New EDPB guidelines on legitimate interest

by Jan Horstmann

On 8 October 2024, the European Data Protection Board (EDPB) issued guidelines on the processing of personal data on the basis of a legitimate interest in accordance with art. 6(1)(f) GDPR for public consultation (the Guidelines).1 The Guidelines provide orientation regarding a number of practical questions of interpretation and application.

Beyond the general requirements of a legitimate interest, in particular the balancing of interests, the Guidelines address the relationship between this legal basis and the rights of the data subject, as well as its application in certain contexts. The last joint document of the EU supervisory authorities on this topic to date was Opinion 06/2014 of the Art. 29 Working Party (WP29). Along with a general overview, the following sections highlight noteworthy points of the Guidelines, concentrating on the general requirements of the legal basis and some focus areas of the EDPB.

1. Requirements of the legal basis

The applicability of art. 6(1)(f) GDPR is examined in three steps: identification of a legitimate interest of the controller or a third party, examination of the necessity of the processing for the pursuit of the legitimate interest, and finally the balancing of the legitimate interest against the rights and interests of the data subject. Doctrinally, the relationship between the second and third step remains unclear.2 The EDPB assumes they coincide ‘in some situations’, as a balancing of interests is already part of the necessity test (para. 12).3 In contrast, it is later pointed out that a reconsideration of necessity or the underlying interest is required if the balancing of interests shows that certain categories of data do not need to be processed (para. 42).

The EDPB uses three cumulative criteria to determine whether an interest is ‘legitimate’: it must be lawful, clearly and precisely articulated, and real and present – not speculative. There are no further requirements; in particular, the ECJ has clarified that purely commercial interests are not generally excluded.4 The EDPB is somewhat more cautious in reviewing the legitimacy of an interest than the WP29, which at this point already included ethical requirements, codes of conduct or customs.5 However, these seem better suited to be taken into account in the balancing of interests step.

When pursuing the legitimate interest of a third party, some special considerations apply. According to the EDPB, there must be a connection to the activities of the controller, a requirement derived from recent ECJ case law.6 The Guidelines include an illustrative (though fairly abstract for practical application) list of case groups in which a third party’s legitimate interest may become relevant (paras. 21-25):

  • The establishment, exercise or defence of legal claims by third parties;

  • disclosure of data for transparency or accountability purposes, especially in the interest of the recipients of this information;

  • historical or other kinds of scientific research;

  • general public interest or interest of a third party.

With regard to necessity, the EDPB – like the ECJ7 – somewhat transcends the wording of the GDPR by adding ‘strictly’ before ‘necessary’ in art. 6(1)(f) GDPR (para. 29). Whether this entails practical consequences in terms of stricter handling compared to provisions requiring ‘simple’ necessity remains unclear.

Finally, the EDPB sets out a clear methodology for the balancing of interests (para. 32):

  • First, the fundamental rights, freedoms and interests of the data subjects must be identified;

  • Second, the impact must be described in the dimensions ‘type of data processed’, ‘circumstances of the processing’ and ‘further consequences of the processing’;

  • third, the reasonable expectations of the data subject must be explored;

  • finally, the conflicting rights and interests must be balanced, taking into account further protective measures (‘mitigating measures’).

The EDPB subsequently explains the details of implementation for each step, which should certainly be helpful for controllers. It should be noted that additional details are provided for processing in certain contexts (para. 90 et seq.) as well as profiling (para. 82).

One noteworthy difficulty of legitimate interest arises when assessing data subjects’ reasonable expectations: referencing the judgement of the ECJ in Meta Platforms and Others,8 the EDPB explicitly contrasts common practice in a specific area with data subjects’ expectations (para. 52). The controller must therefore largely disregard their specific knowledge of the sector in this assessment. Contractual provisions, on the other hand, may influence reasonable expectations (para. 53 fn. 61).

The EDPB also links the data subjects’ reasonable expectations to the GDPR information duties. However, the Board’s position on this question does not seem entirely convincing: while a failure to inform may lead to the data subjects being surprised, mere fulfilment of the obligations set out in arts. 12-14 GDPR should not be taken to indicate that the data subjects ought to expect the respective processing (paras. 53, 68).

The latter makes perfect sense – especially since privacy statements and similar notices are not always (fully) read and understood. But, since the controller needs to ascertain the applicability of a legal basis, including art. 6(1)(f) GDPR, before processing personal data, how should it take into account the data subjects’ surprise due to a lack of information that may only occur at a later stage? At the outset of processing, the controller will generally assume that they will inform data subjects properly. An ex ante assessment of the data subjects’ expectations thus seems more adequate in the context of art. 6(1)(f). Otherwise, even the most carefully performed balancing of interests would be devalued after the fact by a circumstance not inherently connected to the legal basis, and the controller would risk incurring two fines (pursuant to art. 83(5)(a) and (b) GDPR) for the same omission (failing to inform).

A different reasoning may apply if data is processed for purposes it was not originally collected for (art. 6(4) GDPR). In that case, information about the original processing has already been provided (or not) and this fact could certainly be taken into account in the balancing of interests regarding further processing.

