Legitimate Interests: Dutch Data Protection Authority’s Appeal Dismissed, But the Controversy Continues
In a previous blog post, we discussed the European Commission’s criticism of the Dutch data protection authority’s interpretation of legitimate interests as a lawful basis for processing personal data. In that post we noted that the issue would potentially be resolved by the Netherlands’ highest administrative court, the Council of State when it ruled in the VoetbalTV case.
The Council of State’s ruling was good news for VoetbalTV as it confirmed that the GDPR fine of €575,000 imposed on VoetbalTV should be overturned. However, the Council of State found that it could arrive at that result without having to address the key question: whether processing based on purely commercial interests can fall within the legal basis contained in Article 6(1) f) GDPR (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject).
The Dutch Central District Court considered that ana priori exclusion of certain legitimate interests, because they were purely commercial in nature, would be incompatible with the GDPR. The Council of State did not have to examine or endorse that position, finding on the facts that VoetbalTV could rely on additional interests that were not purely commercial. The Council of State also declined to refer the matter to the European Court, as requested by the Dutch supervisory authority, leaving the central controversy unresolved.
In the absence of a clear judicial position, the Dutch supervisory authority remains free to apply its strict view and to pursue organizations relying on commercial interests as their Article 6(1)(f) basis for processing personal data. Indeed, there are indications that the European Data Protection Board (EDPB) is being pressed to adopt and endorse the Dutch approach on an EU wide basis.
GPDR was intended to promote and accelerate harmonization, with a consistency mechanism designed to eliminate differences in interpretation and enforcement practices. However, significant areas of divergence remain. For example, Spain’s local data protection laws specifically identify situations in which the legitimate interests of the controller(s) will prevail over the rights and freedoms of data subjects, particularly in the context of corporate transactions or contacts necessary for companies to manage their business relationships. By contrast, the PA’s attempt to slam the door on data processing activities that are at the heart of the digital economy (such as commercial profiling) sits uneasily with the EU’s digital strategy. The Dutch supervisory authority’s wholesale rejection of purely commercial interests prevents data controllers from carrying out the balancing exercise that, in the European Commission’s view, provides the essential safeguard in Article 6(1)(f). While the controversy remains unresolved, organisations wishing (or needing) to rely on legitimate interests should consider:
Whether those interests are purely commercial in nature, or whether there are other elements that would fall within the narrow interpretation applied by the Dutch supervisory authority;
If interests are purely commercial, whether processing might be carried out in a member state where the view preferred by the European Commission prevails; and
If there were any indication that that the Dutch supervisory authority’s view was gaining traction at the EDPB, whether alternative lawful bases might be available.