In its October plenary session on 8-9 October 2024, the European Data Protection Board (EDPB) adopted new Guidelines on the processing of personal data based on legitimate interest under Article 6(1)(f) of the General Data Protection Regulation (GDPR). The Guidelines examine in detail the criteria that controllers must meet to lawfully process personal data on the basis of legitimate interest.
A public consultation on the Guidelines has been launched, and any comments must be submitted before 20 November 2024.
In its press release, the EDPB highlighted that the Guidelines also take into account the recent Court of Justice of the European Union (CJEU) ruling.
On Friday, 4 October 2024, the CJEU published its judgment in Case C-621/22 on the concept of legitimate interest under the GDPR. The background to the case relates to a €525,000 fine imposed by the Dutch Data Protection Authority (AP) on the Royal Dutch Tennis Association after it disclosed the personal data of its members to two of its sponsors in exchange for a fee.
The CJEU found that:
- Legitimate interest is not limited to interests enshrined in and determined by law, but it requires that the alleged legitimate interest be lawful.
- The processing of personal data, which consists of the disclosure by a sports federation for a fee, may be regarded as necessary for the purposes of the legitimate interests pursued by that controller, only on condition that such processing is strictly necessary for the purposes of the legitimate interest in question and that, in the light of all the relevant circumstances, the interests or fundamental rights and freedoms of those members do not override that legitimate interest.
The CJEU added that the sports federation could have informed its members and asked them whether they wanted their data shared with those third parties for advertising or marketing purposes. Implementing such a solution would have enabled the members concerned to retain control over the disclosure.
Legal analysis of the judgment from Hogan Lovells concludes that this preliminary ruling will hopefully bring an end to the Dutch legitimate interest saga of recent years, during which time the AP has maintained an overly strict interpretation.
Elsewhere, Pinsent Masons warns that the ruling could serve as a drag on the ability of European businesses to support and benefit from AI innovation.
In an update, the AP has posted a response on LinkedIn (in Dutch) to the CJEU ruling in which the regulator expresses regret over the ruling but says that it will adjust its interpretation on this point. Meanwhile, in a scathing LinkedIn riposte to the AP's reaction, Andreea Lisievici Nevin said that the "response is unworthy of a regulator" and that the AP "needs to learn from this and start genuinely serving the public interest by upholding the GDPR, not their own interpretation of it."
Separately, the IAPP has provided a summary analysis of the EDPB Guidelines.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.