September 27, 2022

Volume XII, Number 270

Advertisement

September 26, 2022

Subscribe to Latest Legal News and Analysis

Legitimate Interests: Dutch Data Protection Authority’s Appeal Dismissed, But the Controversy Continues

In a previous blog post, we discussed the European Commission’s criticism of the Dutch data protection authority’s interpretation of legitimate interests as a lawful basis for processing personal data. In that post we noted that the issue would potentially be resolved by the Netherlands’ highest administrative court, the Council of State when it ruled in the VoetbalTV case.

The Council of State’s ruling was good news for VoetbalTV as it confirmed that the GDPR fine of €575,000 imposed on VoetbalTV should be overturned. However, the Council of State found that it could arrive at that result without having to address the key question: whether processing based on purely commercial interests can fall within the legal basis contained in Article 6(1) f) GDPR (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject).

The Dutch Central District Court considered that ana priori exclusion of certain legitimate interests, because they were purely commercial in nature, would be incompatible with the GDPR. The Council of State did not have to examine or endorse that position, finding on the facts that VoetbalTV could rely on additional interests that were not purely commercial. The Council of State also declined to refer the matter to the European Court, as requested by the Dutch supervisory authority, leaving the central controversy unresolved.

In the absence of a clear judicial position, the Dutch supervisory authority remains free to apply its strict view and to pursue organizations relying on commercial interests as their Article 6(1)(f) basis for processing personal data. Indeed, there are indications that the European Data Protection Board (EDPB) is being pressed to adopt and endorse the Dutch approach on an EU wide basis.

GPDR was intended to promote and accelerate harmonization, with a consistency mechanism designed to eliminate differences in interpretation and enforcement practices. However, significant areas of divergence remain. For example, Spain’s local data protection laws specifically identify situations in which the legitimate interests of the controller(s) will prevail over the rights and freedoms of data subjects, particularly in the context of corporate transactions or contacts necessary for companies to manage their business relationships. By contrast, the PA’s attempt to slam the door on data processing activities that are at the heart of the digital economy (such as commercial profiling) sits uneasily with the EU’s digital strategy. The Dutch supervisory authority’s wholesale rejection of purely commercial interests prevents data controllers from carrying out the balancing exercise that, in the European Commission’s view, provides the essential safeguard in Article 6(1)(f). While the controversy remains unresolved, organisations wishing (or needing) to rely on legitimate interests should consider:

  • Whether those interests are purely commercial in nature, or whether there are other elements that would fall within the narrow interpretation applied by the Dutch supervisory authority;

  • If interests are purely commercial, whether processing might be carried out in a member state where the view preferred by the European Commission prevails; and

  • If there were any indication that that the Dutch supervisory authority’s view was gaining traction at the EDPB, whether alternative lawful bases might be available.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 220
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Partner

Bartolome Martin is a partner in the Data Privacy, Cybersecurity & Digital Assets Practice. Bartolome’s practice sits squarely at the intersection of data protection and cybersecurity, consumer protection, e-commerce, and intellectual property and technology (IP&T). His deep knowledge of the multiple facets of digital transformation makes him a sought-after counsellor to business and legal teams seeking solutions with acceptable risk. Bartolome’s thinking and approach are informed by his experience in a broad array of client engagements and the position he held...

34-91-426-4867
Partner

Malcolm Dowden is a partner in the firm’s Data Privacy, Cybersecurity & Digital Assets Practice. Malcolm has more than 25 years’ experience advising UK and international clients on a wide range of technology, data protection, privacy and electronic communications issues.

Malcolm has a particular focus on planning and implementing cross-border data and privacy law compliance strategies. His experience covers EU GDPR, UK GDPR and (through liaison with local counsel) Dubai International Financial Centre (DIFC), Abu Dhabi Global Market (ADGM),...

44-20-7655-1665
Advertisement
Advertisement
Advertisement