IAPP Legitimate Interest Webinar

Presentation Transcript
Dave Cohen
CIPP/US, CIPP/E Knowledge Manager
Gary LaFever
Rocco Panetta
CIPP/E Managing Partner
Panetta & Associati
Ailidh Callander
Legal Officer
Privacy International
Legitimate-Interest Processing under the GDPR: How to Satisfy the Legal and Technical Requirements
Dave Cohen (IAPP)
[00:05] Welcome to the IAPP web conference Legitimate-Interest Processing under the GDPR: How to Satisfy the Legal and Technical Requirements brought to you today by Anonos. My name is Dave Cohen. I am the IAPP’s Knowledge Manager, and I'll be your host for today's program. We'll be getting started with the presentation in just a minute. But before we do, a few program details. Participating in today's program will automatically provide IAPP-certified privacy professionals who are the named registrants with one (1) CPE credit. Others who are listening in can apply for those credits through an easy-to-use online form on our website. We'd also like to remind you that today's program is being recorded. It will be provided free to registered attendees approximately 40 hours following the live event. We encourage you to ask questions at any time during the program by typing them into the Q&A field to the right of your PowerPoint window, and your questions will be answered by the presenters after the presentation during a designated Q&A period.
Welcome & Introductions
[00:58] Now on to our program, I'd like to introduce today's panelists. Gary LaFever is the CEO at Anonos. Gary, welcome to the panel and can you tell us a little bit about your role over there in the company?
Gary LaFever (Anonos)
[01:08] Thank you, Dave. Yes, I am both the CEO and General Counsel of Anonos, which is important particularly when you're going to use Pseudonymisation technology to enable GDPR-compliant repurposing of data, and legitimate interest is one of the ways that you can do that and a primary focus of what we do, and I look forward to this session.
Dave Cohen (IAPP)
[01:31] Excellent. Thanks so much, Gary. Joining Gary on the panel, Rocco Panetta is Managing Partner at Panetta and Associates. Rocco, can you tell us a little bit about your practice?
Rocco Panetta (Panetta & Associati)
[01:41] Yes. Thanks, Dave. My name is Rocco, and I'm an Italian lawyer in Panetta & Associati Law Firm. I'm a former regulator and I was the Head of Legal of the Italian Data Protection Authority some years ago. I'm also within the IAPP, a member on the Board of Directors. And here, I'm trying to give you a special perspective from the European Union state of the art on legitimate interest and with respect to Italy because there is something interesting to know.
Dave Cohen (IAPP)
[02:25] Excellent. Thanks so much, Rocco. It's great to have you with us today. And to round out our panel today, Ailidh Callander is a Legal Officer with Privacy International. Ailidh, welcome and can you tell us a little bit about your role in Privacy International?
Ailidh Callander (Privacy International)
[02:37] Thank you. Yes, as you said, I'm a Legal Officer at Privacy International and I also lead work challenging corporate exploitation. Privacy International is an international NGO based in London, but we work with a network of partner NGOs around the world to campaign for a world where technology will empower and enable us rather than be used to exploit the data for profit and power.
Dave Cohen (IAPP)
[03:00] Excellent. Thanks so much, Ailidh. It’s great to have you with us. And with that, let's go ahead and get started and I'm going to turn it over to Gary for that. Gary, it's all yours.
Maximizing Ethical & Lawful Data Utility and Value
Gary LaFever (Anonos)
[03:08] Thank you, Dave. This is a slide that we like to start with because it sets the stage for perhaps what the world was like or at least what the perception of what it was like prior to the GDPR and what we are now living under and how we can still maximize the value of the data. On the slide at the far-hand side, the ability of the fish to swim where they want, how they want, and do what they want to the extent that that world ever existed, it certainly doesn't under the GDPR. And a lot of people think that the GDPR was just a consolidation and application of the EU Data Protection laws on a unified basis. But actually, there are a number of ways in which it heightened the obligations. And now under the GDPR without the use of special technical controls and if a party tries to rely entirely on consent or even contract, you end up in this limited utility of processing. Obviously, those fish aren't very happy. They can't reach one another, and they're gonna run out of air.

[04:04] So, this is just a metaphor for the need to have new technical controls to support legitimate interest processing in many situations. And the fact of the matter is that with those controls, enforcing appropriate policies, and it's that combination of policies and controls that you deliver demonstrable accountability. And with demonstrable accountability supporting the rights and privileges of the data subjects, oftentimes data controllers can do just about anything that they did before the GDPR, and we actually find with our clients that they can actually do even more in some situations, but they have to do it differently. And so, this slide again, just highlights the fact that the GDPR is not about reducing or limiting the utility or value of the data, but it may require that you do things differently, and that's a big message that we're trying to get across through this webinar.
Evolution of Data Use & Protection: From Localized to Distributed
[05:00] This next slide highlights why this is the case. And it's because the older data protection laws both in Europe, the US, and around the world reflected an earlier viewpoint and data use pattern, which is more localized. So, when data originally went from analog to digital - yes, it did occur at some point in our past - those uses were primarily within small, controlled settings, enclaves as it were. And therefore, there weren't the same risks of re-identification. But as the use patterns change to be much more widespread and distributed, you have to consider a risk-based analysis that includes not only data that's in your possession and control, but also in the possession and control of third parties.

