Privacy & Information Security Law Blog

On November 23, 2020, the Dutch District Court of Midden-Nederland (the “Court”) determined that the concept of a legitimate interest for processing is broader than simply being an interest derived from law, overturning a fine by the Dutch data protection authority (the “Dutch DPA”).

The Dutch DPA, Autoriteit Persoonsgegevens, issued a €575,000 fine in July 2020 against VoetbalTV, which allowed football players and fans to view professional video footage of amateur matches on its platform, on the basis that it lacked a legal basis for its processing of personal data, as required by Article 6(1) of the EU General Data Protection Regulation (“GDPR”). Thereby, VoetbalTV was also considered to have infringed GDPR Article 5(1)(a), which sets out the data protection principle that processing must be carried out lawfully.

Specifically, the Dutch DPA took a restrictive interpretation of legitimate interests that can be relied upon to legitimize the processing of personal data pursuant to Article 6(1)(f) of the GDPR. According to the Dutch DPA, a legitimate interest is one designated as a legal interest under law, and must have an “urgent and specific character” deriving from a rule or principle of law. According to the Dutch DPA, purely commercial interests do not constitute a legitimate interest that can serve as a legal basis for data processing activities under the GDPR.

In overturning the Dutch DPA’s decision, the court relied on guidance issued by the European Data Protection Board (the “EDPB”), which provides that legitimate interests can cover a range of different interests, provided that they are real and present (not speculative), meaning that all kinds of factual, economic and idealistic interests can qualify as legitimate interests.

The Court endorsed the position of VoetbalTV, which argued for a broad interpretation of the concept of a legitimate interest, stating that such an interest should be considered to be present unless the interest is contrary to the law (and provided that the interests or fundamental rights and freedoms of the data subject are not overriding). In doing so, the Court also relied on translations of the GDPR concepts of legitimate interest and legal obligation in Dutch, German and French, which indicate a clear distinction between the different legal bases for processing. The Court also considered this broad interpretation to be in line with Recital 47 of the GDPR, which provides that direct marketing may constitute a legitimate interest. The Court commented that the legitimate interest concept should be interpreted as an “an external border . . . and not as a threshold.”

The Court also determined that the Dutch DPA had not taken sufficient care in making its decision, as it stopped its investigation after determining that no legitimate interest existed, rather than considering the validity of the balancing test carried out by VoetbalTV.