In our analysis of the information available on the UK charity scandal the other day, one of the main points we focused on was the use of legitimate interests as a legal ground for processing personal data. This condition for processing is currently being visited in the trilogue discussion of Chapter II of the EU Data Protection Regulation.

As we noted yesterday, the EU Council of Ministers’ draft of the Data Protection Regulation proposes expanding the potential scope for the “legitimate interests” processing condition on the basis that it is “good for business” to allow new and novel processing purposes solely on the basis of the “legitimate interests” of an organisation. This current scandal shows one way in which direct marketing does look to be pretty clearly violating the rights of an individual.

I’ve been looking back at the legislation and expert opinions on the limits of “legitimate interests” as a basis for processing, so beware of large block quotes ahead.

The Current Legislation:

The “Legitimate interests” condition is listed in Article 7 of the Data Protection Directive (95/46/EC). It sets out legal grounds for processing personal data based on reasons other than unambiguous consent of the subject. The Directive states the following are legitimate conditions for processing personal data:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

The “legitimate interests” clause in current legislation is therefore balanced against other rights, particularly the rights to privacy and to the protection of personal data, as enshrined in Articles 7 and 8 of the Charter of Fundamental Rights. This gets a bit circular, but when it gets down to it, fundamental human rights which are made binding by EU Treaty trump national legislation or guidance based on national legislation. Even if they’ve been currently ignored.

The confusion sets in when we start taking into account differing national implementations of the Directive and interpretations of the national implementations. For instance, the UK ICO’s example of legitimate interests as a condition for processing given in its Code of Practice for Data Sharing does note fairness requirements, but it makes a comment on the likelihood of prejudicing rights and freedoms that may be construed in a way that misses the requirement to balance processing against the individual’s fundamental right to data protection:

For example, a catalogue company providing extreme sports accessories wants to sell a list of customer names and addresses onto a travel agent that offers adventure holidays. In this case the legitimate interests condition is likely to be the catalogue company’s basis to process this data. The data shared is not sensitive personal data and their use of the information in this scenario is unlikely to prejudice the rights and freedoms or legitimate interests of the customers. Having a condition for processing will not ensure that the processing will meet the other requirements of the DPA. The catalogue company needs to consider the fairness requirements of the Act and would need to comply with the other principles.

The Article 29 Working Party published an opinion stating that the lack of a clear, harmonized interpretation of Article 7(f) raises issues that both weaken individuals’ privacy rights in some cases and add extra barriers to businesses in others. They clarify that it is incorrect to see the “legitimate interests” ground as an “open door” to legitimize data processing that doesn’t fit under the other grounds, and that “Article 7(f) is not a get out of jail free card for data processing.”

Similarly, the European Data Protection Supervisor has stated that “The requirements for all data processing to be limited to specific purposes and on a legal basis are cumulative, not alternatives.” Legitimate interests would not seem to be sufficient grounds to process personal data in the absence of other legitimate processing conditions because they must be proportionate and necessary, balanced against the fundamental rights to privacy and data protection.

The upcoming EU General Data Protection Regulation

Increasing clarity, ensuring a consistent interpretation, and making sure that individuals across the EU have equal access to their rights to privacy and protection of their personal data are some of the purposes of the upcoming Regulation. But the leaked drafts of the legislation have many people worried that an attempt to take a “pro-business” stance is resulting in the weakening of protection of these fundamental rights. The Council of Ministers’ draft of the upcoming data protection regulation seems to seek to broaden the “legitimate interests” conditions for processing personal data, particularly carving out space for direct marketing. Amendment 16 of the Council draft currently states: (…) “The processing of personal data for direct marketing purposes can may be regarded as carried out for a legitimate interest.”

