But how exactly does EU law achieve the weighing of competing legitimate interests and rights in a data protection law context?
I’ve previously written (here) about the concept of legitimate interest under data protection law and how it has captured the attention of data protection agencies, as well as the EU institutions in informing the relevant provisions under the new General Data Protection Regulation (GDPR) to apply from May 2018.
As a reminder, there is a general prohibition on processing personal data unless a particular condition or ‘gateway’ exists as a pre-requisite to lawful processing. A possible six such conditions are set out in Article 7 of the Data Protection Directive (DPD) which EU Member States (MS) may choose to implement. These include the most recognised condition of obtaining the data subject’s consent for the processing, as well as five less well-recognised conditions. The final one on the list (Article 7(f)) introduces the concept of legitimate interest. It states that “processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1)”.
In interpreting this legitimate interest condition, the EU Article 29 Working Party (WP) published an Opinion 06/2014. It provides useful guidance in setting out in detail the factors to be considered when carrying out the so-called ‘balance of competing interests’ test set out in Article 7(f) in practice – i.e. for use in balancing whether personal data processing is warranted or unwarranted taking into account the interests of the data controller, versus the interests and rights of the data subject, as assessed on the relevant facts. Opinion 06/2014 also includes a useful list of practical examples designed to illustrate the application of the test.
Yet interpretation of the legitimate interest condition currently differs widely between MS, which has led to divergent applications, resulting in legal uncertainty in this area, as well as litigation. See, e.g., the CJEU 2011 judgement in ASNEF and FECEMD, Cases C-468/10 and C-469/10, 24 November 2011. In that case, the CJEU emphasised MS’ margin of discretion in in the interpretation of Article 7(f), on the basis that the DPD does not itself prescribe the factors to be taken into account when balancing the interests of data subjects and data controllers.
In particular, as legitimate interests are not defined in the DPD, it is often left to data controllers under the supervision of MS national courts to decide whether there is a legitimate aim which justifies the interference with fundamental individual rights. Moreover, even when a legitimate interest is found to exist, there is a risk that some categories of personal data processing may be deemed highly desirable to (but not necessary for) its achievement and, therefore, in breach of data protection rules.
Guidance in this area was re-examined with the publication this week of an Opinion by Advocate General (AG) Bobek of the Court of Justice of the EU (CJEU) in a case referred for a preliminary ruling to the CJEU by the Latvian Supreme Court: Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, Case C-13/16, 26 January 2017.
By way of background, in 2012 a road accident occurred when a taxi pulled up alongside a bus and the passenger (a minor) opened the door damaging the bus. The damage to the bus was the passenger’s fault. The bus company asked the police for the passenger’s name, national identity number, and address. In turn, the police provided the passenger’s name, but refused to disclose the other information arguing that they were prohibited from doing so by the Latvian Data Protection Act. The main question referred to the CJEU was whether Article 7(f) DPD imposes an obligation on a data controller to disclose all the personal data necessary to launch civil proceedings against the person allegedly responsible for an administrative offence. The Latvian Supreme Court further questioned whether the answer to the latter would vary if that person were a minor.
So, what did AG Bobek say? He opines that the bus company should not have been obstructed from obtaining the information required to issue civil proceedings. In this context, he considers the limits set by EU law for the disclosure of personal data in this situation and whether disclosure of the information requested, if permitted by national legislation, would be compatible with Article 7(f) DPD.
His explanation for his finding is as follows:
First, he says Article 7(f) provides authorisation (what he calls a ‘faculty’) for carrying out certain activities lawfully “so long as a number of elements are united” (para 33). This is distinct from an obligation on data controllers to carry out that activity (in this case the activity is to disclose information so civil litigation can be initiated).
Second, AG Bobek determines that three elements must be established for the purposes of Article 7(f):
(a) the existence of a legitimate interest justifying personal data processing;
(b) the prevalence of that interest over the rights and interests of the data subject;
(c) the necessity of personal data processing for the realisation of the legitimate interests.