[05:40] So, if you look at the far right hand side of this slide, you find laws that are much more focused on secondary processing and repurposing of data. In my experience as CEO and General Counsel of Anonos, our customers are waking up to kind of what I almost called the GDPR 2.0, which is initially they were focused on being compliant and making sure that they had the ability to respond to data subject access requests, breach notifications, etc. But they weren't yet focused on what's necessary and perhaps what is required to be done differently when you want to make repurposed use of data. And that's a big focus and a big opportunity to use legitimate interest processing versus other legal bases.
New Requirements for 'Distributed' vs 'Localized' Data Use & Protection
[06:21] And again, this slide just re-emphasizes the need here. There's a significant difference between the impact and purview of the laws back in the 1990s and what's happening today in the 2020s. And that's why a revisiting of the technologies that are used that can enforce the policies that you have are important because a lot of times what existed and has been used for years was not designed to support the newer requirements under the GDPR.
Acme Video Corporation Data Processing Ecosystem
[06:51] This slide helps to highlight and we find this particularly helpful and we're helping to bridge discussions between privacy and policy professionals and data users. So, I just want to spend a quick moment on this. All data uses are not the same. All data users can raise different concerns and different opportunities. And therefore, we find that our clients often tell us that figuring out which of these boxes a particular use case fits is very helpful to them. So, the first one is a data-sharing example. But it's a data-sharing example in ways that some people don't think about, which is when you're sharing data from a third party as an input to your operations and different issues arise there as well as different liability concerns whether or not that provider data has done their job correctly. And again, legitimate interest processing is something that could be helpful there.

[07:46] Number two, that's a box that most people typically immediately think of, which is the primary purpose. The actual reason why you collected the data in the first place, and I've given a very simple example here. I'm not going to go into all the details on the slide and I'd like to tell and comfort all the participants that are on this webinar that there's a lot of content on some of these slides and we're making it available to you following the webinar. So, while we may not cover all the materials in the slides, we're doing this so you have an even better resource following the webinar. Also, I just want to note that if you ask a question today and we're not able to get to it during the webinar, that we will try to follow up with that and we'll also be providing a summary of the webinar. So, again, we're not going to cover everything that we could, and we want to get to your questions as soon as possible.

[08:37] But in this example of Acme Video Corporation - just a quick example as the difference between primary processing in box two and secondary processing in box three, which is not necessarily immediately evident to people who are not data processing professionals. And so, in this example, this is a fictitious web-based movie streaming company. And certainly, they need to know whether you're paying on time so that you're entitled to their service and also what level perhaps you're at. Perhaps that can determine the number of movies that you watch a week, or the speed at which the movie downloads, or the kinds of movies that you get to see whether you get the advanced opportunities. Those kinds of things. And so, that would be included within box two. But the second you take historical information regarding my past viewing patterns, and compare that against other customers to make recommendations, that is no longer a primary purpose. And so, that's just a simple example of repurposing data which may require a new legal basis and again legitimate interest can be helpful.
Acme Video Corporation Data Processing Ecosystem
[09:49] And the last one is when you use the output - the outflow of your processing operations to share with third parties. And so, this highlights the fact that those different uses are oftentimes where consent and contract are challenged and where legitimate interest can be helpful. So, again, looking not only at the fact of the source of the data, where you have it, the level of identifiability of the data, but it's also the use case of the data that may impact what your rights and obligations are.
Regulators Limiting Scope of Anonymisation, Consent, Contract
[10:21] And this slide highlights why that's the case because guidance and enforcement actions have made it very clear that what was consent in the past has in fact been narrowed, a much more stringent view of that, and also contract and anonymisation. So, this slide just highlights a couple of recent ones at the top right. The Hellenic DPA telling PwC that their processing of employee-related data was not an appropriate use of consent or contract. It's not that PwC was doing anything improper with the data, but they couldn't rely on those legal bases because of the imbalance between the parties - employee and employer.

[11:03] On the bottom left, the Dutch DPA telling banks they cannot use their own customer data to do remarketing to their customers based on generalized consent. So, this is a more strict interpretation than perhaps existed before. Some people say it may be close to the same interpretation, but the penalties are so much higher that people are now paying attention. It's actually a combination of both and one that catches people by surprise is at the top left. Literally, in order to comply with member state clinical trial laws, you must have informed consent, which is a heightened requirement for consent. But that consent, while required under the member state clinical trial laws, is not GDPR consent once again because there's an imbalance of power because people whose lives and health are at risk arguably will agree to do anything. So, there's a need to assess legitimate interest as a complement to consent. I think all of us on the phone would agree that when consent works, it’s the preferable use case enabling legal basis. But there are times where it simply doesn’t.

