Future of Legitimate Interest under the GDPR

İrem Mutlu, LL.M.

Legal Counsel, Craftgate

1. Pursuing legitimate interest with direct marketing purposes

a. What are the boundaries of direct marketing?

Under 47. Recital of the GDPR, it is explicitly stated that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. In order to leave no room for doubt, the regulator clearly places an activity within this scope in a matter such as legitimate interest, which is unclear how it will be shaped in practice. Besides, under 70. Recital of the Regulation, the right to object of data subject is emphasized when data is processed with direct marketing purposes. The data subject should have the right to object on profiling to the extent that it is related to such direct marketing, whether regarding initial or further processing, at any time and free of charge. Therefore, it is necessary to develop a sound understanding about the extent of direct marketing when the profiling starts and ends to inform data subject in an appropriate way.

The notion of direct marketing may cover many different types of marketing practices in today’s world. Therefore, to clarify its scope, WP29 has divided direct marketing into conventional direct marketing and other forms of marketing in terms of legitimate interest.[1]

b. Reasonable Expectation: According to whom or what?

Obtaining the contact details of the customers by a computer store and process them for marketing by regular mail of its own similar products and send promotional e-mails when a new product line comes into stock is considered conventional direct marketing. It is assumed that there are not any complex profiles created by the company such as analyzing of customer’s click-stream data. In this case, the customers can reasonably except to receive these e-mails for similar products as a customer of the shop. Thus, it can be based on the legitimate interest ground. WP29 points out that informing clearly about right to object of customers, free of charge and in an easy manner and the transparency of the processing constitute the elements to reach this conclusion. As another example, using the data retaining from electoral register by a candidate to send an introduction letter promoting his/her campaign to each potential voter in his/her district is deemed to be appropriate example of legitimate interest. Assuming the application of the electoral register is established by law, the interest of controller is found clear and legitimate. Provided that the data processed is limited and focused, such use falls into the scope of reasonable expectations of data subjects, here citizens.

The criterium of reasonable expectation has also the aspect of time. The Belgian DPA decided recently that direct marketing messages may be sent to former customers for legitimate interest in certain circumstances.[2] 47. Recital of the GDPR and its recommendation relating to the processing of personal data personal for direct marketing purposes[3] were based on defining these circumstances. Accordingly, when determining whether there is a legitimate interest or not, it should be evaluated whether it can reasonably expect that the data of the persons concerned may be processed for such a purpose at the time and context of the data collection. In the case, since the relationship between the data controller and the data subject ended about two years ago and the data subject did not object to the processing during this period, it was decided that it could still be considered within the scope of reasonable expectation and the complaint was rejected.

c. Does the data match different data?

Data matching from different sources and creating a profile does not fall into the scope of the conventional direct marketing. To illustrate, an online pharmacy carrying out marketing which process data about medicines and other products that customer purchased or obtained by prescription combines this information with demographic information of customers such as age and gender.[4] In addition, the click stream data of customers is processed while browsing on the website. Consequently, a health and wellbeing profile of customers is created which include predictions about being pregnant, suffering from a particular illness, interest in dietary supplements etc. After analyzing this data, the pharmacy uses it to offer non-prescription medicines, health supplements and other products to its customers. In this example, legitimate interest ground cannot be applicable in many ways. First, the marketing activity involves sensitive data, and many people would not reasonably expect that this information is processed purchasing in an online pharmacy shop. Second, the extent and manner of profiling that uses predictive algorithms results in a high level of intrusiveness.

d.  Careful with excessive data!

Similarly, collecting information for targeting purposes sometimes may cause excessive data processing. As an example, a non-profit-seeking body collects data on its social networking sites about liked or shared messages the organization posted, regularly viewed or re-tweeted.[5] Then it sends messages and newsletters to its members according to their profile to carry out fundraising activities. Elderly dog owners who liked articles on animal shelters receive different fundraising appeals from families with small children. Besides, people from different ethnic groups also receive different messages. As it is a philosophical organization, it processes special categories of data such as philosophical beliefs. In the Regulation parallel with the Directive special categories of personal data may be processed during the legitimate activities with appropriate safeguards by an association. However, WP29 found this condition not sufficient for a lawful processing. In this case the way that the data is processed, the amount of data collected and the lack of transparency about the reuse of data exceeds the reasonable expectations of its members, and it can only be relied on the explicit consent.

