Brazil’s Guidance on Legitimate Interest

On February 2, 2024, The Brazil National Data Protection Authority (ANPD) released guidance on the processing of personal data based on the legal basis of legitimate interest under the General Data Protection Law (LGPD). The guidance emphasizes the need for a meticulous analysis of each case to ensure compliance with the law. The guidance aims to provide greater certainty and predictability to the controllers when leveraging legitimate interest as a legal basis for the processing of personal data.

Legitimate interest is one of the legal bases for processing personal data provided under Article 7(ix) of the LGPD. Under this legal basis, personal data can be processed when necessary to meet the legitimate interest of the controller or a third party, provided that such processing does not violate the freedom and fundamental rights of the data subjects that require the protection of their personal data.

Key Points From the Guidance

The guidance covers the main definitions and interpretation parameters to understand the legal basis.  Let’s delve into the key points addressed in the guidance.

Nature of Personal Data

To process personal data based on the legal basis of legitimate interest, controllers are first required to verify the nature of the personal data to be processed. It’s important because the legitimate interest does not allow the processing of sensitive personal data. Therefore, if the controller is aiming to process personal data that involves sensitive data, it should look for another legal basis that allows the processing of sensitive personal data.

Example

For instance, a medical clinic collects and stores the medical history and test results of its patients. The clinic plans to use the medical data based on the legal basis of legitimate interest to improve the clinic’s administrative flow and quality of services. As per the provisions of the LGPD, health data has been categorized as sensitive personal data. Sensitive data requires greater protection due to higher risks to its data subjects. Therefore, the legal basis of legitimate interest cannot be used to process sensitive personal data. In that case, the controller is required to obtain specific, prominent consent from each patient for the processing of sensitive personal data or rely on any other permitted grounds under the LGPD.

Personal Data of Children and Adolescents

The processing of personal data of children or adolescents can be carried out based on the legal basis of legitimate interest as long as the best interests of children and adolescents are observed. Therefore, before relying on the legal basis of legitimate interest, the controllers must confirm whether they are processing the personal data of children and adolescents.

To emphasize its stance with regard to the processing of personal data of children and adolescents, the guidance refers to Article 3 of the International Convention on the Rights of the Child, which states that “all actions carried out by public or private bodies relating to the child must primarily observe the best interest of the child.”

In practical terms, controllers must perform a balancing test and keep a record of it to justify the processing of personal data of children based on legitimate interest. The criteria used in the assessment should be appropriate to the situation and capable of demonstrating:

1. What was considered to be in the best interest of the child or adolescent;
2. Based on which criteria your rights were weighed against the legitimate interest of the controller or third party;
3. The treatment does not generate disproportionate and excessive risks or impacts, considering the condition of children and adolescents as subjects of rights.

Given the application of the criteria, it should be appropriate to process the personal data of children in cases where the controllers have a prior and direct relationship with data subjects and the processing aims to protect the best interests of the child.

Example

For instance, a school collects personal data from students when they access the Wi-Fi network available on the site. This is done to ensure the safety of children and adolescents in a digital world.

In the preliminary analysis, schools can collect the personal data of children or adolescents based on legitimate interest due to their prior relationship with students. Furthermore, the collection is justified as it was aimed to prevent improper access to certain content or to identify a child who has assessed a certain page at a specific time. However, in the specific case, the controller should conduct a balancing test to assess the adequacy of the legal basis of legitimate interest and to assess whether the best interests of the child have prevailed.

Conditions for Legitimate Interest

Interest includes any benefit or gains that may result from the processing of personal data. As per the guidance, the interest would be considered legitimate if it meets the following three conditions:

(1) Compatibility with the legal system

Compatibility with the legal system presupposes that the processing of personal data must not be prohibited by the current legislature and does not, directly or indirectly, contravene the legal principle applicable to that specific case.

(2) Grounded in concrete situations

The interest must be based on concrete situations that aim for specific, well-defined interests. Article 10 of the LGPD allows the processing of personal data for legitimate interest based on concrete situations. Therefore, interests that are not based on concrete situations would not be covered under the umbrella of legitimate interest.

(3) Connect to legitimate, specific, and explicit purposes

The data processing must be linked to legitimate, specific, and explicit purposes. Here, the purpose constitutes the specific purpose that is aimed to be achieved after processing the personal data.

Example

For instance, a private school has been providing promotions and discounts to students, teachers, and other staff regarding books from its publisher. Messages are delivered via email and notifications on the institution’s cell phone application. The processing was carried out based on the legal basis of legitimate interest. Furthermore, to mitigate the interest, the school does not share the data with any third party, and provides a mechanism to unsubscribe at the end of the email and application’s notification.