[12:14] And the last one oftentimes surprises people in the middle here. In the UK, if you're using data that was previously de-identified and it has been re-identified, that there's actual potential criminal liability. And so again, this goes to anonymisation. A lot of people think the best way to process data when it has to do with processing in the EU is to anonymise that data, so that the data is not subject to the GDPR. Two things. First and this is highlighted at the bottom right, the requirements to anonymise data are actually very, very difficult to achieve and once data has been anonymised if you actually then relink to identities you can get in trouble. So, yet again, a means by which legitimate interest can be helpful.
Global Adoption of 'Functional Separation' Principles
[13:07] Legitimate interest processing is actually a trend in other geographies around the world, but it's called by different things. There's an EU principle of functional separation, which is actually evident in other laws. Under the CCPA in California, it's called de-identification. Similarly, under the Indian Data Protection Law. In a similar concept, it is called anonymisation under the Brazil Law. And part of the struggle that we all have here as privacy professionals is: “What do all these terms mean?” Viewing functional separation as the intended objective, actually, I believe is helpful because not only does it enable you to comply with given jurisdictional requirements from a data protection regime, but also data sovereignty and data localization laws. And again, as I mentioned earlier in the program, many technologies that had been around for decades, by definition, were not architected to support these newer requirements. And so, that's the reason to assess what you're doing and what your clients are doing.
GDPR Statutory Benefits of 'Pseudonymisation'
[14:11] So, this is the tool that is very helpful and has been identified and acknowledged by the Article 29 Working Party as helping to tip the balance in the favor of data controllers for lawful legitimate interest processing - Pseudonymisation. And this term “Pseudonymisation” is newly created under the GDPR at the EU level. You may find people who use the term “Pseudonymisation” as pseudonyms, but they're referring to practices that pre-existed the GDPR and sometimes called key coding or tokenisation. And the requirements of Pseudonymisation under the GDPR are heightened and I'll get to that in a minute.

[14:51] So, why go to all this trouble particularly? And people will say: “Well, why would I pseudonymise my data? It is still personal data.” That's true, but there's a high risk of anonymised data because if it’s re-linkable, you could be liable. And in my view and much more importantly, Pseudonymisation is the only safeguard that's repeatedly called out within the GDPR both recognized and rewarded if you satisfy its requirements with expressed statutory benefits and some of those are highlighted on the slide. So, the ability to support lawful secondary processing [Article 6(4)] and other ones. The two I'd like to highlight here at the top right is it actually again is specifically enumerated in a number of places where it can help you with scientific processing and sensitive special categories. But the one we're focusing on today is the bottom right. That by using Pseudonymisation you can more easily enable and support lawful legitimate interest processing and that has numerous benefits to the data controller and subsequent processors.
Pseudonymisation = Technical & Organisational Controls
[15:59] My last slide here before I turn it over to Rocco. So, what is Pseudonymisation? And there are actually some fantastic resources out there. ENISA actually came out with guidelines on Pseudonymisation in November 2018 at the highest strategic level, and they talked about how it relaxes the obligations under the GDPR and then they updated that in November 2019 just several months ago and that gets into very detailed specifics. You oftentimes hear people say: “Well, with legitimate interest processing, I don't know what I'm supposed to do.” The reality is there is a very detailed Article 29 Guidance on legitimate interest processing. And within that, it acknowledges Pseudonymisation as a safeguard that can tip the balance in favor of the data controller for lawful legitimate interest processing. And then, there are resources such as these ENISA Guidelines that actually get into significant detail.

[16:54] I just want to emphasize yet again before I hand it over to Rocco that the mere fact that someone says they're pseudonymising data, you need to compare that use against these requirements. And these requirements - and this is Article 4 (5) of the GDPR - is you must be able to separate the information value of data from the actual identities of the data subjects and you must show that the only way to go back and forth over that wall as it were on the top left is by accessing additional information that is kept separately and securely. In return and reward for being able to show that that's the case, you actually have expanded data uses as the prior slide had highlighted. And it's actually, while it's still personal data, gives you greater predictability of operations, which enables you to future proof not only your legal compliance, but your business outcomes.

