What is the ‘legitimate interests’ basis? (ico.org.uk)
86 points by Tomte on Oct 25, 2018 | 38 comments



Without any precedent on concrete examples of what is legitimate and what is not, this clause in the GDPR is its biggest weakness.

If a company sells something online they only really need your address & name for delivery + credit card details. Then you could argue it is legitimate to use an email to create an account, fair enough. But without precedent it's so easy to just say 'in order to increase revenue (legitimate interest) we're going to use all emails to send a newsletter, boosting sales'. And then you could use the 'Right to object' in the GDPR as a fallback for your actions.

I know of multiple companies where they prior to GDPR asked for explicit consent during signup for being allowed to send newsletters, but who post-GDPR dropped the consent and use 'Legitimate interests' to justify it. Basically leaving the individual worse off.


The legitimate interest has been around for a while. It was also a legal basis to process personal data under the 1995 Data Protection Directive which the GDPR replaced. If you are interested in learning more about the notion of legitimate interest and balancing it against the interests of individuals, there is a 2014 opinion from the body of EU data protection regulators that explains the concept with a number of examples. [1]

> If a company sells something online they only really need your address & name for delivery + credit card details.

That would likely be "necessary for the performance of a contract" which is also a legal basis to process personal data. [2]

> I know of multiple companies where they prior to GDPR asked for explicit consent during signup for being allowed to send newsletters, but who post-GDPR dropped the consent and use 'Legitimate interests' to justify it. Basically leaving the individual worse off.

That could be a violation of the ePrivacy Directive which provides that email marketing requires consent. [3]

[1] https://ec.europa.eu/justice/article-29/documentation/opinio...

[2] See Article 6.1(b) GDPR at https://eur-lex.europa.eu/eli/reg/2016/679/oj

[3] For information about how this rule is implemented in the UK, see: https://ico.org.uk/for-organisations/guide-to-pecr/electroni...


The PECR regulations specifically state that consent is the only basis for electronic marketing. The ICO guidelines also state that legitimate interest is fine for marketing, but not electronic marketing.

Anyone who dropped explicit consent for emails, text messages or phone calls is a fool.


Can you point to explicit guidance for this (legit. interest as insufficient for electronic mktg)? I'd love to see a reference as we're having this discussion internally.


> You are also likely to need consent under ePrivacy laws for most marketing calls or messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices.

source: https://ico.org.uk/media/about-the-ico/consultations/2013551...

You only need consent when legit interests don't apply, so this is basically saying it isn't sufficient.

Also:

(47) … The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

source: https://www.gdpreu.org/the-regulation/key-concepts/legitimat...


Sure. I admit, I simplified things because hackernews can be a rather hostile environment on this topic. It's not that you can't use consent, it's (as you say) that legitimate interest is insufficient as most types of electronic marketing require consent, and those where it is possible are made much harder to justify as a long-term strategy.

The PECR section on the ICO website is a good start: https://ico.org.uk/for-organisations/guide-to-pecr/electroni...

Also, the ICO has an FAQ on exactly this at https://ico.org.uk/for-organisations/guide-to-the-general-da... . It is the question "Can we use legitimate interests for our marketing activities?". The whole thing is useful, but the bit below the yellow call-out is specifically about electronic marketing, and says:

"If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls etc) legitimate interests may not always be an appropriate basis for processing. This is because the e-privacy laws on electronic marketing – currently the Privacy and Electronic Communications Regulations (PECR) – require that individuals give their consent to some forms of electronic marketing. It is the GDPR standard of consent that applies, because of the effect of Article 94 of the GDPR." There's also a helpful table of possibilities below.

There's still the so-called 'soft opt-in', which is for cases where you're emailing someone that you've recently sold something to (or given a quote to) about a similar product or service and that you've given the explicit choice to refuse communications both when you collected the data and every time you've subsequently used it.