2.     Profiling and Behavioral Targeting

One step beyond the pursuing legitimate interest for direct marketing purposes, and a more dangerous future dimension is profiling and behavioral targeting. Today’s marketing industry is passionate about behavioral targeting focusing on user experience. Mark Wilmot explains the beginning of this era with these words probably with no expectation about this potentially dangerous practice in the future:

“Something amazing happens when marketing efforts are actually relevant to people. We see this step as initiating that crucial dialogue. And shoppers, for their part, are replying; essentially giving permission to marketers to learn their habits and respond accordingly.”[6]

Even though something amazing happened in marketing industry as Wilmot claimed, individuals and organizations face complex, sometimes intangibles, and often ambiguous trade-offs. Individuals have many doubts on whether the security of their data is provided and the misuse of information they pass to other entities is avoided. In contrast, they are also eager to share their personal data with peers and third parties’ information that makes mutually satisfactory interactions possible. Organizations want to know more about the parties they interact with day by day, tracking them across transactions. Yet, they do not want to use invasive policies that complicate customer experience.[7]

a. The role of big data

One of the most effective tools that enables profiling and behavioral advertising is big data. Big data is defined by International Telecommunications Union as “a paradigm for enabling the collection, storage, management, analysis and visualization, potentially under real-time constraints, of extensive datasets with heterogeneous characteristics.”[8]Despite the different definitions of big data depending on the specific disciplines, most of them focus on “the growing technological ability to collect process and extract new and predictive knowledge from great volume, velocity, and variety of data.”[9] Although the detailed analysis of the effect of big data on the protection of personal data goes beyond the scope of this thesis, in the part of legitimate interest, it is desired to draw attention to the effect of these concepts brought by technology to the subject.

A new quantitative dimension of data which can be evaluated and used in real time can be used to deliver tailored services to consumers thanks to big data. Behavioral trackers gather data from people browsing the web and use that data to tailor the information that those people receive usually with economic interests.[10] The data processed is not limited with the websites visited, but it also includes when, how, what links are followed, every click made and the timing between them.[11] All these gathered information can be analyzed, and profiles can be created based on their behaviors.

Profiling is one of the processes that may rely on automated decision-making according to predetermined patterns or factors.[12] Obtaining consent of data subjects and individuals in big data processing presents a challenge for data protection law. Here the consent covers both the consent to being subject to tailored advertisements and profiling and the consent to the use of masses of personal data to refine and develop information-based, analytical tools.[13]

b. Two fundamentals: Awareness and Control

Regarding the profiling and targeted advertising, the fundamental points are the awareness and the control of individuals on their data. It may not necessarily be a problem if individuals are aware that they are subject to tailored adverts. However, profiling, and targeted advertising will cause problems in context of rights of individuals when it is used for the manipulation them. For instance, emotion-detection techniques which use facial expressions and voices to infer emotional states are increasingly available to merchants. Besides the effects on commercial domain, rumors or fake new may also be disseminated through manipulative platforms. Pleasing or exciting individuals, confirming their biases, triggering negative feelings and provide symbolic rewards and punishments are certain methods to canalize people with the help of behavioral targeting.[14] As to the political arena, for example, groups of undecided voters can be addressed via political messages tailored to their “personality” and attitudes.[15]

Combination of personal information across web services is one of the most used tools to guarantee best possible quality of service by companies today. Developing a privacy policy with a clause stating it will combine all personal information without any data retention period cannot be sufficient for users to have an individual control over specific combinations of their data. WP29 found an imbalance between company’s legitimate interests and data subjects’ rights in these cases.[16] Thus, in its view, the only way out for these companies is considered an informed consent provided that other principles are met.

c. Advertising network providers

Advertising network providers are bound by Article 5(3) of the ePrivacy Directive.[17] The ePrivacy Directive requires informed consent processing data by placing cookies or similar devices on users' terminal equipment or obtaining information through such devices. To be able to obtain an informed consent, WP29 imposes on the advertising network providers the obligation of creating prior opt-in mechanisms which needs an affirmative action by the data subjects indicating their willingness to receive cookies or similar devices and the subsequent monitoring of their surfing behavior for the purposes of serving tailored advertising.[18] Advertising “network providers should i) limit in time the scope of the consent; ii) offer the possibility to revoke it easily and iii) create visible tools to be displayed where the monitoring takes place” to maintain the awareness of the data subjects.[19] Due to the nature of the behavioral advertising the principle of transparency and providing clear and comprehensive information play a key role processing data.