[17:54] And so, this requirement that you can't jump back and forth over the wall as it were between information value and identity, that is not supported by many of the traditional uses of technologies that we used to call Pseudonymisation. For example, the assignment of a static recurring persistent token to the same person again and again and again has been shown many times that if you do that I can infer, link, and cross reference that data to figure out who somebody is without requiring access to that data in what I refer to as the walled garden or the courtyard. So, again, in summary, there are many benefits to legitimate interest processing. And there are many benefits to the use of Pseudonymisation as a GDPR recognized and rewarded safeguard to enable lawful Pseudonymisation. So, with that, Rocco, I'll hand it over to you.
The Legitimate Interest as Lawful Basis
Rocco Panetta (Panetta & Associati)
[18:50] Thank you so much, Gary. I'm also wanting to say congratulations for your presentation, especially this reference to Pseudonymisation is very useful, I think, to the audience. Before we start with my focus on legitimate interest as a lawful basis first and then to some Codes of Conduct that had been approved recently by the Italian Data Protection Authority where the use of legitimate interest is really the most important element that we can emphasize with these Codes of Conduct.

[19:36] Let me just add one word on Pseudonymisation because for those that are interested to read more about that, there are also very useful resources coming from the former Article 29 Working Party - so the previous version of the European Data Protection Board. In April 2014, Article 29 published the first real comprehensive report on the use of techniques that could be considered anonymisation or Pseudonymisation technique, and it is very important to refer to that document as well because you can read in this way how regulators consider these methods and how they deal with techniques.

[20:39] So, let's go now to my first slide here called “The Legitimate Interest as a Lawful Basis.” As almost everybody knows, the most famous lawful basis for data processing is consent. But consent is the most famous but is not used as a legal basis. The most used legal basis is the fulfillment of an obligation coming from a contract where the data controller and the subject is part. So, the second most important legal basis for data processing is the fulfillment of an obligation coming from law at the national or at the European level. Then, there is consent. And the fourth probably underestimated legal basis is legitimate interest.

[21:53] Legitimate interest is not new to the new legal basis introduced by the GDPR. Legitimate interest was already provided for by the Directive 95/46. As you know, the Directive granted a big, big room to member states to interpret the Directive itself in different and various ways. So, in certain jurisdictions, legitimate interest was emphasized in older jurisdictions. Like in Italy, legitimate interest was restricted and we are going to see in a while. But what is legitimate interest is that the processing could be lawful according to Article 6(1)(f) of GDPR when it is necessary for the purposes of the legitimate interest forced by the controller or by a third party. Reading the room, it seems very straightforward, but it is not so simple to deal with - legitimate interest. First of all because it is not an absolute right in the hands of the data controller. Legitimate interest must be balanced with interest or fundamental rights and freedom of data subjects and this exercise is really not simple.
The Balance of the Legitimate Interest Before the GDPR
[23:41] I’ll say before the GDPR, in certain jurisdictions like Italy, the evaluation and the assessment of legitimate interest could be used as a legal basis was in the hands of the Data Protection Authority. So, the Supervisory Authority was used to be called to express itself after an exercise called prior checking in order to see if the legitimate interest of the data controller was able to be considered valuable and sound. And so, after a prior checking exercise, the DPA (Data Protection Authority) then says: “Okay. You have a legitimate interest.” Or “No, you don’t have a legitimate interest.” Or “Yes, but this legitimate interest must be balanced with data subject interest.” So, sometimes, the legitimate interest was not valued as the data controller had in mind.
The Balance of the Legitimate Interest After the GDPR
[25:07] So, what happens now? Now, legitimate interest is in the hand of the data controller. This is a signal and a matter of accountability. So, the data controller is in the position thanks to the GDPR to assess by itself the legitimate interest as a lawful basis and after of course the so-called legitimate interest assessment whereby the first element that need to be considered is if between the data controller and the data subject is an already existing kind of relationship because also based on the GDPR but also by reading the European Data Protection Board Guidelines and some literature, it’s very difficult to use legitimate interest as a legal basis when you are not basing processing all that data subject and it is already part of your client-customer patient basis, not already under your control as a data controller.
The Codes of Conduct according to the GDPR
[26:37] Let's move to the Codes of Conduct because the time is running very fast and I want to introduce this topic not because I want to change just the argument of presentation but because the Codes of Conduct could be a source of legitimate interest as a legal basis because according to Article 40 of GDPR and Article 41, a group of associations or other bodies representing categories of data controller and data processor can propose to the national Data Protection Authority and then as the case may be, this can also be brought to the attention of the European Data Protection Board under International European label and can propose a number of the rules and behavior and the practical suggestions in order to identify new ways of data processing, new purposes of data processing, or already existing purposes of data processing that by means of a new way of considering local data processing and the best way is to use that approach in legitimate interest.