As per the guidance, the interest may be considered legitimate as the processing is compatible with the legal system, meets the requirements of specific situations, and is linked to legitimate, specific, and explicit purposes. This dissemination to the academic community also meets the legitimate expectation of the data subjects, with whom it has a prior relationship. Moreover, the risks are mitigated by providing an option to unsubscribe in the messages.

Interest of Controller or a Third Party

Before the processing of personal data, it is necessary to verify whether the interest underlying the operation is that of the controller or a third party. The interest of a third party may be associated with any legal or natural person other than the controller. The legal basis of legitimate interest may be used to process personal data for the interest of the community or society. Therefore, all the assumptions applicable while processing personal data for the legitimate interest of the controller should be applicable in the event of data processing based on legitimate interest for the interest of a third party.

Example

For instance, a Higher Education Institution offers higher education and post-graduation training. The institution has 800 students and 200 employees. To enhance the training of its teaching and administrative staff, the institution plans to provide 10% discounts on the monthly fee for English and Spanish courses. In this case, the action was carried out only once and for a specific purpose, but the institution promotes campaigns of this nature to encourage the improvement of its employees.

As per the guidance, the promotional campaign can be justified based on the legitimate interest of a third party, in this case, the language school. The promotional campaign will benefit the employees and may benefit the language school with an increase in the number of customers. However, the legitimate interest balancing test may be carried out, and a transparent mechanism must be adopted, such as providing prior information to employees about sending promotional messages, also enabling them to opt out of the promotional campaigns to meet the legitimate expectations of the employees.

Fundamental Rights and Freedoms of Data Subjects

The processing of personal data based on legitimate interest presupposes the identification and mitigation of the expected risks to the fundamental rights and freedoms of the data subjects. Therefore, a balancing test must be carried out to assess whether the impacts caused are proportional to the fundamental rights, and which safeguard measures must be adopted to mitigate these impacts. The controllers should provide easily accessible channels to the data subjects through which they can exercise their rights, such as opting out of the processing and the deletion of their personal data. It is important to note that the legitimate interest cannot be assessed in isolation, as it should only be applied when the fundamental rights of the data subjects do not prevail over the legitimate interest of the controller or a third party.

Legitimate Expectations of Data Subjects

The legitimate expectation of the data subject is another relevant factor that should be considered while processing personal data based on the legal basis of legitimate interest. The controller must be able to demonstrate that the processing of personal data for the intended purpose was reasonably expected by the data subjects. Some of the important factors that form the basis of legitimate expectation include:

1. The existence of a prior relationship between the controller and data subjects;
2. The source and form of data. Whether the data was collected directly from the data subjects, whether it was shared by a third party, or it was collected from a public source;
3. The context and period of data collection; and
4. The intended purpose of data collection, and its compatibility with processing based on legitimate interest.

The legitimate expectation of the data subjects is based on the good faith and principle of data protection, which requires special attention from the controllers while processing personal data based on legitimate interest. Therefore, to fulfill the legitimate expectations of the data subjects, an analysis is important that can be done through a balancing test. To ensure effective respect for legitimate interest, the controller is required to provide easily accessible mechanisms to data subjects so that they can exercise their fundamental rights, such as the right to opt out of the processing and deletion of personal data.

Example

For example, a company used the legal basis of legitimate interest to justify the use of software that tracks employee activities and records everything typed on the company’s computer. This activity aims to track employee productivity and identify improper sharing of confidential information.

In this particular instance, even though the activity may have been previously disclosed and covered by the privacy policy, the collection of data, including the recording of images and everything typed by the employee through the software interferes excessively and disproportionately with the fundamental rights and freedoms of the data subjects and goes against their legitimate expectations. In particular, it must be taken into account that the collection goes well beyond what is necessary to achieve the intended goals, making it unreasonable to expect the employer to collect such data. Additionally, employees have no practical way to challenge the treatment; they are more vulnerable to their employer in the framework of the working relationship. These factors make it impossible for the processing to proceed, and using the legal basis of a legitimate interest would be improper because, in this particular instance, the data subjects' legitimate expectations were not met, and their fundamental rights and freedoms had to take precedence.

Necessity, Transparency, and Recording of Operations

Personal information may only be processed if it is strictly necessary for the intended use. In addition, the controller has to think about if there are other reasonable ways to accomplish the goal without processing the data, or if processing the data is not proportionate or appropriate for the intended purpose. Another requirement under the LGPD is transparency. The controllers must ensure that data subjects have easy access to information about the processing of personal data based on legitimate interest. Moreover, the controller is required to keep a record of the processing of personal data especially when it is based on legitimate interest. The analysis performed by the controller, in particular the balancing test, may also be included in the processing documentation. This analysis should include the nature of the processed personal data, evidence of the controller's or a third party's legitimate interest, consideration of the data subject’s rights and compatibility with their legitimate expectations, and, in the case of children's or adolescents' personal data, proof of the observance and prevalence of their best interests. If the processing has a high risk, the Data Protection Impact Report (RIPD) is another essential document.

