Legitimate Interests: Italian DPA Issues Decision and CIPL Provides Recommendations

As the countdown to GDPR continues, it is becoming clear to many that legitimate interests will be a popular choice for legal basis of processing under Article 6(1).

The legitimate interests ground is set out in Article 6(1)(f) of the GDPR, which states that one way in which data processing may be considered lawful is where:

[P]rocessing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Recent Italian DPA Decision

Recently, the Italian data protection authority (“Garante”) announced in its monthly newsletter that it had ruled against automotive service company Belron Italia in a decision under Article 24(1)(g) of Italy’s Data Protection Code, Legislative Decree No. 196/2003, on Belron Italia’s use of legitimate interests as a legal basis for processing.

The legitimate interest to be served by the processing, according to Belron Italia, would be for insurance antifraud purposes. Specifically, Belron Italia sought to create a database to record and track the data of its customers who had requested a quote for automobile window repair and then cross-reference that data against lists of individuals who had applied for window insurance or filed an insurance claim within six months. Belron Italia would then share this information with its affiliated insurance companies to assist them in preventing fraudulent insurance claims.

In its decision, the Garante cited three main concerns:

  1. It is typically the domain of public bodies to investigate and police fraud. Allowing a private organization to create a database for such a purpose would effectively grant a supervisory role to that private organization, with no guarantees of impartiality.
  2. The use of such a database would result in an unjustified presumption of fraud on individuals who had requested a quote for window repair but did not follow through with an actual replacement, resulting in potentially harmful and unfair effects on innocent data subjects.
  3. Belron Italia presented insufficient analysis as to whether its interests, and the interests of the insurance companies, would be overridden by the interests or the rights and freedoms of the data subjects.

The Garante’s decision is an important case study, as it is useful in understanding how DPAs might approach legitimate interest analyses in the future under the GDPR. Until recently, legitimate interests have been rarely used as a legal basis for processing, so this decision by the Garante serves as important guidance on the approach of DPAs.

Overall, the message is clear: to rely on legitimate interests as a legal basis for processing under the GDPR, companies will need to not only assess the interests of their business or society in general, but also document a thorough analysis that includes a context-specific assessment weighing the benefits against the interests and risks to the rights and freedoms of individuals.

CIPL Recommendations

We encourage companies to take a look at the Centre for Information Policy Leadership (CIPL) at Hunton & Williams LLP’s recent white paper on Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR, which makes many important points, including:

  • Legitimate interest will be an essential ground for processing in the modern information age, as it is future-proof and technology-neutral.
  • Legitimate interest will be more effective than other grounds (including consent), as it exemplifies the GDPR’s accountability framework and risk-based approach.
  • The Article 29 Working Party’s 2014 opinion on legitimate interests (Opinion 06/2014) provides useful and relevant examples and enables a stronger understanding.
  • The European Data Protection Board (EDPB) should create a database of legitimate interests cases to facilitate proper implementation, and should seek the advice of various stakeholders, including EU member state DPAs, industry and civil society.
  • The flexibility offered by the legitimate interest ground makes it useful given GDPR’s broad scope. It will be particularly useful as a legal basis for low-impact processing activities.

The Countdown Continues

As always, OneTrust will continue to track these and other developments as we prepare for when GDPR goes into effect on 25 May 2018.