On Legitimate Interest Assessment
NPC Circular No. 2023-07 states:
SECTION 4. Requisites for Processing Based on Legitimate Interest; Legitimate Interest Assessment. — Processing based on legitimate interest requires the fulfillment of the following conditions:
A. The legitimate interest is established;
B. The means to fulfill the legitimate interest is both necessary and lawful; and
C. The interest is legitimate and lawful, and it does not override fundamental rights and freedoms of data subjects.
There is no prescribed form for a legitimate interest assessment. The PIC or third party is not precluded from using any existing method, structure, or form, provided that the PIC or third party applies the requisites for processing based on legitimate interest in its assessment.
SECTION 5. The Legitimate Interest is Established (Purpose Test). — A PIC shall determine the existence of a clearly established legitimate interest, including a determination of the objective of the specific processing activity.
A. The purpose of the specific processing activity must be specific, such that it is clearly defined and not vague or overbroad;
B. The purpose of the specific processing activity must not be contrary to laws, morals, or public policy following the principle of legitimate purpose; and
C. The interest established must be declared to the data subject prior to the processing or at the next practical opportunity, following the principle of transparency and the right of the data subject to be informed.
SECTION 6. The Means to Fulfill the Legitimate Interest is Both Necessary and Lawful (Necessity Test). — The means or method chosen for the specific processing activity undertaken to accomplish the legitimate interest of the PIC or the third party should be necessary and lawful.
A. The means to fulfill the legitimate interest must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose, in accordance with the principle of proportionality; and
B. The means chosen to accomplish the legitimate interest is itself lawful. The PIC cannot violate any law in the process of accomplishing its legitimate interest.
SECTION 7. The Interest is Legitimate and Lawful, and it Does Not Override Fundamental Rights and Freedoms of Data Subjects (Balancing Test). — A PIC or third party relying on legitimate interest shall determine whether the processing undertaken does not override the data subject's fundamental rights and freedoms. In doing so, the PIC or third party shall look at the effect or impact of accomplishing the legitimate interest and consider the purpose of processing the interest established and the means by which it is fulfilled.
The factors that may be considered include but are not limited to:
A. Effect or impact of the specific processing activity on the data subject;
B. Measures implemented to protect the personal information involved in the specific processing activity or to mitigate the effect or impact of the specific processing activity on the data subject (e.g., privacy-enhancing technologies);
C. Availability of other means or methods to fulfill the legitimate purpose; and
D. Reasonable expectation of the data subject on the specific processing of their personal information taking into consideration the surrounding circumstances of each case. A PIC shall consider what a reasonable person would find acceptable under the circumstances taking into consideration the interest established.
Section 7(D) refers to the reasonable expectation of privacy test.
Ireland's Data Protection Commission recently fined LinkedIn for failing the legitimate interest test. As background, LinkedIn uses data provided by its users, as well as data inferred from it, to place users into categories that can then be used for services such as targeted advertising.
As reported by the IAPP:
The CJEU's test for assessing whether a legitimate interest can be used as a lawful basis includes that it should be pursued, the need to process the data and the fundamental freedoms and rights of the user are not outweighed by legitimate interests.
According to [Ireland's Data Protection Commissioner] Sunderland, LinkedIn sufficiently passed the first two prongs of the test. "We found that the target of advertising carried out by LinkedIn helped its customers target individuals with more relevant jobs and ads, which in turn generated an income," he said.
For the second prong, the DPC "found that the processing was necessary for the pursuit of those legitimate interests." And though the DPC said LinkedIn could have used "less intrusive ways to pursue both its own interests and those of its members and third parties. ... we accepted that LinkedIn had demonstrated at the time of the inquiry there were no less restrictive means of achieving the interest in question that could equally effectively achieve the aims pursued."
It was the third prong of the test, however, that "LinkedIn failed, in that legitimate interests were overruled by the interests and fundamental rights" of the data subjects.
... the agency "identified a range of negative impacts on individuals and this included the wide range of inferred categories of data and a particularly concerning possibility that in the professional context, an individual could be targeted, or more problematically, excluded from job advertisements based on inferred data that would be inappropriate to consider in a professional context, such as gender or age, and there are also a larger number of segments and interest categories." He also noted potential inferences "could be incorrectly segmented."