Applying Legitimate Interest Under GDPR
On May 25, 2018, the General Data Protection Regulation (GDPR) takes legal effect. Like many privacy regulations, GDPR comes with gray areas and allowances for circumstances in which processing without consent is permissible, including the question of Legitimate Interest.
The world has been given some two years to get ready for this Europe-wide law, which replaces an earlier directive (Directive 95/46/EC) that required the Member States to adopt their own national data protection laws. GDPR essentially replaces those domestic laws, which often differed quite remarkably. It will be easier to comply with one regulation that is in effect, and interpreted the same way, throughout Europe. But the regulation also extends its reach abroad, to overseas businesses that have no physical presence in Europe.
The regulation basically says one cannot “process” (i.e. collect, store, manipulate) personal information about persons located in the EU unless one of six lawful bases applies. We suggest that for most businesses only the first and last will be available for marketing and behavioural tracking (fulfilling an order the customer actually placed falls under the second, contract, basis), and that too broad a reliance on the last is wishful thinking.
Article 6 of the GDPR states as follows:
- Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
For most businesses that sell goods and services, the only plausible bases for marketing and tracking are (a), consent, and (f), legitimate interest, and the best thinking on this subject says that few foreign businesses can safely rely on (f). There are several compelling reasons why, one of the most serious being Article 3(2) of the GDPR, which brings businesses outside the EU within the regulation’s scope. It reads:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
In short, Article 3(2) brings you within the regulation if you offer goods or services to people in the EU or monitor their behaviour, which probably includes tracking someone from site to site to determine interests and motivation. Once you are in scope, Article 6(1)(f) applies on its own terms: your interests as controller come second to the individual’s fundamental rights, and that balancing test rarely favours marketing to, or tracking, people who never asked for it. In practice the only reliable ground for lawfully processing personal data for those purposes is the individual’s consent, which under GDPR must be freely given, specific, informed and unambiguous.
If a French woman finds your wonderful website and falls in love with that green blouse, or books a room in your hotel in Chicago, it seems over-reaching for Europe to claim you are subject to the law because she found you and became a customer. Recital 23 of the GDPR agrees: the mere accessibility of your website from the EU is not enough. But it would not seem overreaching if you were looking for her and took steps to attract her across that border and to your site; the same recital points to factors such as using a language or currency of a Member State, or mentioning EU customers, as evidence of that intent. Likewise, a broad category interest does not constitute a narrow brand interest; i.e., the fact that someone wears shoes does not, in and of itself, give your shoe brand a legitimate interest in sending that person communications.
Does your website promote to European customers? What are you doing on Facebook and other venues to drive European traffic to it? Do you run mailing campaigns into Europe that emphasize your engaging website?
Does your website get promoted in France when people in France search for “green blouse” or “Chicago hotel”? Does your check-out facility support foreign currencies or accept foreign credit cards? Does customer service speak French? Does your registration page have a “Country” space in the address collection function?
In short, making your website welcoming to European residents, or taking other steps within the EU to drive traffic to your site, is probably “offering goods or services to data subjects in the Union”. It becomes even more likely if your analytics can identify the national source of your website’s traffic and you use that knowledge in planning your web presence.
Moreover, mail campaigns to people with addresses in Europe that invite a response to your website, or a call to your sales group in Baltimore, are “offering goods or services to data subjects in the Union”. You should be prepared to demonstrate that your organization is in compliance with the GDPR.
In short, this matter is serious enough that, if you have not yet researched what you must do to understand and comply with the GDPR, including its legitimate interest basis and the other scenarios above, you should do so now. It would also be wise to examine your organization’s routine for responding to individual concerns or complaints about your data collection or processing. Honor opt-outs: under Article 21, a person may object to direct marketing at any time, and once they do, their data may no longer be processed for that purpose. Requests from data subjects must generally be answered without undue delay and within one month (Article 12). A system that responds quickly, thoroughly, and with sensitivity will be good insurance against an annoyed or disgruntled data subject in the EU complaining to the authorities.
Rest assured that here at Data Services, Inc. we are making every effort to fulfill our obligations in processing and protecting your data and to respond as quickly as possible to any complaints or concerns that reach us. We look forward to the challenges as the industry adapts to this new data protection regime in Europe.
VP of Sales | Cloud Technologist | Thinker | Problem Solver
Keith - this was fantastically written. I wish more businesses would start to pay attention to the ramifications of non-compliance with GDPR. I am confident you will be receiving countless questions and concerns after May 25th, when the world changes!