CJEU Rules on Scope of Legitimate Interest Basis under the GDPR

On October 4, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in case KNLTB (C‑621/22). In this judgment, the CJEU was called upon to clarify the concept of “legitimate interests” and, in particular, whether purely commercial interests can be considered as legitimate under the EU General Data Protection Regulation (“GDPR”).

Background

The case arose from an appeal against a decision of the Dutch Data Protection Authority (“DPA”) in which an organization was fined for, inter alia, having relied on purely commercial interests as a legal basis for processing personal data. In its decision, the Dutch DPA took the position that the legitimate interest basis under Article 6(1)(f) of the GDPR can only be relied on for data processing activities that are necessary for interests that are enshrined in, and determined by, law. The DPA maintained that legitimate interests must be evaluated as being worthy of protection by the EU legislature or by the national legislature (i.e., an active action from the legislature is necessary for an interest to be legitimate). The controller, on the other hand, argued that a “negative criterion” applies to legitimate interests, meaning any interest may constitute a legitimate interest unless it is contrary to the law (i.e., the interest will be legitimate unless the legislature actively blocks it).

The CJEU’s Decision

In response to preliminary questions raised by the Dutch District Court, the CJEU restated its cumulative three-step test for assessing whether interests should be considered legitimate under Article 6(1)(f) of the GDPR: (1) the controller or a third party must be pursuing a legitimate interest; (2) the processing of personal data must be necessary for the purposes of the legitimate interest pursued; and (3) the interests or fundamental freedoms and rights of the data subject must not outweigh the legitimate interest of the controller or of a third party.

In assessing which interests may be legitimate, the CJEU recalled that, in the absence of a definition of that concept in the GDPR, a wide range of interests is capable of being regarded as legitimate. According to the Court, the GDPR does not require that the interest pursued by a controller be provided for by law in order for the processing of personal data carried out by the controller to be legitimate. With this conclusion, the CJEU rejected the Dutch DPA’s position and acknowledged that purely commercial interests can serve as a legal basis for data processing under the GDPR.

The CJEU also added that unlawful interests cannot be regarded as legitimate, and that for an interest to be legitimate, it should not be possible to achieve the purpose of processing just as effectively by other means that are less restrictive of the fundamental rights and freedoms of data subjects, particularly through less extensive processing of personal data.

Read the CJEU’s decision.