[28:25] Let’s say, we recently asked them in Italy. In Italy, the Garante (Italian Data Protection Authority) has already had a very strong tradition of using Codes of Conduct. Italy was one of the few jurisdictions that was already under the Directive 95/46 and approved eight Codes of Conduct compared to other jurisdictions where these Codes of Conduct was never used. After entering into force of the GDPR after May 2018, the Garante was again the first to pass the first two Codes of Conduct by using again the legitimate interest by recognizing the legitimate interest of the data controller as the legal basis for a number of data processing.
The Codes of Conduct according to the GDPR: Monitoring of Approved Codes of Conduct
The Codes of Conduct according to the GDPR: Transfers subject to appropriate safeguards
The first Codes of Conduct Approved by the Italian DPA
[29:07] Maybe let me jump here. Let’s go to see in which field the Garante passed and approved the Codes of Conduct. First, in the field of the Business Information market. Second, in the field of the Credit Information Systems. Both in 2019 and both approved by the Garante, which is the Data Protection Authority in Italy.
The new Code of Conduct for Business Information
[30:09] Let's see first briefly the new Code of Conduct for Business Information. What is business information? It's data on the evaluation of patrimonial, economic, financial, credit, business, industrial, organisational, productive, and professional aspects of a natural person. A lot according to me. Business information means really an important leverage for doing businesses in a safe environment. And according to the Garante and according to this Code of Conduct, consent of that subject is not required by law by the Code of Conduct, which is of course a secondary source of law. And companies that offer information on the business reliability of entrepreneurs of companies and managers - so natural persons that drive a company - may process the personal data of the natural person registered without their consent on the basis of the company’s legitimate interest. So, this is a real and concrete example on how legitimate interest is being considered as a legal basis by the Data Protection Authority.
The new Code of Conduct for Credit Information Systems
[31:36] In the field of Credit Information System, the Garante had the same approach. Again, the operator and the participant to the Credit Information Systems may carry out the processing of personal data registered on the Credit Information Systems without requiring the consent of the data subject on the basis of their legitimate interest to process this data. What kind of data are processed within the Credit Information Systems? The Credit Information Systems are those databases through which banks and financial intermediaries exchange information on loans applied for and granted to their customers exclusively for purposes related to credit protection and the containment of the related risk. So, I’m going to pass now to Ailidh because it’s time to stop. So, Ailidh, it’s your turn.
The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Ailidh Callander (Privacy International)
[32:39] Thank you very much, Rocco. And thank you very much to Gary also and for your presentation. Both of them have spoken a lot about legitimate interest. I wanted to go back to the wording of the position as Rocco did. In our experience, there had been a lot of attention paid to the second part - the legitimate interest part - and very little attention paid to the second part that is the interest and the fundamental rights of individuals. That’s really one of the concerns. Whilst it has been described as perhaps not as often used and not seen as a consent as a legal basis, it is definitely one that we’ve seen impact us both before and after GDPR took effect. It has been described perhaps kindly by the UK Information Commissioner as one of the most flexible legal bases. But in reality, our concern is that it has been exploited and is open to abuse in many sense in a way that it had been implemented to date and that it has been used badly I would say with the failure to demonstrate as we take into account the rights and interest of the data subjects. So, that’s the key issue going forward.

[33:52] As you all know, before you even think about legal basis and further processing and we’ve been talking in the abstract with some specific examples but really I’d just like to reiterate how important it is to step back and say: “Well, what is it that you’re trying to achieve and why? And in what context? And what are the consequences of that for individuals and society?” Because the lawful bases as set out in the GDPR are just part of that full context, and I think it’s extremely important to take into account the full context and the other principles when thinking about this as well including fairness and purpose limitation and data minimisation. So, I just kind of wanted to get very clear that it’s very important to think about the whole context here. And so, moving on some of that and the wording, which is really important, this second part and obviously a key part as well is where the data subject is a child that has to also be taken into consideration.
Privacy International files complaints against seven companies for wide-scale and systematic infringements of data protection law
[35:07] I wanted to speak about a specific example where we looked at the application of this and as a legal basis and that was post-GDPR taking effect where we’re particularly concerned that certain industries such as the data broker industry and why the AdTech industry may continue to act as business as usual whereas actually there has been a fundamental shift in the legal regime and the standards that are required and we researched various companies and ended up complaining about seven companies - Acxiom, Experian, Equifax, Oracle, Quantcast, Criteo, and Tapad.

[35:58] One of our arguments - and there were a number and we set out in our submissions to the DPAs in the UK, in Ireland, and in France - while we considered that their processing did not meet the requirements of the GDPR both in terms of the number of the principles but also in terms of the requirement for legal basis and that neither consent nor legitimate interest were satisfactory conditions for processing in this instance. In particular, when they were processing special categories of personal data and one of the issues that we came across with the use of legitimate interest as a legal basis was the lack of any attempt to break down that interest. There was a huge reliance on commercial interest without any granularity of the different interests and the different legal basis for the different types of processing and no demonstrable evidence as I said as to how individual’s rights had been taken into consideration.