(p. 67 of 683. If you want to trawl through the whole thing it’s here: http://www.statewatch.org/news/2015/jul/eu-council-dp-reg-trilogue-10391…)

Steve Peers at EU Law Analysis has raised concerns about a possible weakening of the Purpose Limitation principle, stating:

The Commission proposes that changing the purpose should be acceptable on any of the grounds for the initial processing of the data, except for the legitimate interests of the controller. The Council wants to allow a change of purpose for any of the grounds for the initial processing, including the legitimate interests of the controller; while the EP does not want to provide expressly for any incompatible processing at all. The Council’s position in particular would turn the purpose limitation principle into the very smallest of fig leaves.

The Article 29 Working Party has also voiced concerns about the Council’s position in extremely strong terms:

In fact, according to the Council, it will be possible for a data controller to further process data even if the purpose is incompatible with the original one as long as the controller has an overriding interest in this processing . . . The Working Party considers that this situation would render one of the fundamental principles of the data protection framework, the purpose limitation principle, meaningless and void. The principle is enshrined in Article 8(2) of the Charter of Fundamental Rights of the EU.

Considering that the direct marketing activities that the Daily Mail exposed already have their strongest defence under an interpretation of the current, more stringent understanding of “legitimate interests” as a ground for legitimate processing, we have a very strong example of exactly why these experts are concerned that this part of the Regulation might weaken the protection of privacy rights.

Looking at a Market-Based Model of Privacy to Understand the Balance of Rights

The question of balancing individuals’ privacy rights against communication rights and the need for businesses to engage in direct marketing to do business has been approached in different ways. American legal scholars Ian Ayres and Matthew Funk proposed a market model to balance the intrusiveness of direct marketing by requiring marketers to compensate people monetarily for the social costs of being marketed to. While this thought experiment proposing compensation as a way to deregulate direct marketing takes a view of privacy as a commodity that isn’t easily compatible with the European assertion that privacy is a fundamental right, the proposal clearly identifies social costs that are infringements of rights. These may be taken into consideration when trying to find a balance of rights in a European framework.

The authors clearly identify direct marketing of all types as a “nuisance” that is not just irritating but “more burdensome to the recipient than beneficial to the sender”. They identify this nuisance as a violation of privacy that “. . . intrudes literally into the most intimate parts of our homes—our bedrooms, our kitchens, our living rooms—because these are the very places where we want telephones to give us ready access to our friends and family and solicited contacts with the marketplace”. Furthermore, they argue that this invasion of privacy is supported by a legal framework that “does not compel direct marketers to internalize the full costs of their activities”. Consumers bear more of the costs of direct marketing than the marketers do. In other words, unsolicited direct marketing as an activity is already unbalanced in a way that violates individuals’ privacy rights. (Source: Ayres, Ian and Funk, Matthew, “Marketing Privacy: A Solution for the Blight of Telemarketing (and Spam and Junk Mail)” (2003). Faculty Scholarship Series. Paper 1243.)

The invasion of privacy identified here is reflected in the recent Eurobarometer survey finding that 67% of people felt they didn’t have control over what happens to their data (TNS Opinion & Social network, Special Eurobarometer 431, “Data Protection Report”). It’s somewhat interesting that US scholars in Law and Economics with a commodity approach towards privacy have gone further to identify direct marketing as a violation of privacy rights than those drafting overarching data protection legislation in an EU framework where privacy is enshrined as a fundamental right.

Even if the upcoming regulation ends up declaring that direct marketing is a “legitimate interest”, it still comes down to balance. We must consider the relative costs and intrusions on people’s rights and their ability to do business. Another question of balance the current situation raises is that of the mental competence of an individual, not just as a question of knowing and meaningful consent, but of how the “legitimate interests” ground for processing interacts with this. Current drafts of the Regulation look to consider the interests of children in particular with regard to the “legitimate interests” clause. As this relates to the question of competence to understand risk and meaningful consent, it might be better to rely on standards of “competence” (which a man suffering from dementia did not have) and vulnerable people rather than try to determine an age cut-off. In any case, the rights to privacy and protection of personal data are binding under EU treaty, and processing of personal data under “legitimate interest” conditions must still be proportionate and necessary in the context of Article 8 of the Charter of Fundamental Rights.