It's certainly possible to use legitimate interest for some forms of electronic marketing, but only in very specific circumstances. To give you an idea of it in practice, one of my clients has a marketplace style site. If you try and book a service but the booking falls through, for example because the service provider is unavailable, they'll email you within a couple of days if you don't look for someone new, pushing some suggestions. Then they'll stop emailing. That's legitimate interest through soft opt-in. They also send emails periodically about new service providers in your area, that is not covered by the soft opt-in so requires consent. Same for their general service newsletters.

There is also a PDF guide at https://ico.org.uk/media/1555/direct-marketing-guidance.pdf which has some good info. The header for the electronic marketing section is "General rule: only with consent", which I think is good advice. As others have said, there are other obligations under GDPR, so even if you can stretch the soft opt-in beyond what was intended, you're likely to run up against hurdles when it comes to the balancing test, or your data minimisation obligations. The soft opt-in is specifically for cases where a member of the public would expect to get communications because of the recent sale or enquiry, as time passes that expectation goes away and it starts to become very hard to justify in a GDPR context.


After sitting in on more legal meetings than I care to recall, this isn't as weak as it sounds.

The big arguments you can make 'Well I need to collect lots of user data for ad targeting because it is a legitimate interest that I make money to support the costs of the site' have already been clarified (you can't without explicit consent).

The data authority in each EU country has some freedom to rule on this as necessary, but the feedback from the EU is that they will err on the side of telling you to justify in strong terms your need for data.


The explicit consent being the pop-ups no one reads, I assume.


No, actually. Even before GDPR, it was illegitimate to use a pre-checked checkbox, or any other process that required opt-out from the user.

This requirement was generally respected–I actually don't remember a single instance of it not being followed by European organisations.


That is exactly the legal advice we received (UK online estate agent). My guess is that so many companies are doing this, it will end up in the UK Supreme Court (post-Brexit). Even if they rule against the companies, there will most likely be a moratorium on those currently failing to comply rather than 1000s of companies being fined.


I forget where I saw it, but I thought this was a good test of whether it is legitimate interest. It went something like:

"Would a 'reasonable' person be surprised if you told them about how you were using the data?"


That scale slides around every day. And 'being surprised' and 'being happy' are very different things also.

I'd prefer to have hard limits. No collecting any info from my computer about me that isn't explicit in the interaction itself (asking for email is ok; scraping installed apps while doing that to gauge my interests is not).


“Reasonable person” tests are pretty common and well-understood in general. One of the reasons that the GDPR in particular avoids being overly prescriptive about how to meet its requirements is to avoid situations where it becomes inapplicable or obsolete due to changes in technology or habits.


In the US, a reasonable person test is meaningless without a body of precedent setting cases.

If the language of a new law uses it with regards to a new technology, then no one can be sure what the courts will decide.

It may be different in the EU, as the legal system is quite different.


It's a valid concern, but I don't think the line is as muddy as it seems at first glance: would I expect a Pyongyang hotel room to be bugged? No. But I also would not assume that it's not. With this construction you get two kinds of being surprised, with one taking all the variability derived from suspicions and the like while the other should remain quite stable. Just like most people were simultaneously surprised and not surprised at all by the Snowden revelations.

Obviously one would have to explicitly exclude from the "reasonable" test the kind of surprise that was not triggered by Snowden, because otherwise all our greatest fears would become legal by definition.


And recording your IP address in the apache log?


That's part of the "balancing test", which is one of the three tests mentioned in the article. It's definitely not sufficient to show your data processing fits the legitimate interest basis.


Technically, they do not need your credit card details. That's transient information that is only relevant at the time of purchase, as it needs to be forwarded to a financial institution to process the payment. Immediately after forwarding, the credit card information becomes entirely irrelevant (the financial institution's clearance or rejection is the ultimate goal here, to enable a transfer of funds).

And technically (at least in terms of "if it comes to litigation") your name is equally irrelevant: there is no reason to store it, there only needs to be an agreement on which label markings the buyer specifies are to be used. While the name is common, any sequence of letters or even emoji would work just fine, as long as the recipient can recognize the shipping label as being "theirs" rather than "we don't know who this package is for".