[37:01] This is an ongoing issue, and the UK Information Commissioner has an ongoing investigation into a number of data brokers and the number of Data Protection Authorities looking at companies in the AdTech industry and that’s where I think it’s interesting to mention the UK Information Commissioner’s report that they published in June last year following on from our complaints but also the complaints of other civil society organisations where they really underline the lack of understanding of legal basis including the interaction with the ePrivacy framework and really a fundamental misunderstanding of what was required by the legitimate interest basis. And this was repeated in a recent announcement where they reiterated again that the justification for using legitimate interest in this industry is insufficient and they highlighted that many companies’ assessments in the sense that their Data Protection Impact Assessments where they would have been required to take into account the impact on individual’s rights were generally immature and lacked appropriate detail and failed to follow guidance that is available and that reflects our investigation and experience as well. So, in that sense, I wanted to highlight some of the things that legitimate interest as a legal basis is and some of the things that it is not.
Processing Must Meet a Three-part Test
[38:43] And so, as I mentioned as well, there are things that it is and there are things that it’s not. But it always in terms of breaking it down is there is this kind of three-part test that can be done in the sense of what is that legitimate interest. What is the purpose you’re trying to achieve? And in our view, just saying that you have a commercial interest that is just your business interest and not going any further than that is not sufficient. You have to have a clear and specific interest. And then you have to show that it’s necessary and that’s a proportionality element. And then, the third element is the balancing element where you have to show how you take into account individual rights.
[39:22] And so, there must be that clear, specific interest and I would underline the importance to not only identify the interest but to do that in a transparent manner so that it's very clear to individuals whose data is being processed and others what that interest is. And then secondly and a very, very important point is that the Guidance is key. This basis should only be used in cases where an individual would reasonably expect their data to be used in that way and in circumstances where it would have minimal privacy impact and there must be a compelling justification. And in much of the work, we see that this is absent. People’s data is being used in ways that they would not reasonably expect that can have significant privacy implications and no compelling justification is provided.

[40:32] And going back to a point Rocco mentioned, there must be a relevant and appropriate relationship. Yet, often we see legitimate interest being relied on where there is no relationship with an individual and that’s a core part as well. And core to this is this responsibility for considering and protecting people’s rights. This is paramount, and this has to be demonstrable as well and this goes back to keeping that record of what the interest is including an information for individuals but then also carrying out impact assessments whether that’s a Data Protection Impact Assessment or a specific legitimate interest assessment. And although a legitimate interest assessment is not a specific requirement, it is something that’s recommended and one thing that is very beneficial is that these are published at least the gist or as much as can be published as possible and really should be made available because otherwise how can an individual understand how their rights have been taken into consideration but for others to be able to scrutinize and consider the implications.

[41:54] And then as I said, what it is not and it is not a basis that can be used without limits and it can’t just be molded to fit or justify any processing operations and it is not there to just justify any business model that exists. It requires that thorough consideration of individual’s rights, and it’s also not available for all processing operations. So, for example, it’s not open to public authorities. It’s not available for personal data revealing special category data and it’s not available where there’s interaction with the ePrivacy framework and that’s a really cool point and this goes back to the issue I covered earlier where the RTB report by the ICO really showed that kind of failure to really consider how the ePrivacy regime interacts with the data protection regime and to really consider that consent in that case is what is required by the ePrivacy regime. So, that failure has been highlighted and those consents raised. So, it’s important to be very clear where this is an appropriate legal basis and where it is not. But where it is appropriate it can be really important too for ensuring that the rights are respected.

[43:25] And so, I think just to conclude in terms of the importance of legitimate interest, it is one of a number of legal bases. But before you get to that legal basis, it is essential to kind of take that long, hard look at what is it that you’re trying to do, what are you trying to achieve and why, and what are the consequences both to individuals and society and certain business models that profit from data do risk infringing rights, exacerbating inequality, and endangering democracy and these are consequences that affect us all. So, it’s really essential to consider the wider consequences when thinking about any data processing and also what legal basis is appropriate. And I will now pass back over to Dave. Thanks very much.
Questions & Answers
Dave Cohen Dave Cohen (IAPP)
[44:18] Terrific. Thanks, Ailidh. That was fantastic. All of you - Rocco and Gary - that was an excellent presentation and we do have some time now to enter the question and answer portion of our program. We’ve got some great questions in the queue here, so I would remind everybody that the field is just to the right of the PowerPoint window. You can type in your questions and we will ask them anonymously to the panelists so now is a great time to submit those questions. Go ahead and type them in there.

