A new aid to interpreting “legitimate interest” on the part of the data processor

In April 2014, the Article 29 Data Protection Group published an interesting new paper: With its “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/64/EC,” a new European data protection bible is now available for justifying data collection/ processing on the basis of “legitimate interests”, which can also be read as an alternative to the statements of the Düsseldorf Group regarding the use of personal data for commercial purposes.

“Legitimate interest” and permission to process personal data

A key element of data protection law is prohibition with reservation of the right to grant permission. A permissive rule is necessary for every collection, processing and use of personal data (hereinafter collectively referred to as “processing”). Art. 7 lit. f of the EU Data Protection Directive (95/46/EC) requires all Member States to permit the processing of personal data if the processor has a “legitimate interest” in doing so and this interest is not overridden by the interests of the data subject. Sec. 28 (1) No. 2 BDSG codified this principle before the issuance of the Directive. But when is there a legitimate interest and when does the data subject’s perpetual interest in data secrecy predominate?

So far, there has been inconsistent treatment in Europe

Due to the great deal of leeway in interpreting the term “legitimate interests”, the relevant permissive rule has so far been given very different interpretations in the Member States, even though the ECJ has again just found that there should be full harmonization based on Art. 7 lit. f of the EU Data Protection Directive (ECJ, judgment of 24 November 2011, File No. C-468/10 et al.). This judgment and its predecessors found insufficient compliance in the Member States. German literature argues for a relatively restrictive application of the provision. To date, there is little in the way of legal precedent permitting data processing based on Sec. 28 (1) No. 2 BDSG. Thus far, the best known examples are credit bureaus, particularly Schufa.

The concept of legitimate interest

This could now change since the Art. 29 Data Protection Group has devoted 68 pages solely to the balancing of interests under Art. 7 lit. f of the EU Data Protection Directive and has provided clear guidelines for this balancing. In addition, the Group demonstrated the application of these balancing guidelines through several scenarios and 26 model cases. Thus, European data protection law now has available a uniform “balancing compendium” of heretofore unknown dimensions.

The Article 29 Data Protection Group

The Opinion is not legally binding in the strict sense. To understand its significance, one must consider the composition and position of the Article 29 Data Protection Group more closely. It is named after Art. 29 of the EU Data Protection Directive. Under this provision, every Member State sends a member designated by the national data protection authority to the Group, which adopts its decisions by a simple majority vote. In addition, the European Data Protection Commisioner is entitled to a vote. For Germany, the Federal Data Protection Commissioner Angelika Vosshoff is a member of the Group. Thus, the highest German Data Protection Officer can influence the Opinion. Therefore, data protection authorities in Germany cannot ignore the Opinion. And this is a positive thing for companies, since the balancing of interests in the Opinion has been much more liberally handled than has so far been done by the German data protection authorities.

Liberal balancing of interests with respect to direct marketing

This is made clear in particular through examples taken from direct marketing: Thus in one case, an advertising e-mail informing existing customers about products was permitted based on the shop operator’s “legitimate interest”, even though the customers had not consented to this. The fact that a “complex profile” of the customers was not created in the specific example, and there was a clear ability to opt out, played a role in this result. Nevertheless, from a purely data protection law perspective, a clear contradiction to the line heretofore followed by the German data protection authorities is evident (the strict provisions of Sec. 7 of the German Act against Unfair Competition (UWG) were not discussed at the European level).

Strict rules for direct marketing from the Düsseldorf Group

The strict interpretation made by the Düsseldorf Group – the association of all German data protection authorities – in the area of direct marketing is evident in the “Instructions on the collection, processing and use of personal data for commercial purposes” dated December 2013. Here, the authorities impose – at times excessive – limits on the application of Sec. 28 (3) BDSG, the central norm regulating marketing under German data protection law. This strict interpretation includes the opinion – which is also the prevailing opinion in the German literature – that Sec. 28 (3) BDSG has a blocking effect with respect to the general balancing of interests rule under Sec. 28 (1) No. 2 BDSG. According to the data protection supervisory authorities, matters regarding data processing for marketing purposes should be decided exclusively under Sec. 28 (3) BDSG.

The Article 29 Group permits solution via general balancing in direct marketing cases

The Article 29 Group has expressly stated that some Member States have misunderstood the general balancing of interests rule. It is not only meant to fill the gap in a few exceptional cases that arise due to the limitations of the other criteria for granting permission. Rather “legitimate interest” as a criterion for granting permission is independent of the other criteria for granting permission. The text of the EU Data Protection Directive does not supersede the scope of application of the “legitimate interest” criterion.

Sooner or later there will be a departure from Sec. 28 (3) BDSG

It is a good thing that the current draft of the basic data protection regulation has no criterion for granting permission that is comparable to Sec. 28 (3) BDSG. Rather, the reasons supporting the legitimacy of data processing are modeled on the old Data Protection Directive. Art. 6 No. 1 lit. f of the draft of the Basic Data Protection Regulation contains “legitimate interest” as a justification, which is very similar to Art. 7 lit. f of the Data Protection Directive. Therefore, in the future a “legitimate interest” will be used as the deciding factor in more and more cases.

Relationship to Sec. 7 UWG

Sec. 7 of the German Act against Unfair Competition (UWG) will still have to be examined parallel to data protection law provisions. The competition law aspect of direct marketing is not affected by the developments that have been addressed here. It remains to be seen whether the data protection authorities’ approach – of including an assessment under Sec. 7 UWG in the consideration under data protection law – is still viable, following the opinion of the Article 29 Group and after the issuance of the Basic Data Protection Regulation.

Conclusion: The opinion of the Article 29 Group gives new importance to “legitimate interest” as a criterion for granting permission under data protection law. This allows old BDSG questions to be reassessed in many areas. In particular, the opinion provides interesting arguments to use against the German data protection supervisory authorities in the area of direct marketing.