Earlier this month, a Dutch newspaper obtained and published a letter sent by the European Commission to Autoriteit Persoonsgegevens (AP) – the Dutch Data Protection Authority. The letter, dated June 2020, states that the Commission is “concerned” by the AP’s strict interpretation of the GDPR, and the legitimate interest processing ground in Article 6(1)(f) of the Regulation.

Article 6(1)(f) of the EU GDPR reads as follows:

Lawfulness of Processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

[…]

(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The Commission’s letter follows Guidance by the AP (which is understood to be still in force) stating that:

“What are not considered legitimate interest either, would be the following examples: processing personal data for purely commercial interests, profit maximisation, monitoring employee conduct without legitimate interest or tracking the (purchasing) behaviour of (potential) customers, etc.”. 

The Dutch watchdog has also issued a number of enforcement decisions against controllers, applying the above approach in practice. Most notably, shortly after the Commission’s letter, AP imposed a fine of €575,000 to VoetbalTV – an initiative by the Netherlands’ football association, under which amateur football games were being streamed online. On this paid platform, users were able to watch highlights and use the clips as preparation for their matches. However, the main issue was that people were filmed and therefore VoetbalTV processed personal data, on the basis of “legitimate interests” (its commercial interests), an approach which AP disagreed with. VoetbalTV went on to successfully appeal AP’s decision in court, on the grounds that the regulator’s interpretation of the GDPR was too restrictive¹. However, this came at a high cost to the company, which declared bankruptcy before the court’s decision was published.

In its letter, the Commission provides a summary of the foundations of the “legitimate interests” processing condition in EU law and concludes that “[AP’s] strict interpretation is not in line with the GDPR.”

Legitimate interests: The three-part test

The Commission observes that the test for applying the “legitimate interests” ground stems from the Rigas satiksme²case and contains three limbs:

i) establishment of the existence of a legitimate interest behind the processing;

ii) assessment of whether the processing in question is necessary; and

iii) undertaking a balancing test in order to establish whether the legitimate interest of the controller is overridden by the fundamental rights and freedoms of the data subject.

In relation to the first limb, the Commission notes that it is difficult to reconcile the strict interpretation of the AP, regarding what can constitute a legitimate interest, with the intended effect that the EU legislators wanted to attribute to Article 6(1)(f) GDPR, given that Recital 47 of the legislation itself contains examples of commercial activities (e.g. direct marketing) listed as legitimate interests.

In relation to the second and third limbs, the Commission points to a number of decisions by the Court of Justice of the European Union³ which establish that the legitimate interest ground foresees a concrete balancing of the legitimate interests of the controller, on the one hand, and the fundamental rights and freedoms of the data subject, on the other hand. Therefore, the fact that AP generally and categorically prevents data controllers from relying upon pure commercial interests means they are deprived in practice of the possibility of even carrying out this balancing test, which would otherwise allow them to at least weigh up their purely commercial interests against the rights and freedoms of the relevant data subjects and decide whether to proceed with the proposed processing based on legitimate interests or not.

The Commission concludes the letter with a reminder that the purpose of the GDPR is not to hamper business activities but rather to allow the conduct of business while concurrently ensuring a high level of data protection. The Commission states that the strict interpretation laid down by AP severely limits businesses’ ability to process personal data for commercial interests and invites the Dutch watchdog to “readjust” the language of its guidance.

It is understood however that the AP does not agree with the Commission’s remarks and two years after receiving the letter, it has not yet changed its approach on the “legitimate interests” processing ground. If will be interesting therefore to see whether, and if so how, the Commission decides to pursue this in terms of further action. 

A copy of the Commission’s letter is available here.

¹ For more information, see https://gdprhub.eu/index.php?title=Rb._Midden-Nederland_-_UTR_20/2315

² Case C-13/16, Rigas satiksme, para 28 

³ See e.g. Cases C-468/10 and C-469/10, ASNEF; Case C-131/12, Google Spain, and case C-40/17, Fashion ID.