CJEU: Commercial interests can qualify as legitimate interests under the GDPR

In today’s ruling in Case C‑621/22 (KNLT v. AP), the Court of Justice of the European Union (CJEU) has finally clarified that a commercial interest of a controller may be regarded as necessary for the purposes of the legitimate interests pursued by that controller.

Dr. Sachiko Scheuing, FEDMA Co-Chair: “The ruling brings significant relief to the industry, especially for small and medium-sized enterprises (SMEs) that face challenges in collecting consent at scale. After five years of uncertainty, we now have the long-awaited legal certainty that companies can continue using Legitimate Interest as a legal basis, as they have for decades.”

History of the case: In 2019, the Dutch Data Protection Authority (AP) fined the Royal Lawn Tennis Federation (KNLT) €525,000 for unlawfully relying on ‘legitimate interest’ (Art. 6(1)f of the GDPR) as a legal basis for sharing members’ data with sponsors for promotional use. In line with its 2019 publication on legitimate interest, the Dutch DPA argued that the KNLT’s solely commercial interest could not quality as a legitimate interest under the GDPR. The KNLT appealed to the Amsterdam District Court, claiming that a legitimate interest exists unless that interest is contrary to law. The Dutch DPA disagreed, arguing that for the purposes of the GDPR a legitimate interest must be a concrete interest pertaining to the law, constituting law, and enshrined in a law. The Amsterdam court referred the matter to the Court of Justice of the European Union (CJEU) on the following three questions:

1. How should the District Court interpret the term ‘legitimate interest’?
2. Should the term be interpreted as the [Dutch DPA] interprets it? Are these interests which exclusively pertain to the law, constitute law, are enshrined in a law? Or;
3. Can any interest be a legitimate interest, provided that interest is not in breach of the law? More specifically: should a purely commercial interest, such as the interest at issue here, the provision of personal data in return for payment without the consent of the data subject concerned, be regarded as a legitimate interest under certain circumstances? If so, what circumstances determine whether a purely commercial interest is a legitimate interest?

Answering these questions altogether, the CJEU recalled that the EU legislature did not require that the interest pursued by a controller be provided for by law in order for the processing of personal data carried out by that controller to be legitimate within the meaning of Article 6(1)(f) of the GDPR. Instead, according to the Court, the EU legislature required that the alleged interest be lawful.

This does not mean that any organisation can rely on legitimate interest by simply claiming the lawfulness of their commercial purpose. As reminded by the CJEU, a controller must also ascertain that :

• The processing is necessary, namely that the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects, and
• The rights and freedoms of data subjects do not override the controller’s interest, taking into account:
  • The reasonable expectations of the data subjects
  • The scale of the processing at issue
  • The impact of the processing on the data subjects

FEDMA welcomes the CJEU ruling which re-asserts the status of ‘legitimate interest’ as a valid legal basis, correctly referencing Recital 47 of the GDPR with direct marketing purposes as legitimate interests for data controllers. The Court also rightfully stresses that legitimate interest does not provide a blank check for controllers to process personal data without restrictions. To comply with the GDPR, controllers must conduct a balancing test, implement appropriate transparency measures, and ensure that data subjects have the right to object to data processing at any time.