Privacy & Information Security Law Blog

On July 2, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on How the Legitimate Interest Ground for Processing for Processing Enables Responsible Data Use and Innovation (the “Paper”). The Paper explains the growing importance of the legitimate interests legal basis for organizations, whether for routine or more complex and innovative data processing activities. It provides recommendations on how this legal basis should be interpreted, used and applied to unlock the value of data in today’s global connected world. Finally, the Paper includes examples of data processing activities where organizations currently rely on the legitimate interests legal basis, illustrated by 16 case studies that describe how organizations balance the legitimate interest of the controller and individuals’ rights and freedoms.

The paper is released in the context of the European Data Protection Board’s update to its 2014 opinion on the legitimate interests, but it is also meant to be relevant for any jurisdiction where data protection law includes legitimate interests as a legal basis for processing personal data, as well as for policymakers in countries looking to adopt a data protection regime. Regulators and policymakers have the opportunity to make the legitimate interests legal basis for processing a catalyst for accountable data practices that drive economic development and innovation in a privacy-preserving manner.

In the Paper, CIPL recommends that regulators and policymakers:

• Acknowledge that there is no hierarchy among different legal bases;
• Emphasize that organizations must rely on the most appropriate legal basis;
• Do not adopt an overly restrictive interpretation of the legitimate interests legal basis;
• Acknowledge that the legitimate interests legal basis promotes risk-based organizational accountability;
• Confirm that the legitimate interests legal basis enables a robust level of protection for individuals;
• Do not automatically exclude certain types processing activities from the legitimate interests legal basis;
• Confirm that individuals’ right to object may be unsuitable in certain situations;
• Recognize that the legitimate interests legal basis is relevant for routine as well as innovative data processing activities;
• Refrain from asking organizations to publish their legitimate interests legal basis assessments (the so-called “balancing test”); and
• Acknowledge that mitigating measures impact the balancing of interests of the controller, third parties, society and individuals.