[44:47] Ailidh, let’s go ahead and start with you just on that last point there, and I think Rocco mentioned this as well. What seems really interesting is there is this interpretation that there is a difference between the letter of the law and what the law actually requires and those processing purposes that may or may not be surprising to individuals. It seems like that was kind of a major theme here that there perhaps was a gap between those two. So, given having heard you just say that and Rocco having you comment on that as the third of your bullet points as well on balancing those individual rights versus these legal requirements, there is a question on the queue that says: Given the last slide, Ailidh, that you were mentioning (slide 24), can you use legitimate interest for B2B marketing since it is technically still outside the scope of ePrivacy or no? And Rocco, perhaps you would like to comment on this after Ailidh provides comments, if you have any.
Ailidh Callander Ailidh Callander (Privacy International)
[45:44] Thank you. Yes, I mean, obviously, it does depend on the context and what processing you’re talking about. I think what I was trying to get at was that the letter of the law respects rights but the problem has been when this has been interpreted and implemented in practice that has not been the case. In terms of B2B marketing, it would really depend on what marketing that was being carried out and the way that that interacts with the other regimes.
Dave Cohen Dave Cohen (IAPP)
[46:34] That makes good sense. Rocco, do you have any comments on this? I’m sure you’ve dealt with this with some of your clients.
Rocco Panetta Rocco Panetta (Panetta & Associati)
[46:40] Yes, let me add just something that probably could sound a little bit surprising but considering that the marketing online is ruled by the ePrivacy Directive and then the ePrivacy Directive is still not yet substituted by the ePrivacy Regulation, which is still under draft, in a different jurisdiction, the ePrivacy Directive has been implemented in a different way. And for instance - I’m sorry if I’m bringing you the Italian case again. But in Italy, the B2B is not out of the scope of the privacy rules at the time of the ePrivacy Directive. Now, the ePrivacy Directive was modified or has to be newly interpreted thanks to the GDPR that the B2B in Italy is under the ePrivacy framework at large. And so, as you can see, legitimate interest is a way to take into consideration a number of elements. But please, always be careful of what your local legislation is applying to the local jurisdiction because this could make a lot of difference.
Dave Cohen Dave Cohen (IAPP)
[48:18] Terrific. And Ailidh, did you have some follow up to that as well?
Ailidh Callander Ailidh Callander (Privacy International)
[48:22] I think I just wanted to add that this issue of kind of changing the legal basis as the kind of processing progresses was something that we were particularly concerned of when we looked at these companies and it has been called out by the ICO this idea that you may seek to justify the collection on the consent just to satisfy the ePrivacy part of it, but then just go and do whatever else under legitimate interest. The way that this has been implemented and practiced undermines both those legal bases and it undermines that necessity to think first. What is it I am going to be using this data for? And how am I being transparent about this. So, I think that there is a risk there that undermines both those justifications and getting mixed up in terms of using both of these in tandem.
Dave Cohen Dave Cohen (IAPP)
[49:31] Wonderful. And, Gary, did you have some comments to make on this topic as well?
Gary LaFever Gary LaFever (Anonos)
[49:50] I just wanted to jump in because this is not what's required. Yes, it's one of three. You do have to have a legitimate interest in the use of the data. You didn't have to show that you can’t get the data from other sources. It’s the third one, which is the balancing of interest test that a lot of people haven’t satisfied in the past. And so, if you note in the ICO report, they don’t say that legitimate interest processing could never be used within the AdTech ecosystem, but they say the way that it has been attempted does not work. And so, it is possible if you had the right technical safeguards to show and prove statistically through audit, etc., that you have demonstrable accountability and that’s really a focus. Demonstrable accountability that can show that you have mitigated the risks of the data subjects that it may be available.

[50:39] And so, this comes back to the fact that legitimate interest is one of six legal bases. It is available for many, perhaps not all processes, but it’s not something you just claim. You have to prove and you have to prove that with demonstrable accountability that is a combination of both the appropriate policies to ensure that the rights of the data subjects are respected and protected, and those techniques and technologies that enforce that to ensure that those rights have been mitigated. So, it is possible to achieve but not the way that people had done in the past and may require a restructuring of how data has been done. And what we’ve heard from our customers at Anonos is that they actually do want to do this right and they’re looking for guidance and the guidance does exist. Again, I’ve talked about the ENISA documents and I would highly recommend those. So, I just wanted to comment. It’s not that it’s never possible, but you have to do it in accordance with obviously both the statute and the interpretation guidance and enforcement actions.
Dave Cohen Dave Cohen (IAPP)
[51:41] That makes really good sense, Gary. And getting back to this question about what bases to choose with regard to your legal justifications for the processing of the data as legitimate interest and/or consent, we have an interesting question here from the audience. Ailidh, I think I’m going to direct this one to you and it goes back to the information you were discussing on slide 24 mentioning that legitimate interest is not available where the personal data falls within the ePrivacy Directive, and the question is: Is it possible to use consent to collect the data under the ePrivacy Directive and then use legitimate interest for secondary use of the data? It’s kind of interesting here.
Ailidh Callander Ailidh Callander (Privacy International)
[52:21] I think that's the point I was trying to get in the sense that I think that that’s muddying the water here in the sense of what is that secondary purpose and what basis did you get consent in the sense that you can’t just switch legal basis necessarily like that and that’s something that was, as I mentioned, called out in the ICO report as well because yes you need consent under the ePrivacy framework to access information on any equipment and for the majority of the tracking techniques that there are. But that that is in place too and because it acknowledges the intrusive nature of this processing and that’s where the guidance from the Article 29 Working Party pre-GDPR and the report I mentioned today too is that it’s quite clear that there are issues in the way that this is being carried out and that’s almost being used like a checkbox and I would say often implemented badly but then moving on from that, it’s using legitimate interest then to justify whatever else you want to do with it and that can be quite a tricky position to be in.
Dave Cohen Dave Cohen (IAPP)
[53:45] That’s great. And, Gary, did you have some follow on on this?
Gary LaFever Gary LaFever (Anonos)
[53:49] Yeah. I totally agree with Ailidh on this. The checkbox approach of legitimate interest just does not work. Period. You have to show that you have assessed the risks. You have to show that you put the data subject on notice at the time of the data collection. But for example, if you put the data subjects on notice at the time of data collection that they have the opportunity to consent to further processing that that processing would be conducted using legitimate interest and then you go on to some detail and provide even further access to more information that they wanted. And then, they would have the right to revoke that consent at a later time. The issue is that consent for describing some of the analytics and automated facilitation of decision making would be very difficult to satisfy because of the requirements with specificity.

