data processing.
GDPR legitimate interest examples
While legitimate interest is considered the most flexible legal basis outlined in the GDPR for data processing, according to the GDPR recitals, it’s only applicable for limited purposes, including:
- Preventing fraud (Recital 47);
- Direct marketing (Recital 47);
- Transmitting personal data within the group of undertakings for internal administrative purposes (Recital 48);
- Processing of clients’ or employees’ personal data (Recital 48);
- Ensuring network and information security (Recital 49);
- Indicating possible criminal acts or threats to public security (Recital 50).
How do you assess legitimate interest?
There are three ways to assess legitimate interest according to the Information Commissioner’s Office (ICO): identifying the purpose of data processing, assessing its necessity, and weighing its benefits and risks. All three apply to data controllers and only the first applies to data subjects.
The ICO offers the Legitimate Interest Assessment (LIA), a three-part test designed to determine whether something can be considered a legitimate interest.
- Purpose test
The purpose test helps determine the objective behind the processing of personal data. It involves identifying whether the purpose is lawful, fair, ethical, beneficial to the data controller, and well-defined.
- Necessity test
The necessity test assesses whether the data controller reasonably needs to process personal data in order to achieve the intended purpose. It poses questions such as:
- Can the purposes be achieved with less personal data?
- Can the purposes be achieved with less sensitive data?
- Can each aspect of the processing be justified in pursuit of the purpose?
- Balancing test
The balancing test considers the benefits of data processing for the data controller and the interests and rights of the data subject. To pass the balancing test, the data collection must meet certain criteria:
- What kind of data is being processed? Does it involve sensitive information, special category data, or vulnerable groups?
- Are reasonable expectations being met? For example, what kind of relationship has been established between the data collector and subject and have expectations been set?
- How may the data subject be impacted by data collection? What kind of safeguards will be put in place and will the data subjects be able to opt out?
Real life example of legitimate interest
The ICO issued an enforcement notice against Experian, a credit reporting bureau, in 2020. The use of legitimate interest for the processing of data originally collected on the basis of consent was one of the violations alleged by the ICO.
Experian had obtained personal data from a third party which had originally gotten consent for the data. In addition to using this data for credit reporting, Experian claimed legitimate interest to process the data for direct marketing. This failed the “reasonable expectations” portion of the balancing test as the ICO determined the data subjects wouldn’t expect such processing to occur and it might be considered intrusive.
Experian then appealed the ICO’s decision at the UK’s First Tier (Information Rights) Tribunal in 2023. However, while the tribunal overturned other elements of the decision, they upheld the decision regarding legitimate interest.
Can individuals opt out of data processing based on legitimate interests?
While companies and organizations can rely on legitimate interest to process data, individuals can also use legitimate interest to opt out as it grants the “right to object.” This isn’t applicable in every case, however. The individual must be able to demonstrate that their right to object outweighs the data collector’s interests.
The only case in which data subjects always have the right to opt out is data processing for the purpose of direct marketing.
When it comes to cookies, legitimate interest can be used to bypass the legal basis of consent to collect personal data. These types of cookies are known as legitimate interest cookies and can collect data for reasons such as enhancing user experience, fraud prevention, and security.
Legitimate interest vs consent
Both legitimate interest and explicit consent are among the 6 legal bases for data processing under Article 6(1) of the GDPR. All of the cases, with the exception of consent, require data processing to be deemed necessary for a relevant purpose. Therefore, legitimate interest requires the data processor to have a legitimate purpose, while consent requires only permission from the data subject.
The full list of legal bases for data processing under the GDPR includes:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
What is the meaning of legitimate interest?
Legitimate interest is a valid reason for data controllers to process data and is one of the 6 legal bases outlined in the GDPR that allow data processing. If the data controller can demonstrate legitimate interest, it doesn’t require consent from the data subject.
What are examples of legitimate interests?
Examples of legitimate interests include the processing of personal data for direct marketing purposes, fraud prevention, information security, and improving user experience.
What is the difference between consent and legitimate interest?
Consent and legitimate interest are both legal bases for data processing. Consent requires the data subject to agree to the processing of their data, while legitimate interest can bypass consent and requires the data collector to demonstrate a valid reason for data processing.
How long does legitimate interest last?
Legitimate interest doesn’t last forever. However, the GDPR doesn’t indicate a specific time frame as it can depend on context and the original scope. Each data controller may use a different timescale that should be supported by justifying documentation.