In the realm of data protection and privacy, the European Union’s General Data Protection Regulation (EU GDPR) and the UK’s GDPR have set a high standard for safeguarding personal data. One crucial aspect of these regulations is the concept of “legitimate interest.” It provides a lawful basis for processing personal data, but its use requires a thorough Legitimate Interest Assessment (LIA). In this article, we will explore how data controllers can conduct an LIA to satisfy EU and UK GDPR requirements, and we’ll also examine examples of fines imposed for wrongful use of legitimate interest.
Understanding Legitimate Interest as a Lawful Basis
Under both the EU and UK GDPR, legitimate interest serves as a lawful basis for processing personal data. However, using legitimate interest requires a careful balancing act between the data controller’s interests and the data subject’s rights and freedoms. Here’s how data controllers can conduct a legitimate interest assessment to ensure compliance:
1. Identify the Legitimate Interest:
The first step is to clearly define the legitimate interest that justifies the data processing. This could include purposes such as fraud prevention, direct marketing, network and information security, and more. The interest should be real, specific, and vital for the data controller.
2. Assess Necessity:
Data controllers must evaluate whether processing personal data is necessary to achieve the legitimate interest. If there are alternative, less intrusive means to achieve the same goal, data processing may not be justified.
3. Balance of Interests:
A key component of an LIA is balancing the legitimate interest of the data controller against the fundamental rights and freedoms of the data subject. This requires considering the impact of data processing on individuals and implementing measures to minimize any negative consequences.
4. Document the Assessment:
One of the most critical aspects of an LIA is documentation. Data controllers must maintain records that detail the assessment process, including the identified legitimate interest, the necessity of processing, and the measures taken to mitigate risks.
Examples of Fines for Wrongful Use of Legitimate Interest
While legitimate interest can provide a lawful basis for processing, misuse or negligence can result in significant fines. Here is an example:
- Unlawful Processing of Personal Data (violation of Article 6 of the GDPR): CNIL v Clearview AI (facial recognition). The CNIL imposed a 20 million euro fine.
To ensure the lawful processing of personal data, it is imperative to rely on one of the legal bases stipulated in Article 6 of the GDPR. In the case of Clearview AI’s facial recognition software, which failed to adhere to this requirement, the processing can be deemed unlawful.
Clearview AI, in particular, does not seek the consent of individuals whose photographs it collects and utilizes to fuel its software.
Clearview failed to secure the requisite consents from individuals, and it appears unlikely that they could have identified any other relevant legal grounds. Consequently, the CNIL has determined that there is no appropriate legal foundation for their data processing activities. The CNIL has ruled out any attempt to justify these actions based on legitimate interest, even before assessing whether Clearview handles special categories of data. The CNIL emphasized the “intrusive and extensive nature of the process” and highlighted that users “do not reasonably anticipate their images being processed by the company to provide a facial recognition system.” It’s important to note that the fact that data is publicly available does not exempt the need for a specific legal basis for web scraping practices.
The gravity of this breach led the CNIL's restricted committee to order Clearview AI to cease collecting and using this data within French territory for as long as it lacks a valid legal basis for the operation of the facial recognition software it markets.
This case highlights the importance of conducting a thorough legitimate interest assessment and implementing robust data protection measures. Fines can be substantial, and organizations must prioritize data privacy and security to avoid legal repercussions.
Using legitimate interest as a lawful basis for processing personal data under EU and UK GDPR can be a valuable tool for data controllers. However, it must be used responsibly and ethically. Conducting a comprehensive Legitimate Interest Assessment and maintaining diligent records are essential steps in ensuring compliance while safeguarding individuals' data rights and freedoms. The fine described above is a stark reminder of the consequences of failing to do so. In the complex landscape of data protection, vigilance and adherence to best practices are paramount.