Third, in relation to establishing element (a) on the facts of the case, AG Bobek says that the concept of legitimate interests is “elastic enough” (para 65) to accommodate considerations beyond the traditional categories of protecting property, health, and family life, which should include the interests underpinning the issuing of a legal claim. Therefore, the bus company was justified in requesting the personal information of a person who damaged their property in order to sue for damages. (This is also true in relation to a request for sensitive personal data because Article 8(2)(e) DPD allows the processing of sensitive personal data for the purposes of legal claims).
Fourth, with regards to the balance of competing interests test required by element (b), this test is fact-specific and must be conducted on a case-by-case basis. Moreover, in order to meaningfully carry out that balancing, “due consideration should in particular be given to the nature and sensitivity of the data requested, their degree of publicity, and the gravity of the offence committed” (para 69). On the facts of the case, AG Bobek sees no reason why the rights of the data subject should override the specific and legitimate aim of the damaged party in pursuing civil proceedings. The fact that the data subject was a minor at the time of the accident was considered but discounted as immaterial in this regard because the type of personal data processing – the disclosure of information about them – would not endanger, for example, their physical or mental well-development.
Fifth, element (c) requires the strict necessity of personal data processing for the realisation of legitimate interests on the facts. In practice, however, AG Bobek highlights what he considers to be the proper restriction on interpretation of this requirement. He resorts to metaphor to illustrate this: it should not turn “the realisation of a legitimate interest into a Kafkaesque treasure hunt, strongly resembling an episode of Fort Boyard, in which the participants are sent from one room to another to collect partial clues to eventually work out where they are supposed to go” (para 75). In other words, the AG held that the existence of alternative sources for obtaining the requested data was not relevant; the bus company should be able to obtain all the personal data indispensable for issuing a legal claim from the data controller direct.
Finally, AG Bobek concludes that common sense ought to guide interpretation of the protection of personal data in this area, which should keep in mind that the original and primary purpose of data protection law is the regulation of the large-scale, automated processing of personal data (in particular, in relation to the use of large datasets). However, in his view, “a much lighter touch is…called for in situations when a person is asking for an individual piece of information relating to a specific person in a concretised relationship, when there is a clear and entirely legitimate purpose resulting from normal operation of the law” (para 98). In other words, the AG is pointing out that there is a fine line between (on the one hand) using provisions in data protection law to protect the legitimate interests of one group, and (on the other hand) using reliance upon data protection law in ways that could obstruct another group from achieving the enforcement of their (equally legitimate) legal rights under other areas of law.
Thus, the AG’s Opinion seems to support a position of pro-active reliance upon the legitimate interest conditions as fully appropriate in certain circumstances. This position might be seen to stand in contrast to a recent trend criticising over-reliance upon the condition. Such criticisms include those set out by the WP – in its Opinion 06/2014, it cautioned data controllers against treating the legitimate interest condition as an “open door” to legitimise any personal data processing in circumstances which does not fit neatly under one of the other legal conditions.
In fact, we are left with a converse discussion point to the one raised in my last post on this topic – how should organisations judge the tipping-point at which the achievement of legitimate interests involving the processing of personal data that they hold becomes sufficiently warranted that it becomes compatible with Article 7(f)? We await the CJEU’s final ruling.
Interestingly, looking forward, the GDPR adapts the wording of the DPD to a certain extent. The new test (Article 6(1)(f) GDPR) reads as follows: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) … shall not apply to processing carried out by public authorities in the performance of their tasks”. Guidance is also provided in Recitals 47-50, e.g. Recital 47 makes it clear that the interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
In practice, these changes suggests that under the GDPR we can expect an increased spotlight on controllers ensuring that any decision to process personal data is carefully justified through the carrying out of risk assessments and documented. This is likely to become an essential requirement when the personal data of minors are involved.
So, we are left with the following question…would AG Bobek have adjudged the balance of competing interests test differently under the GDPR? Answers, please, on a postcard…