Legitimate interests must not be illegitimate (duh)

The wait is over. CJEU determined that a "pure commercial interest" can serve as a legitimate?interest under GDRP article 6(1)(f) provided it is not illegitimate. It does not have to follow?from law or be enumerated in law, but the interest should not be contrary to law.

More conditions apply before you can rely on such legitimate interest. The Court enumerates them helpfully and also hints that these may not have been fulfilled in the specific case at hand, but (rightfully) leaves it for the referring court to determine.

I fed the Dutch language judgement to ChatGPT and asked for Axios' Smart Brevity. Here goes:

The Big Picture: The European Court of Justice (CJEU) clarified how organizations can process personal data for commercial purposes under the GDPR.

Why it matters: This ruling impacts how entities justify using personal data without consent for commercial gain, emphasizing individuals' rights.

Background:

• Who: Koninklijke Nederlandse Lawn Tennisbond (KNLTB), the Dutch tennis federation.
• What happened: In 2018, KNLTB sold members' personal data to sponsors (TennisDirect and Nederlandse Loterij Organisatie) without members' consent.
• Data shared: Names, addresses, birthdates, phone numbers, email addresses, and club affiliations.
• Purpose: Sponsors used the data for direct marketing; KNLTB received payment.

Legal Challenge:

• Regulator action: The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined KNLTB €525,000 for violating GDPR Articles 5(1)(a) and 6(1)(a) and (f).
• KNLTB's defense: Argued the data sharing was based on "legitimate interests" under Article 6(1)(f) GDPR.
• Key question: Can a purely commercial interest justify processing personal data without consent?

Court's Decision:

• Legitimate interest defined: A commercial interest can be a "legitimate interest" if it's lawful and not contrary to the law.
• Three conditions for lawful processing under Article 6(1)(f) GDPR:Existence of a legitimate interest: The organization's commercial gain.Necessity: Processing must be strictly necessary to achieve that interest.Balancing test: Individuals' rights and freedoms must not override the organization's interest.
• Outcome: Processing is lawful only if all conditions are met; the interest doesn't need to be established by law but must be legal.

Implications:

• Transparency required: Organizations must inform individuals about data use and seek consent when appropriate.
• Reasonable expectations: Members should expect how their data will be used; unexpected data sharing may violate their rights.
• Less intrusive alternatives: Entities should consider methods that infringe less on privacy, like obtaining prior consent.

What's next: The Dutch court must assess whether KNLTB's actions met these conditions, balancing its commercial interests against members' privacy rights.

Bottom line: Commercial interests can justify data processing without consent under GDPR, but strict conditions apply to protect individual rights.