Regardless of this criticism, the ECJ has actually created an even stronger link between information duties and the legal basis of legitimate interest. As held in Meta Platforms and Others9 and very recently confirmed in Mousse,10 the Court sees notification of the legitimate interest pursued as an integral precondition for the lawfulness of data processing based on art. 6(1)(f) GDPR.

2. Relationship to the rights of data subjects

The Guidelines go on to shed light on the application of transparency obligations and data subject rights to information, objection, erasure, rectification and restriction of processing as well as the prohibition of automated individual decision-making in connection with the legal basis of legitimate interest.

With regard to the information obligations (art. 13(1)(d) and art. 14(2)(b) GDPR), the EDPB points out that additional information may be provided and could be taken into account as an additional measure in the balancing of interests. One approach could be ‘layered’ information which initially only specifies the legitimate interest, but allows interested data subjects to obtain further information about the elements taken into account in the balancing of interests (para. 68).

A special feature of legitimate interest compared to most other legal bases lies in the right to object. If a data subject objects to the processing on grounds relating to his or her particular situation, the controller must demonstrate ‘compelling legitimate grounds’ in order to continue with the processing (art. 21(1) GDPR). In the absence of ECJ case law, the Guidelines are likely to be particularly relevant for clarifying this indefinite legal term and guiding the necessary balancing of interests. According to the EDPB, compelling interests only include interests which are ‘essential’ for the controller, such as the protection of its organisation or system from serious and imminent harm or a severe penalty which would seriously affect its business operations (para. 73). In contrast to the balancing of interests under art. 6(1)(f) GDPR (see recital 47), the balancing under art. 21(1) GDPR must be based on the individual situation of the data subject (recital 74). The interaction of the right to object with the rights to erasure and restriction of processing must also be taken into account. While an objection is being processed, processing must be restricted to storage of the data concerned (art. 18(1)(d) GDPR). A successful objection must in general be followed by erasure at the request of the data subject (para. 78), since the thresholds for competing interests of the controller in art. 17(1)(c) GDPR and art. 21(1) GDPR are equivalent despite a slightly different wording, according to ECJ case law.11

3. Context-specific application of legitimate interest

Finally, the EDPB addresses a number of processing contexts of particular practical relevance:

  • Processing of children’s personal data;

  • processing by public authorities;

  • processing for the purpose of combating fraud;

  • processing for direct marketing purposes;

  • processing for internal administrative purposes within a group of companies;

  • processing for the purpose of ensuring network and information security;

  • transmission of personal data to competent authorities.

These contexts represent only a fraction of the processing activities potentially falling under art. 6(1)(f) GDPR, but they address some as yet unclarified points. This includes, for example, the question of which cases of data processing by a public authority do not fall under art. 6(1) subsection 2 GDPR and may thus be based on legitimate interest. The Guidelines suggest that such cases be restricted to ‘exceptional and limited’ cases in which national law allows authorities to act in a non-public law manner and which must be documented internally (para. 99; note that, according to the information duties, notification of the data subjects is also necessary).

4. Conclusion

Legitimate interest is a familiar concept to anyone working in data protection law and is often used to legitimise data processing. The guidelines of the EDPB on art. 6(1)(f) GDPR offer some important guidance to alleviate the legal uncertainty owed to the flexibility and vagueness of this legal basis. While they contain few interpretive surprises, offering continuity with the WP29 opinion from 2014 instead, and come in the somewhat cumbersome, ritualised diction of the EDPB, they update the position of the EDPB to fit the GDPR and more recent ECJ case law. Importantly, the Guidelines treat selected important contexts of application in greater detail. Overall, however, the Guidelines are somewhat less expansive than the WP29 opinion.

A revised version of the Guidelines, incorporating feedback from the public consultation, which was closed on 20 November 2024, is expected in 2025.

Jan Horstmann, Researcher and free author in data protection and AI law.

1This article is based on a slightly longer German version published in Zeitschrift für Datenschutz: ZD-Aktuell 2024, 01909.

2As it does in the case law of the ECJ, e.g., Judgement in case C-26/22 and 64/22 – Schufa Holding (Libération de reliquat de dette), 7.12.2023, para. 92.

3Paragraphs cited without reference to a different source refer to the Guidelines.

4Judgement in case C-621/22 – KNLTB, 4.10.2024.

5Opinion, p. 25 fn. 48.

6Judgement in case C-252/21 – Meta Platforms and Others, 4.7.2023, para. 124.

7Judgement in case C-26/22 and 64/22 – Schufa Holding (Libération de reliquat de dette), 7.12.2023, para. 88.

8Judgement in case C-252/21 – Meta Platforms and Others, 4.7.2023, para. 117.

9Judgement in case C-252/21 – Meta Platforms and Others, 4.7.2023, para. 126.

10Judgement in case C-394/23 – Mousse, 9.1.2025, para. 52.

11Judgement in case C-26/22 and 64/22 – Schufa Holding (Libération de reliquat de dette), 7.12.2023, para. 112.