The only truly required information is the address, without which delivery cannot be made. That information will have to be stored for a longer period of time (as delivery is almost never an in-house affair), at which point it is subject to GDPR.

(But of course, in the real world, people typically consent to their information being stored in a profile locked behind some kind of login. Sometimes, though, once a case goes to trial, the real world becomes less important than the unrealistic ideal one based on requirements imposed by law)


Processing data, even ephemerally, is subject to GDPR. GDPR is not primarily about storage. The fact of the matter, though, is that most ephemerally-processed data is necessary to perform a contract, and thus legal under GDPR.


I suppose the law probably is very easy to game because I remember receiving a letter via regular postal mail from one of the top utility companies in Spain that literally said "to comply with GDPR we will contact you for marketing purposes in _OUR LEGITIMATE INTEREST_. If you do not agree, contact us at this website."

Their turnover is 50B EUR so my understanding is that they earmarked some budget to check with a lawyer to ensure GDPR compliance.

Moral: ensure that your legitimate interest is to sell more and then you are fine.


That's not gaming it, it's a feature. GDPR isn't designed to stop companies contacting you, it's designed to ensure companies have to think through what they're doing and have process for handling objections and problems. You have to do a "balancing check" to document your reasoning for why your legitimate interest is sufficient for what you're proposing to do.


> I know of multiple companies where they prior to GDPR asked for explicit consent during signup for being allowed to send newsletters, but who post-GDPR dropped the consent and use 'Legitimate interests' to justify it. Basically leaving the individual worse off.

Can you name names? Not saying I don't believe it, it's just that this seems like a pretty nonsensical approach. If companies thought that some pre-GDPR law required them to get consent, then isn't that law still in force post-GDPR?


> in order to increase revenue (legitimate interest)

Legitimate interests represents the legitimate interest of the customer not the company.

Maybe I’m naive, but I assumed that this much would be blatantly obvious.


Advertisement like newsletters can be in the interest of the customer.


You have very little understanding of GDPR and shouldn't be posting. What you say companies are doing may be true, but it isn't compliant.


PECR is still in force.


I love that completely hypothetical example of a public figure on a train making a political point.

[cough] https://www.bbc.co.uk/news/uk-politics-37167700

I mean why bother attempting to obscure it when it's such a commonly known about case.


Important to point out that the VM rebuttal has been debunked and most of those supposedly empty seats have children and shorter people in.

That choice to mislead the public makes it a bit of a weird example to use by ICO.


Note that this only addresses the lawfulness of the processing under Article 6 GDPR, which itself is only one of the required principles relating to the processing of personal data that must be upheld under Article 5.

Other principles that must be upheld, for example, are data minimization (lit c) or storage minimization (lit e).

I know that one of the supervisory authorities has already ruled that the principle of data minimization trumps the lawfulness argument of "legitimate interests" in certain cases. Certain records must be destroyed when the legally mandated terms for keeping them have expired (eg 7 years).


Hackers becoming lawyers, journalists becoming hackers! xD


Facebook’s ability to not allow you to opt out of personalised advertising is the white elephant in the room, and a clear sign that GDPR is not sufficient.


Who says that Facebook is compliant?

Enforcement hasn't really started yet, but what I've read is that they are preparing some pretty big cases.


In fact, Max Schrems (who previously got FB to start giving people access to their data) has filed a complaint hours after the GDPR went into full effect: https://www.irishtimes.com/business/technology/max-schrems-f...


They force all users to clearly consent to their terms, which is why they are GDPR clear.


Huh? Forcing consent absolutely does not make it OK.


GDPR says explicit consent is enough for data tracking. FB gives a really clearly written prompt on, "By using FB I...". Pretty sure they are compliant, regardless of your moral judgments.


GDPR says consent must be freely given, that is, that you can't deny access to services or content based on it - see Recital 43.

The philosophy behind the GDPR is that personal data shouldn't be used as payment.


Nothing to do with "moral" judgements, it's simply not in compliance with the law.

Just like many US companies think they can enforce things by click-through license agreements. Those are simply not legal/enforceable in Germany.