However, Borgesius argued that in some cases it can be relied on the necessity for performing a contract as a legal basis, as the ‘contract’ would imply that the user discloses personal data, in exchange for using the social network site.[20] When the user opens an account in a social network site, it may be defended that behavioral targeting is necessary for the performance of the contract. In the same direction, European social network providers have suggested that behavioral targeting is necessary for a contract:

“Whether analyzing user data for ad targeting or suggesting individual services is lawful is a controversial topic. We would highly appreciate if the future legal framework for processing of user data would clarify that these ways of analyzing and using user data do not necessarily require consent but rather are part of the processing that is necessary for the performance of a contract to which the data subject is party.”[21]

Concerning the possibility of relying on the legitimate interest ground in behavioral targeting cases, unlike WP29, it was implied that there are alternatives to consent by the ICO.[22] It is presumed that the ICO hinted at necessity for the controller’s legitimate interests as a possible legal basis.[23] It has been confirmed that online marketing relates to the freedom to conduct a business by Advocate General by the CJEU.[24] As known, having a legitimate interest is not sufficient to be relied on this ground. It seems questionable whether tracking people’s browsing behavior is the least restrictive manner for the ad network to enable advertisers to promote their products. For instance, contextual advertising is another method possible to display related ads without tracking people’s behavior such as ads for law books on websites about law. On the other hand, an ad network that specializes in behavioral targeting could try to argue that tracking people is necessary for its business.[25] Therefore, the fulfillment of the necessity criterium will be dependent on the circumstances of the case. Concerning the principle of the proportionality since behavioral targeting requires mostly large-scale data protection this criterium appears not easy to be passed. Yet, some practical architectures such as Adnostic which is a browser plug-in which enables targeting without compromising user’s privacy building a profile based on the user’s browser. [26] Lastly, balancing the interests, it is accepted that people have a reasonable expectation of privacy on Internet use confirming by the ECtHR.[27] In addition, there are various factors that should be considered such as the seriousness of the infringement of the data subject’s fundamental rights, the sensitivity of the data, the scale of data collection, and the risks involved.[28]

d. German Case is noteworthy.

In a recent case from State Commissioner for Data Protection in Germany it was examined that a bank obtaining a meaningful data set through its mobile applications by comparing information such as purchasing volume, frequency of use of bank statement outputs, transfer amount, both with the data in the same category in its branches and with the data of a credit institution.[29] It was explained that the purpose of this processing activity is to identify customers who have an increasing inclination towards digital media and to use electronic communication channels more to deal with contractual or advertising purposes. Even though general information was given to the customers on the subject, their explicit consent was not obtained. The State Commissioner decided that the data controller failed the balance test that must be applied within the scope of legitimate interest under Article 6/1/(f) of the Regulation. Due to the data analysis enriched with the information received from the branches and the credit institution, the processing activity exceeded the reasonable expectations of the customers. At this point, the quote from Data Protection State Commissioner Barbara Thiel is noteworthy:

“The data controllers for such evaluations often do not obtain the consent of the customers.Instead, they refer to a balancing of interests according to the Article 6/1/f. However, this legal basis does not allow profiles to be created for advertising purposes by evaluating large databases…Those data subjects usually do not expect data controllers to use databases on a large scale to identify their inclination towards certain product categories or communication channels.”[30]

3. Last But Not Least

As can be understood, the debate on behavioral targeting and necessity for the controller’s legitimate interests as a legal basis has not been settled. In conclusion, the challenges awaiting the information society in the future is mentioned at every possible opportunity focusing on the fact that they change and deepen the personal data protection law in many aspects and may even leave it inadequate at some points. However, it cannot be denied that the issue has a more sensitive point when viewed from the perspective of legitimate interests. One of the most emphasized issues from the starting point to the conclusion of the thesis is that legitimate interest is a clause used by both the public and private sectors when the other legal grounds are not applicable. As such, technological developments have changed the methods of processing personal data, making it much more complex and chaotic, and the decrease in predictability in legal texts and contracts in this context, all eyes have turned to the legitimate interest clause. Since it is known that seeing any field as a way out usually results in abuse, it has been tried to convey which issues and purposes should be considered in this section. Financial data, data on criminal offences and sensitive personal data require a delicate balance, especially when it comes to fraud or security purposes. When the economic interests are mentioned, it is useful to carefully evaluate profiling and behavioral advertising methods.