Lawful Interest and the Public Power

The legal basis of legitimate interest has limited applicability within the public sector as its use is inappropriate when processing is carried out to fulfill the obligations and legal duties of the public authorities. Since there is an asymmetry of forces that may, when appropriate, establish restrictions on individual rights, it is impossible to properly balance the expectations of data subjects, as well as their fundamental rights and freedoms, and the supposed interests or obligations of the State when exercising the legal obligations of the Public Power. Therefore, it is advised that public bodies and entities generally refrain from using the legal basis of legitimate interest, instead choosing to rely on other legal justifications, such as the implementation of public policies and adherence to legal requirements, to support the processing of personal data that they conduct.

In conclusion, when it comes to Public Power, the legal basis of legitimate interest must be avoided when processing personal data is done compulsorily or under legal or regulatory assignments. However, in certain cases, it may be admitted eventually, depending on the particulars of each case.

Balancing Test

A balancing test that takes into account the fundamental rights and freedoms of the data subjects, as well as the interests of the controller or third party, must come before processing data based on legitimate interest. The balancing test is an evaluation of proportionality that is conducted in light of the context and particulars of data processing, including the impacts and risks to the freedoms and rights of data subjects. The balancing test must be executed for each specific purpose and entails the account of the legitimacy of the interest, the necessity of processing, the effects on data subjects' rights, and their reasonable expectations with the relevant interests. Therefore, the controller must reevaluate the concrete legitimate interest to support the processing of data for this new purpose if personal data is used for another valid and specific purpose. Prepare a new balancing test for the new purpose if the controller chooses to process personal data based on the legal basis of legitimate interest.

The balancing test model shared by the ANPD has three phases. These phases include the following:

Phase 1: Goal

At this point, the treatment's context needs to be examined, with an emphasis on the goals and benefits that are meant to be attained. Given that the processing of sensitive personal data is exempt from the application of legitimate interest, the first step in achieving this goal is to confirm the nature of the personal data. Furthermore, appropriate measures must be taken to guarantee the observance and prevalence of children's and adolescents' best interests where the processing of their personal data is involved. The interest that justifies the treatment, whether it comes from the controller or another party, by assessing its legitimacy, particularly in terms of its compliance with the law, its foundation in real-world circumstances, and its connection to legitimate, specific, and explicit purposes.

Phase 2: Need

The second part of the test is based on the phrase "when necessary" found in art. 7th, ix, and, more precisely, on Art. 10, Sec. 1, of the LGPD, which states that "only personal data strictly necessary for the intended purpose may be processed when processing is based on the legitimate interest of the controller." It is the controller's responsibility to determine if processing based on legitimate interest is required to accomplish the goals of phase 1 and to put policies in place to reduce the amount of data used for that purpose. Preferring less invasive methods of accomplishing the goal is crucial, in addition to determining whether it can be done so at a lesser cost and with less danger to the data subject. Ensuring that the data is pertinent, fits the processing goal, and corresponds with the data subject’s expectations is crucial. As a result, the processing of data must be limited to that which is necessary to fulfill the purposes of the legitimate interest.

Phase 3: Balancing and Safeguards

The third stage of the test involves striking a balance between the data subject’s fundamental rights and freedoms and the interests of the controller or third party. At this point, in addition to balancing addressing these risks with the safeguards to be adopted and with clear and precise access to data subjects of information relating to the processing of their data, it will be necessary to assess the potential risk and impacts on data subjects based on the interests and purposes identified in the previous phases.

It should be highlighted that processing personal data for legitimate interest does not automatically become impossible just because there may be a risk or adverse effect on data subjects. It is not necessary to have zero impact, rather appropriate safeguard measures must be adopted to minimize the risk.

Prevention of Fraud and Security

When processing sensitive personal data is necessary to "guarantee fraud prevention and security of the data subject, in the processes of identification and authentication of registration in electronic systems," it is permitted by the LGPD's Art. 11, ii,g.

The implementation of the legal basis stipulated in Art. 11, ii, g, from the LGPD, must adhere to a system like that given for legitimate interest, even though it is restricted to achieving a defined goal ("fraud prevention and security"). This is because the legislative text's phrasing requires the controller to confirm whether the "fundamental rights and freedoms of the data subject that require the protection of personal data" prevail in that particular situation.

The balancing test is the most effective method for determining the extent to which the data subject’s fundamental rights and freedoms are being upheld, primarily because it provides a legal foundation for the processing of sensitive personal data.

It is crucial to emphasize that the Art. 11, ii, g does not prohibit the legitimate interest from being used as a legal basis for the processing of non-sensitive personal data to prevent fraud and, consequently, ensure the data security of data subjects, provided that the conditions and application parameters mentioned in this Guide are fulfilled.