A recent opinion by the Article 29 Working Party provides practical guidance on the applicability of the "legitimate interests" of a data controller as one of the grounds for the lawful processing of personal data under the EU Data Protection Directive 95/46/EC. The processing of personal data based on controller's "legitimate interests" is a valuable option for data controllers, in particular where consent is unobtainable or impractical, such as in certain types of processing by companies that handle big data. Referring to legitimate interests as a ground for data processing requires a thorough assessment of, on the one hand, the legitimate interests pursued by data controller or by any third parties to whom the data are disclosed, and on the other hand, the interests and fundamental rights of the data subject. The balancing test between these two interests is necessary for deciding whether the rights of the data subject can be overridden.
This Opinion is highly relevant in the context of the recent Memo on Big Data issued by the European Commission on 2 July 2014, as it ensures the unified interpretation and implementation of the "legitimate interests" ground for data processing under the current Directive throughout the EU. It also provides policy recommendations for the future EU General Data Protection Regulation. Businesses involved in processing big data or in combining existing data with new data sources should carefully study this Opinion.
The Opinion was published on 9 April 2014 by the Working Party and provides a detailed analysis of the criteria that make data processing legitimate per Article 7 of Directive 95/46/EC. From six legal grounds for the processing of personal data stipulated in Article 7, the most known and widely used are:
the unambiguous consent of the data subject processing that is necessary for the performance of a contract with the data subject processing necessary for compliance with a legal obligation of controller. A less constraining ground for processing, as stipulated under Article 7(f), permits the processing of personal data necessary for the purposes of the legitimate interests pursued by the controller or third parties, subject to an additional test balancing the data controller's interests against the data subject's fundamental rights and interests.
Application of the balancing test
For a proper assessment of the balancing test, companies have to consider a number of factors, including: