It is true that advertisers will have slightly less leeway. On the other hand, the individuals will benefit by having more rights. The GDPR should help them retake control over their own privacy, as envisioned by the lawmakers.
However, the GDPR does allow some leeway for data processing despite being more restrictive overall. Let’s take a look into the grounds for processing, bases and possible options for your company.
Conditions for Processing
Article 6 of the GDPR lists all the possible bases for processing of the individuals’ personal data. These are:
- obtaining explicit consent from the person for use of their data for specific purposes
- the necessity of processing for the performance of a contract to which the data subject is party (or prior to entering a contract at the individual’s request)
- compliance with a legal obligation to which the data controller is subject
- the protection of the individual’s vital interests (life-or-death situations)
- for public interest
- for the purposes of the legitimate interest pursued by the controller or a third party
Consent will probably be the most important and most widely used basis for data processing. Companies have to obtain consent from their users before using their data. The GDPR is largely unambiguous on this point, and the rules are stricter than before. We mention consent here because it is almost always a better option than legitimate interest.
The “opt-out” mechanism consisting of pre-ticked boxes does not fly under the GDPR radar. Explicit opt-in is required, and not only that – you must notify the individual exactly of purposes you will use their data for. You do not get a blanket permission for indiscriminate storage and processing of their data, so keep that in mind. Processing of data for purposes for which it was not originally collected is allowed only if those purposes are compatible with the original purpose.
You are also under the obligation to clearly inform the individual of the consequences of giving consent. Language should be clear and simple, free of legal jargon and convoluted explanations.
You can find more on the issue of consent in our other articles, where we deal specifically with the ins and outs of consent under the GDPR.
The main topic of this article, legitimate interest, is the one leaving most companies and privacy experts thoroughly puzzled.
The GDPR allows companies to justify the processing of persons’ data by invoking the principle of legitimate interest. In other words, that processing should result in concrete benefits to the company or the society at large, and these benefits must be significant.
However, legitimate interest does not give companies a free pass to use the individuals’ personal data as they see fit. If it did, basically all data processing could have legitimate interest as its basis, since the company could profit from such data.
A Balancing Act
Such a situation would be preposterous. The GDPR aims to balance out the legitimate interest of the company with the rights of the individuals. Article 6 of the GDPR contains the provision that the interests of the company can be overridden by the interests, freedoms and fundamental rights of the individual.
Children are afforded particular protection, and as a rule you should not expect to invoke legitimate interest concerning children’s data. The same applies to special categories of personal data, which, as a rule, should also not be processed on this basis.
Your company should make the assessment weighing up both the company’s and the individual’s interest. Make a record of your analysis, since regulators can and will demand to see it, especially in case of complaints.
The use of better data safeguards can lower the threshold for your legitimate interest. By employing pseudonymisation or even anonymisation of personal data, you can demonstrate that the rights of the individuals are well protected with insignificant risk of infringement, and therefore ensure you can process the data legally.
Notification and the Right to Object
Note that you must notify the individual at the time of data collection that you intend to base processing on legitimate interests, and list the legitimate interests that you will use as a basis for such processing.
The individuals have the right to object, at any time, to your use of their data under the basis of legitimate interest. You must cease such processing upon objection, unless you can demonstrate legitimate grounds for processing that outweigh the rights and freedoms of the individual. The burden of proof lies upon your company.
You are, in most cases, allowed to process the data if it is reasonably expected that you would use the data in such a manner. This depends on your relationship with the individual. The narrower the consent, the less likely you are to be able to use the data.
For example, processing and recording of user data for payment purposes (that the user inputted themselves) is perfectly fine, even without explicit consent, since it is evident that the data must be used for such a purpose (in this particular case, the fulfilment of contractual obligations also comes into play).
Legitimate interest should be used only when necessary. Always try to obtain consent beforehand. This will make processing simpler and safer for you.
Legitimate interest can be used as grounds for cross-border transfers to third countries. In order to qualify, the transfer should only concern a limited number of persons and limited amounts of data.
In practice, you will have a hard time justifying the need for doing so under these grounds. There are so many mechanisms for cross-border transfers that this last-resort option should be rarely, if ever, considered.
Examples of Legitimate Interest from the GDPR
Recitals 47 through 50 cover the cases and conditions for processing.
Administrative purposes are explicitly covered in the GDPR as allowable, even in a group of undertakings (a multinational company and its subsidiaries, for example). This category includes the transfer and processing of clients’ and employees’ data, though this is also in most cases further regulated in national laws.
Processing of personal data for the purposes of ensuring information and network security – i.e. prevention of breaches, damage and unauthorised access – is also considered a legitimate interest, as is notifying the authorities of possible criminal acts and threats to public security.
The Issue with Direct Marketing
There is yet another condition which makes legitimate interest enticing for companies, listed in Recital 47:
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
This can be interpreted as a blank cheque for advertisers and companies to market their products and services indiscriminately, as they have legitimate interest in doing so (profit).
However, individuals have an absolute right to demand that your company cease such processing at any time. Furthermore, since you have to notify the individuals of any legitimate interest you might have, this means that generally consent precludes legitimate interest anyway.
Direct marketing promotions are therefore acceptable in most cases if you have previously obtained the individuals’ data in a business transaction or during a sign-up process. However, they must not intrude upon the privacy and the freedoms of the individual. A single e-mail notifying previous customers is reasonably likely not to present an infringement of one’s rights. This is doubly so if an opt-out link is provided at the bottom of every e-mail.
Additionally, as explained in the ‘Reasonable expectations’ section, a client being notified of sales and offers that could interest them is a very reasonable expectation, with little risk to the individual, but clear legitimate interest of the company. It is, after all, reasonable to assume that a business would try to promote itself occasionally.
Do note that upon request, you must cease direct marketing at once. After receiving a request from the individual, you cannot in any way demonstrate legitimate interest in this case.
Personalisation practices are also in most cases allowed, as long as they are limited and you have obtained previous consent from the individual for marketing purposes. It is no different than visiting a home improvement shop and a shopkeeper advising you on what to buy for your new garden, based on your previous purchases.
Processing of personal data for market research purposes is likely to be allowed, but ensure your company has enough legitimate interest to do so. Speculative research is not considered legitimate.
As Clear as Mud?
To sum up,
- as long as you cease your marketing activities as soon as you receive an opt-out from the consumer, and
- as long as it is reasonably likely such processing is expected and it would not harm the individual, and
- as long as you enact appropriate safeguards, and
- if your company or the society at large stands a lot to gain from these processing actions (legitimate interest)
you can be reasonably sure that legitimate interest applies in this case, and your activities are not infringing upon the GDPR provisions.
Notably, the supervisory authorities remain quiet on the issue of legitimate interest for the purposes of marketing. They are expected to release further guidelines by the end of this year. Until then the companies will have to take extreme care in determining their further course of action with regards to the preparation for the GDPR.
The best you can do now is to carefully monitor new developments by the regulatory authorities. Prepare to enact their guidelines as soon as they are released! Consider implementing anonymisation strategies that will enable you to use the data for various purposes without onerous safeguards.
And above all, make sure to ensure compliance with the GDPR in other areas as well. Fines can be severe, and a lot can be done even if you start today. Wait a little longer and it could be too late – 25 May 2018 is around the corner!