A legitimate interest within the meaning of Article 6(1)(f) GDPR does not need to arise from the law, it just needs not to be contrary to the law, the Court of Justice of the European Union (CJEU) ruled on 4 October 2024. This has finally clarified the interpretation of legitimate interest at European level. This blog explains the CJEU ruling in more detail.
What preceded it?
The Royal Dutch Lawn Tennis Association (KNLTB) is an association-style sports association. Its members consist of affiliated tennis associations and their association members. When someone joins a tennis association affiliated to the KNLTB, that person automatically becomes a KNLTB member.
The KNLTB has shared personal data of its members with two sponsors, namely TennisDirect and the Dutch Lottery Organisation. In particular, members’ names, addresses and places of residence were shared with TennisDirect for the purpose of sending a discount flyer by post. The KNLTB received compensation for sharing personal data.
Following complaints to the Dutch Data Protection Authority (DPA), it ruled that the KNLTB acted in breach of the GDPR because personal data was passed on without these members’ consent and without a lawful basis for providing their data. By decision of 20 December 2019, the DPA imposed a fine of €525,000 on the KNLTB.
It is not in dispute that the KNLTB did not obtain the consent of its members to share the personal data. The KNLTB takes the view that it has a legitimate interest within the meaning of Article 6(1)(f) GDPR in the processing. The legitimate interest: creating a strong bond between the KNLTB and its members, and being able to offer added value to membership, in the form of discounts and offers with partners, enabling those members to play tennis at an affordable and accessible price. The DPA believes that a purely commercial interest does not fall within the scope of the article. Only when there is an interest laid down in a law is there a legitimate interest within the meaning of the article.
CJEU ruling
The CJEU states first that any processing of personal data must be carried out in accordance with the principles of Article 5 of the GDPR and satisfy the exhaustive justification requirements of Article 6 of the GDPR.[1] If the processing is not based on consent, the other justifications of Article 6(1)(b) to (f) GDPR should be interpreted restrictively.
Referring to the Court’s settled case law[2] , the CJEU reiterates the three conditions for successful reliance on Article 6(1)(f) GDPR:
- The controller must pursue a legitimate interest in processing;
- The processing of personal data must be necessary to pursue that legitimate interest, subject to the principles of proportionality and subsidiarity;
- The interests, fundamental freedoms or fundamental rights of the person concerned must not override the legitimate interest of the controller.
The CJEU held that the legitimate interest does not have to be established by law, however, the claimed legitimate interest must be legitimate. A commercial interest of the controller may be a legitimate interest within the meaning of Article 6(1)(f) GDPR to the extent that it is not contrary to law. It is up to the court to assess whether such an interest exists on a case-by-case basis, taking into account the applicable legal framework and all the circumstances of the case.
Implications for Dutch practice
The DPA has long taken a very restrictive stance, not qualifying a purely commercial interest as a legitimate interest. Earlier, the Administrative Jurisdiction Division of the Council of State (ABRvS) ruled in the VoetbalTV issue that a commercial interest (in addition to non-commercial interests) is in any case taken into account when assessing whether there is a legitimate interest. This did not involve a purely commercial interest, leaving that question unanswered.
With the CJEU ruling, the question of whether a purely commercial interest can qualify as a legitimate interest does now have a conclusive answer. The ruling is not a big surprise, after all, the DPA was already reprimanded in 2020 by the European Data Protection Board (EDPB) for its strict interpretation of the concept of legitimate interest.[3] Now there is finally European clarity in the interpretation of legitimate interest.
The question now is whether the DPA will adjust its policy and be less strict in imposing fines in the future when a commercial interest is the basis for processing personal data. In any case, the CJEU ruling creates more clarity on the broader interpretation of legitimate interest, which may have implications for future enforcement decisions by the DPA.
[1] CJEU, judgment of 4 July 2023, Meta Platforms and Others (General terms of use of an online social network), C252/21‑, EU:C:2023:537, para 90.
[2] CJEU 29 July 2019, ECLI:EU:C:2019:629 (Fashion ID).
[3] Letter from the European Commission, Directorate-General for Justice and Consumer Affairs (DG JUST) dated 6 March 2020, ref Ares (2020) 1417369.