[54:41] And so, you can have consent for one process, put them on notice that their data would be processed under legitimate interest and provided you have the technical controls in place to actually balance the interest and provided they have the right to revoke that consent at a later time. More sophisticated analytics could be supported using legitimate interest. So, I think Ailidh’s point is it’s not a checkbox at all and that’s what the industry has used it for in the past. And so, for companies who want to do sophisticated processing, they have to do the assessment. They have to do the impact assessment. They have to show that they have the safeguards in place. So, it’s not that it’s impossible. But it’s not possible the way that the industry has said in the past.
Dave Cohen Dave Cohen (IAPP)
[55:25] Terrific. And Rocco, I wonder if you have any additional comments there? And Rocco, I also have another one here from the queue that I think would be a very practical question that many are probably wondering about. And it's this: What would you consider a “good documentation practice” to corroborate the data controller’s position who relies on the legitimate interest as a legal basis to lawfully process personal data? I’m sure you deal with this with many of your clients. Do you have any comments first on what we were just talking about and then also on the documentation question?
Rocco Panetta Rocco Panetta (Panetta & Associati)
[55:56] Yeah. Sure. You know, the phenomenology of data processing and also the best way to assist a client in this respect is to know your client in the best possible way and to suggest to him how to react to legitimate interest assessments as the case may be. What I want to say is that it is never possible to rely only to a software or to an automatic procedure to assess the legitimate interest. This is a complex exercise that requires skills coming from the legal department from the DPO where appointed because never forget that the Data Protection Officer is not only a subject adapted to monitor the implementation of the GDPR within an organization, but there’s also a consultancy function and also an external lawyer. So, the sum of legal opinions, internal assessments, and also an exchange of emails based on this kind of reasoning could be useful for the purpose of being accountable in taking the decision on legitimate interest.
Dave Cohen Dave Cohen (IAPP)
[57:46] Perfect. And I think that's just about all we have time for. Thank you for that Rocco. And thank you Ailidh and Gary for the excellent presentations here. I want to make a quick mention that we can let you know that Gary referred earlier to the ENISA documents that just came out in the last edition in November and some of you may be wondering where you can find those. You can certainly submit to questions@anonos.com. We can provide the link for that to get you a copy of that.

[58:26] And also, we got a tremendous amount of questions here and some excellent questions from you, the audience. Thank you so much for submitting those. We didn’t have time to get to all of them. So, we will do our best to export those anonymously and provide some written answers. So, keep an eye on the Anonos website in the near future for some answers to those questions that we can address.
Web Conference Participant Feedback Survey
[58:47] So, before we let you go, I would like to get your feedback on this program. There's a live link in front of you there if you're listening to this as a live web conference. If you can click on that link and bring up a browser tab and let you know how we’re doing here and how you enjoyed the program, give us some feedback. We’re always seeking to improve. We’d really appreciate that. It’s a very short survey. We’ve timed it. It takes literally 2 minutes. So, we’d very much appreciate your feedback. Also, importantly, there is a field in that survey that asks what topics you’d like to hear about on future IAPP Privacy Education Web Conferences. So, we’d very much appreciate you letting us know that as well.
Thank You!
[59:28] And a huge thank you to Anonos for supporting this program and making it free and available to all of you out there in the IAPP membership and beyond. We very much appreciate it. And importantly, thank you, Gary, Rocco, and Ailidh. Thank you to all of you for sharing your expertise with the audience here today.
Attention IAPP Certified Privacy Professionals
For questions on this or other IAPP Web Conferences or recordings or to obtain a copy of the slide presentation please contact