Legitimate Interests under the GDPR
I have been asked several times over the summer to comment on various suggestions that it will be possible to rely on legitimate interests as the legal basis for direct marketing after May 2018 under the General Data Protection Regulation (GDPR). The devil is in the detail: the nature and method of the direct marketing are crucial to this argument, and this blog post is designed to explore and clarify the situation.
Recital 47 of the GDPR closes with the sentence: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
Recital 47 also sets out that those legitimate interests must be weighed against the rights and freedoms of individuals and their reasonable expectations based on their relationship with the data controller:
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller…. At any rate, the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could, in particular, override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.”
This qualification has been explored by several erudite bodies including the Direct Marketing Association, and in papers published by Slaughter and May and by Bird & Bird. The current ICO guidance states:
“The legitimate interests condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms or legitimate interests of the individual. Your legitimate interests do not need to be in harmony with those of the individual for the condition to be met. However, where there is a serious mismatch between competing interests the individual’s legitimate interests will come first.”
When to use Legitimate Interests
Controllers may choose legitimate interests in preference to consent where consent is not viable or not preferred. The Data Protection Network paper suggests that legitimate interests could cover, for example, direct mail from a charity to its existing supporters updating them on upcoming events.
Slaughter and May’s guidance reminds us that the legitimate interests condition is necessity-based: the condition may be relied upon only to the extent that the processing is necessary for the purposes of the company’s legitimate interests. Before relying on it, controllers should therefore consider whether a less invasive form of processing would achieve the same ends. The Data Protection Network paper introduced the concept of a “legitimate interests assessment” (LIA), a superb three-stage process: a) identify a legitimate interest, b) carry out a necessity test, and c) carry out a balancing test. The final step, the balancing test, explores and documents the nature of the interests, the impact of the processing, and the safeguards which are or could be put in place.
Individual information rights
Let us assume that we have carried out an LIA for a commercial direct marketing programme and have objectively determined and documented that it is fair and reasonable to rely on legitimate interests. Clearly, we need to ensure that our privacy notices declare this legitimate interest and advise people of their rights, including the general right to object to processing based on legitimate interests and their specific right to object to the processing of their personal data for direct marketing, including profiling. We also need to ensure that we have the mechanisms in place to act on any objections received.
Where an individual exercises the general right to object, the burden now lies with the data controller to demonstrate compelling legitimate grounds which override the individual’s interests, rights and freedoms. The right to object to direct marketing, however, gives the controller no opportunity to review and weigh the conflict of rights: it is an absolute right, set out in Article 21(3): “Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”
Legitimate interests and direct marketing – no problem?
So there would seem to be no problem in theory with undertaking direct marketing on the legal basis of the legitimate interests of the data controller, provided all aspects have been considered, and this is the view of the DMA, Slaughter and May and, of course, the GDPR in Recital 47. In their paper on the subject, Slaughter and May argue that the legitimate interests condition is likely to be appropriate in the case of direct marketing promoting special offers to an existing customer via the post. It is reasonable for consumers to expect a business to attempt to promote its products and, “whilst the company’s interests are not particularly compelling there is relatively little intrusion into a customer’s privacy or disproportionate impact.”
When the direct marketing activity envisaged is through the medium of email or any other form of electronic communications, a different set of rules applies: currently the Privacy and Electronic Communications Regulations (PECR), soon to be reformed. This is where the legitimate interests argument rapidly loses momentum and runs aground, particularly in the charity sector.
In the case of email marketing, all of the qualifications below currently bear on whether an email marketing campaign can lawfully be undertaken:
- Have the proposed recipients previously opted out of receiving direct marketing (DM) emails from you? If so, then unsolicited DM communications to them are prohibited.
- Has the communication been specifically requested? If not, then the proposed communication is unsolicited.
- Are messages being sent to recipients outside the UK? If so, then you may have other laws to consider.
- Are emails being sent to generic email addresses (e.g. [email protected]…)? If not, then they are being directed to specific individuals and the rules for individual subscribers apply.
- Can you demonstrate that you have specific and valid consent to send email marketing materials? If not (and this includes implied consent and consent acquired via third parties), then sending unsolicited DM emails is prohibited unless you can rely on the “soft opt-in”.
- Are you a charity or political organisation? If so, then you cannot rely on the “soft opt-in”, which is available only in the context of a sale or negotiations for a sale.
- Are the proposed recipients your existing customers? If so, then you may be able to rely on the “soft opt-in”.
- Have recipients bought, or negotiated to buy, products or services from you which are similar to those you wish to promote? If so, then you may be able to rely on the “soft opt-in”.
- How long is it since you last engaged meaningfully with the recipient? If it is not recent, then you may find that you have no grounds for sending the emails.
- Are your proposed recipients consumers, or individuals with whom you have a business-based relationship? If the latter, then you may find the rules are slightly relaxed.
In the future, under the GDPR and a revised PECR, this may change. The leaked proposal for a new e-Privacy Regulation brings the definition and meaning of consent, and the requirements relating to privacy notices and information, into line with the GDPR (see recital 22 of the proposal). Article 16 states:
“1. The use of electronic communications services by natural or legal persons for the purposes of transmitting direct marketing communications is only allowed in respect of end-users who have given their prior consent.
2. Where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Regulation 2016/679/EU, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and on the occasion of each message.”
So while it uses very similar language to Article 13 of the current e-Privacy Directive (implemented in the UK by regulation 22 of PECR), reliance on implied consent will, I am sure, become more difficult. What is clear is that legitimate interests as a basis for direct marketing certainly do not extend to direct marketing by the electronic means covered by PECR, including email, SMS, fax, telephone and social media messaging, each of which carries its own rules.
The assumption that personal data processed for direct marketing purposes need not be based on the prior consent of the data subject is well founded, but it clearly does not extend to direct marketing using electronic communications such as email, where valid consent remains, and will continue to remain, a qualifying condition for unsolicited direct marketing communications, “unsolicited” meaning anything that was not specifically asked for.
Philip Brining 23rd August 2017
The information provided in this document is for guidance only and does not constitute legal or professional advice. Always consult a suitably qualified lawyer who is licensed to give legal advice on any specific legal problem or matter. Data Protection People assumes no responsibility for the information contained in this document and disclaims all liability in respect of such information.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation).
Slaughter and May, Processing of personal data: consent and legitimate interests under the GDPR, May 2016.
Bird & Bird, Guide to the General Data Protection Regulation, January 2017.
Data Protection Network, Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation, Version 1.0, 10 July 2017.
Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications (the ‘e-Privacy Regulation’).