In a significant recent ruling, the Court of Justice of the European Union (CJEU) addressed the extent to which organizations can rely on the "legitimate interest" basis under the GDPR when processing personal data for commercial purposes, such as marketing, without user consent. The CJEU clarified that a controller's commercial interest may be regarded as necessary for the purposes of the legitimate interests pursued by that controller.
This marks a departure from the Dutch Data Protection Authority’s (AP) traditionally restrictive approach, which argued that organizations cannot rely on legitimate interests as a lawful basis for processing personal data for solely commercial interests.
Background
The dispute arose from the actions of the Royal Dutch Lawn Tennis Association (KNLTB), which in 2018 shared its members' personal data with two sponsors without their consent in exchange for remuneration. The data was used for marketing campaigns, including a leaflet distribution and a phone marketing campaign.
The Dutch data protection authority (AP) imposed a fine of €525,000 on the KNLTB for violating GDPR Articles 6(1) and 5(1)(a) by disclosing the personal data of its members without a valid legal basis. Article 6(1) of the GDPR provides the legal basis for the processing of personal data, whereas Article 5(1)(a) requires that personal data be processed lawfully, fairly, and in a transparent manner.
KNLTB appealed against the penalty, claiming that its actions were based on its legitimate interest (as per Article 6(1)(f) of the GDPR) because it intended to create a strong link between the association and its members and wanted to provide added value to its members in the form of promotional offers from its partners. The KNLTB and the AP submitted different opinions in the appellate court regarding whether a purely commercial interest, consisting in the sale of the personal data of the tennis association members, without their consent, to sponsors for direct marketing purposes may be regarded as a legitimate interest.
This CJEU ruling stemmed from preliminary questions referred by the Amsterdam District Court (referring court) in September 2022, following KNLTB's appeal of the AP’s fine. The referring court sought clarification on the interpretation of "legitimate interest" under Article 6(1)(f) GDPR, particularly concerning the sale of individuals' data without consent for direct marketing purposes.
CJEU’s Interpretation of ‘Legitimate Interest’ Basis
Article 6(1)(f) of the GDPR provides that processing of personal data is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of such personal data. The CJEU recalled the three-prong criteria it has set for determining whether processing can be justified under Article 6(1)(f) of the GDPR. The following is an overview of the test and the CJEU’s preliminary guidelines.
1. the pursuit of a legitimate interest by the data controller or by a third party,
The CJEU stated that a wide range of interests can be regarded as legitimate, and the GDPR does not require that the interest pursued by a controller be provided for by law, particularly noting that Recital 47 cites direct marketing purposes as an example of legitimate interests that may be pursued by a controller. However, legitimate interests should be lawful.
The interpreting court (CJEU) further declared that in previous cases (see, for reference, the Google Spain and Google case), it has not ruled out the possibility that a controller's commercial interest, which consists in the promotion and sale of advertising space for marketing purposes, may be regarded as a legitimate interest.
Therefore, in this case, KNLTB’s disclosure of its members’ personal data to its sponsors for commercial purposes may be considered a legitimate interest. However, it is for the referring court to make a final assessment of whether such an interest exists, taking into account the applicable legal framework and all the circumstances of the case.
2. the need to process personal data for the purposes of the legitimate interests pursued,
The CJEU held that this condition requires the referring court to ascertain that the legitimate interests pursued cannot reasonably be achieved just as effectively by other means that are less restrictive of the fundamental rights and freedoms of data subjects. Particularly, the need for processing must be examined in conjunction with the ‘data minimisation’ principle under Article 5(1)(c) of the GDPR, which requires that personal data be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed’.
The CJEU commented that an organization, such as KNLTB, could ask its members whether they want their data to be shared with third parties for advertising or marketing purposes prior to such a disclosure. This approach would allow data subjects to retain control over the disclosure of their personal data and ensure that it is processed only for relevant and necessary purposes. The CJEU clarified that such an approach would be least intrusive of a data subject’s privacy while allowing the controller to efficiently pursue its legitimate interest (to be ascertained).
3. the interests or fundamental freedoms and rights of the person concerned by the data protection do not take precedence over the legitimate interest of the controller or of a third party.
The CJEU recalled that this condition entails a balancing of the opposing rights and interests of the data controller / third party and the data subject, and the referring court should carry out this exercise. The referring court should take into account, in particular, the reasonable expectations of the data subject, the scale of the processing, and its impact on that person. The CJEU stated that in the context of such a balancing exercise, it is for the referring court to ascertain whether the rights of the members of tennis associations would take precedence over the commercial interest of the national tennis federation.
As Recital 47 provides that the interests and fundamental rights of the data subject may, in particular, override the interest of the data controller where personal data is processed in the absence of any reasonable expectations of the data subjects, the CJEU commented that it should be assessed in the present case whether members of KNLTB could reasonably expect, at the time of collection of their personal data, that it would be disclosed, for remuneration, to third parties for advertising and marketing purposes. The CJEU also remarked that the referring court must consider that sharing data with a gaming provider (NLO) is not in line with the relevant and appropriate relationship between the data subjects and the controller and may also expose the data subjects to gambling addiction risks.
Summary of the Ruling
- Processing (including disclosure) of personal data to third parties for a commercial interest can be justified under the legitimate interest basis as long as it is strictly necessary for that purpose and does not override the rights and freedoms of the individuals involved.
- A legitimate interest need not be determined by law. However, it must be lawful.
Impact on Businesses
The CJEU ruling clarifies that a purely commercial interest can be construed as a legitimate interest within the meaning of Article 6(1)(f) of the GDPR, provided that other conditions outlined within the provision are also met. It is not necessary that a legitimate interest be determined by law. The CJEU has, however, emphasized that legitimate interest is not an unrestricted license to process personal data. The assessment of whether a controller can rely on a legitimate interest for a particular processing activity should be done on a case-by-case basis based on a balancing exercise. Based on the guidelines outlined by the CJEU, it is now for the referring court to decide whether, in light of all the applicable circumstances, the KNLTB could rely on the legitimate interest basis to share the personal data of its members with its sponsors.
From an industry perspective, while the ruling provides relief for businesses to rely on legitimate interests as a lawful basis for processing personal data for commercial purposes, such as direct marketing, businesses must remain diligent in ensuring that the processing is strictly necessary and properly balanced with the rights of data subjects.
However, there are still grey areas, particularly when a business collects data from third parties for commercial purposes and uses it to send direct marketing emails based on legitimate interests. Since the application of legitimate interests is determined on a case-by-case basis, it remains to be seen how courts and data protection authorities will address these nuances in future rulings.