On Legitimate Interest Assessment
NPC Circular No. 2023-07 states:
SECTION 4. Requisites for Processing Based on Legitimate Interest; Legitimate Interest Assessment. — Processing based on legitimate interest requires the fulfillment of the following conditions:
A. The legitimate interest is established;
B. The means to fulfill the legitimate interest is both necessary and lawful; and
C. The interest is legitimate and lawful, and it does not override fundamental rights and freedoms of data subjects.
There is no prescribed form for a legitimate interest assessment. The PIC or third party is not precluded from using any existing method, structure, or form, provided that the PIC or third party applies the requisites for processing based on legitimate interest in its assessment.
SECTION 5. The Legitimate Interest is Established (Purpose Test). — A PIC shall determine the existence of a clearly established legitimate interest, including a determination of the objective of the specific processing activity.
A. The purpose of the specific processing activity must be specific, such that it is clearly defined and not vague or overbroad;
B. The purpose of the specific processing activity must not be contrary to laws, morals, or public policy following the principle of legitimate purpose; and
C. The interest established must be declared to the data subject prior to the processing or at the next practical opportunity, following the principle of transparency and the right of the data subject to be informed.
SECTION 6. The Means to Fulfill the Legitimate Interest is Both Necessary and Lawful (Necessity Test). — The means or method chosen for the specific processing activity undertaken to accomplish the legitimate interest of the PIC or the third party should be necessary and lawful.
A. The means to fulfill the legitimate interest must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose, in accordance with the principle of proportionality; and
B. The means chosen to accomplish the legitimate interest is itself lawful. The PIC cannot violate any law in the process of accomplishing its legitimate interest.
SECTION 7. The Interest is Legitimate and Lawful, and it Does Not Override Fundamental Rights and Freedoms of Data Subjects (Balancing Test). — A PIC or third party relying on legitimate interest shall determine whether the processing undertaken does not override the data subject's fundamental rights and freedoms. In doing so, the PIC or third party shall look at the effect or impact of accomplishing the legitimate interest and consider the purpose of processing the interest established and the means by which it is fulfilled.
The factors that may be considered include but are not limited to:
A. Effect or impact of the specific processing activity on the data subject;
B. Measures implemented to protect the personal information involved in the specific processing activity or to mitigate the effect or impact of the specific processing activity on the data subject (e.g., privacy-enhancing technologies);
C. Availability of other means or methods to fulfill the legitimate purpose; and
D. Reasonable expectation of the data subject on the specific processing of their personal information taking into consideration the surrounding circumstances of each case. A PIC shall consider what a reasonable person would find acceptable under the circumstances taking into consideration the interest established.
Section 7(D) refers to the reasonable expectation of privacy test.
Ireland's Data Protection Commission recently fined LinkedIn for failing the legitimate interest test. As background, LinkedIn uses data provided by its users, as well as inferred data, to place users into categories that can then be used for services such as targeted advertising.
As reported by the IAPP:
The CJEU's test for assessing whether a legitimate interest can be used as a lawful basis includes that it should be pursued, the need to process the data and the fundamental freedoms and rights of the user are not outweighed by legitimate interests.
According to [Ireland's Data Protection Commissioner] Sunderland, LinkedIn sufficiently passed the first two prongs of the test. "We found that the target of advertising carried out by LinkedIn helped its customers target individuals with more relevant jobs and ads, which in turn generated an income," he said.
For the second prong, the DPC "found that the processing was necessary for the pursuit of those legitimate interests." And though the DPC said LinkedIn could have used "less intrusive ways to pursue both its own interests and those of its members and third parties. ... we accepted that LinkedIn had demonstrated at the time of the inquiry there were no less restrictive means of achieving the interest in question that could equally effectively achieve the aims pursued."
It was the third prong of the test, however, that "LinkedIn failed, in that legitimate interests were overruled by the interests and fundamental rights" of the data subjects.
... the agency "identified a range of negative impacts on individuals and this included the wide range of inferred categories of data and a particularly concerning possibility that in the professional context, an individual could be targeted, or more problematically, excluded from job advertisements based on inferred data that would be inappropriate to consider in a professional context, such as gender or age, and there are also a larger number of segments and interest categories." He also noted potential inferences "could be incorrectly segmented."