On October 4, 2024, the Court of Justice of the European Union (CJEU) issued a ruling in the case C-621/22, addressing whether purely commercial interests can qualify as a legitimate interest for processing personal data under Article 6 para. 1 lit. f of the General Data Protection Regulation (GDPR). This decision challenges the strict stance taken by the Dutch Data Protection Authority (DPA) in recent years, which has held that commercial interests cannot be a valid basis for processing personal data without consent. This ruling is a significant step for businesses that face challenges in obtaining consent and could benefit from relying on legitimate interests instead.
Background of the Case
The Royal Lawn Tennis Federation (KNLTB) was penalized EUR 525,000 by the Dutch DPA for data sharing with sponsors without obtaining members’ consent. This action, done in exchange for payment, was deemed a violation of the GDPR. The DPA concluded that because KNLTB’s actions served purely commercial purposes, they did not qualify as a legitimate interest under the GDPR. This ruling aligns with other cases in the Netherlands, such as VoetbalTV, where the Dutch DPA has strictly interpreted legitimate interest as not applicable in case of purely commercial purposes, often to the detriment of businesses.
KNLTB challenged the DPA’s decision, claiming that sharing member data for sponsorship purposes helped strengthen their association and provided “added value to their membership in the form of discounts and offers from partners”. The CJEU was asked by the national court to clarify if purely commercial interests, such as those claimed by KNLTB, could be considered legitimate under GDPR.
The KNLTB case was submitted to the Amsterdam District Court, which sought guidance from the CJEU.
CJEU’s Ruling: A Broader Interpretation
The CJEU’s decision does not directly answer the preliminary questions, but it clearly establishes a position that challenges the Dutch DPA’s strict interpretation. The Court emphasizes that legitimate interests do not need to be enshrined in law and that commercial interests can indeed qualify as legitimate, provided that all other data protection obligations are met. Specifically, the Court outlined three cumulative conditions that must be satisfied for data processing based on legitimate interest to be lawful:
- The pursuit of a legitimate interest by the controller or a third party (pursuit of a legitimate interest).
- The data processing must be necessary for the legitimate interest pursued, meaning it cannot be achieved as effectively through other, less intrusive means (necessity of processing).
- The interests or fundamental freedoms and rights of the data subject must not take precedence over the legitimate interest of the controller or of a third party (balance of rights).
The court also referenced prior case law, including the Schufa Holding and Meta Platforms cases, which support a broad range of interests as potentially legitimate under GDPR. This ruling is a significant step forward in clarifying the types of interests that may qualify, giving businesses greater flexibility in how they operate while maintaining respect for data protection standards.
To reinforce its position, the CJEU referenced GDPR Recital 47, which confirms that legitimate interests don’t need legislative backing:
“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.”
In practical terms, this means that if a commercial interest aligns with the expectations of data subjects and does not harm their rights, it can constitute a legitimate basis for data processing.
The CJEU also made reference to previous rulings, such as the CJEU Google Spain case from 2014, affirming that “the Court has not ruled out the possibility that a commercial interest of the controller which consists in the promotion and sale of advertising space for marketing purposes may be regarded as a legitimate interest” given that such interest is not contrary to the law.
The Impact on Business and Data Protection
The CJEU’s ruling underscores the need for a balanced approach to data protection. While it reaffirms that commercial interests can serve as a basis for data processing under Article 6 para. 1 lit. f, it also stresses the importance of not overriding the rights of data subjects. This decision is particularly valuable for businesses, as it expands the scope of what can be considered legitimate interest.
Positive Shift for EU Businesses
While this is a preliminary ruling, the CJEU’s decision provides valuable guidance. It signals that the GDPR’s goal is to protect individual rights without unnecessarily hindering business operations.
In light of this ruling, businesses across the EU can reconsider how they approach data processing based on legitimate interest, particularly for commercial purposes. Companies should conduct a legitimate interest assessment (LIA), as recommended by the GDPR, with the help of Data Protection Officers or experts to ensure compliance and a balanced approach to protecting data rights.