ECJ: How is “legitimate interest” to be interpreted in the GDPR?

The ECJ, on the basis of a reference for a preliminary ruling under Art. 98 para. 1 of the Rules of Procedure of the Court of Justice to rule on an interesting point of law of the GDPR.

Original proceedings in the Netherlands

The main proceedings relate to an action brought by the plaintiff before the Rechtbank Amsterdam (District Court Amsterdam, the Netherlands) against the defendant’s decision of July 30, 2020. By that decision, the defendant dismissed as unfounded the plaintiff’s appeal against the decision of December 20, 2019, by which it had imposed a fine of EUR 525,000 on the plaintiff for a breach of the General Data Protection Regulation (“GDPR”).

Subject matter and legal basis of the reference for a preliminary ruling

The reference for a preliminary ruling pursuant to Article 267 TFEU concerns the question whether the term “legitimate interest” within the meaning of Article 6 para. 1(f) GDPR extends exclusively to interests defined by law (positive test) or any interest provided that it is not contrary to law (negative test) and, in particular, whether a purely commercial interest – such as the interest in making personal data available for consideration without the data subject’s consent – can be considered legitimate in certain circumstances and, if so, which circumstances are decisive for this.

Template questions

1. How must the law bank interpret the term “legitimate interest”?
2. Is this term to be interpreted as the defendant interprets it? Does it cover only interests that are part of the law, legal and set forth in a statute? Or:
3. Can any interest be a legitimate interest provided it is not contrary to law? More specifically: Can a purely commercial interest and the interest at hand, namely the provision of personal data against payment without the consent of the data subject, be classified as a legitimate interest under certain circumstances? If so, what circumstances determine whether a purely commercial interest is a legitimate interest?

Brief description of the facts and the main proceedings

• The plaintiff is a sports association. Its members are composed of the tennis clubs affiliated to it and their members. The plaintiff works with sponsors, including Nederlandse Loterij Organisatie BV and SportshopsDirect BV. In 2018, Plaintiff provided data on a portion of its members to these sponsors in exchange for a fee, which used the data for promotions via sales letters and telephone solicitation
• Based on several advertisements alleging that the plaintiff had unlawfully disclosed personal data of its members to the aforementioned sponsors, the defendant initiated an investigation regarding the plaintiff’s compliance with the GDPR. According to the defendant, the plaintiff provided data of its members to the two sponsors in question without the members’ consent and without a lawful reason for sharing such data
• By decision of December 20, 2019, the defendant imposed a fine of 525,000 euros on the plaintiff. The plaintiff appealed against this decision. By decision dated July 30, 2020, the defendant dismissed the complaint as unfounded. The plaintiff brought an action against the latter decision before the referring court.

Main arguments of the parties to the main proceedings

• According to the GDPR, personal data may only be processed if this processing is based on a legal basis. Art. 1 GDPR lists these legal bases exhaustively. It is undisputed between the parties that Plaintiff did not have the consent of its members for the disclosure of those members’ data to the Sponsors. However, the plaintiff claims that he had a “legitimate interest” in this within the meaning of Art. 6 1 lit. f DSGVO, which the defendant denies. The parties thus disagree on the interpretation of the term “legitimate interest” and its scope.
• According to the defendant, there must be a legitimate and thus concrete interest “belonging to the law, statutory and established in a law” (positive test).

In this regard, the defendant argues, inter alia, the following:

• It follows from the 47th recital of the GDPR that the processing of personal data of persons who should not reasonably expect such processing cannot be based on a legitimate interest. It must be an interest of the controller that is recognizable in advance and that the data subject can expect. An interest that is not sufficiently identifiable in advance cannot be a legitimate interest. This interpretation also finds support in the position of the European Council in the context of the first reading of the GDPR.
• According to Art. 52 of the Charter, restrictions with regard to Art. 8 of the Charter (right to protection of personal data) would have to be provided for by law and respect the essence of this right. It follows from the fourth recital of the GDPR that the GDPR in fact implements Article 52 of the Charter. In this light, an interest within the meaning of Art. 6 para. 1(f) of the GDPR, which is essentially a restriction of the right to the protection of personal data, must therefore at least affect public interest objectives recognized by the Union or be necessary to protect the rights and freedoms of others.
• The collection and processing of personal data for the purpose of resale without the consent of the data subjects violates Article 8 ECHR. If the plaintiff has a legitimate interest, the limitation of Art. 8 ECHR is provided for by law, namely in the GDPR. Prior to the introduction of the GDPR, this restriction had not been provided for by law, so that the GDPR eliminates the previous contradiction with Art. 8 ECHR. The applicant’s position basically means that the protection now provided by the Charter and the GDPR is less than that guaranteed during the period when only the ECHR applied, which is incompatible with Article 53 of the Charter.
• According to the plaintiff, there is a legitimate interest unless this interest runs counter to the law (negative test).
• A “legitimate interest” need not be based on a fundamental right or a legal principle. It follows from the GDPR that other interests could also constitute a legitimate interest. Thus, the recital of the GDPR classifies “direct marketing” as a legitimate interest. Advocate General M. Bobek had stated in his opinion in the Fashion ID case (C-40/17) that no interest per se was excluded. In this sense, there was a decision of the Court of Justice that recognized a legitimate interest that did not correspond to a fundamental right or a principle of law (C-131/12, Google Spain). In addition, the Rechtbank Midden-Nederland (District Court of Midden- Nederland, the Netherlands) stated in a decision dated November 23, 2020, that a legitimate interest is established via a negative test.

Brief presentation of the rationale of the template

• According to the referring court, the question of whether the plaintiff has a legitimate interest in processing the personal data of its members cannot be answered beyond reasonable doubt. Neither does the settled case law of the Court of Justice provide an answer to this question (there is no “acte éclairé”) nor does Art. 6 para. 1(f) GDPR clarifies the definition and scope of the term “legitimate interest” (there is no “acte clair”). Moreover, this provision is not formulated so clearly that there can be no doubt as to its interpretation and scope.
• On the one hand, the referring court refers to the above-mentioned decision of the Rechtbank Midden-Nederland, in which reference is made to the opinion of Advocate General M. Bobek in the Fashion ID case. In that letter, he states that Directive 95/46 also contains neither a definition of the precise content of the concept of “legitimate interest” nor an enumeration thereof. In his opinion, this term is apparently quite elastic and open, no interest is excluded per se, provided that it is not illegal in itself, this term can encompass a wide variety of interests and therefore not only legal interests, but also quite a few factual, economic and ideal interests can constitute a legitimate interest. This seems to speak in favor of the plaintiff’s point of view, according to which any interest, consequently also a purely commercial interest, can be a legitimate interest. Furthermore, the referring court considers that the applicant’s view is also justifiable because the GDPR clearly prescribes when a processing operation must have a provision of law as its legal basis. On the other hand, according to the referring court, it seems difficult to reconcile the protection offered by the GDPR with the fact that the desire to make money from the personal data of data subjects without their consent is classified as a legitimate interest. In the view of the referring court, therefore, in the case of a fundamental right such as the right to protection of personal data, the defendant’s view is also justifiable. However, the referring court points out that even before the entry into force of the GDPR, the limitation of Article 8 ECHR was provided for by law. Indeed, the “legitimate interest” ground for processing was at that time provided for in Article 8(f) of the Wet bescherming persoonsgegevens (Personal Data Protection Act)