I only wish the Article 29 Working Party had published their Opinion on Legitimate Interests several years ago, as it could have saved us a lot of discussion in the federated access management community.
Any organisation that processes personal data needs to have a legal justification for this; in access management that applies both to Identity Providers and to those Service Providers that receive personal data. UK and EU law provide six possible justifications (listed in Article 7 of Directive 1995/46/EC) but none of them is an obvious fit for federated access management. “Consent” might look OK, since the user has requested access to the service, but both UK and EU law are rightly nervous about whether an employee (or a student with a deadline to meet) is really in a position to give “free consent” if refusing may harm either their job prospects or their study outcome. Similarly “necessary for a contract” (either of education or employment) might be OK, but are all the pages you access via federated access management strictly “necessary” for your job/study?
For a while I’ve been wondering whether the “legitimate interests” justification might be the way out of this problem, and the Working Party seem to confirm that:
…an appropriate assessment of the balance under Article 7(f), often with an opportunity to opt-out of the processing, may in other cases be a valid alternative to inappropriate use of, for instance, the ground of ‘consent’ or ‘necessity for the performance of a contract’. Considered in this way, Article 7(f) presents complementary safeguards – which require appropriate measures – compared to the other pre-determined grounds. (p10)
So what are those “complementary safeguards”? The legislation says “except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject” (Art 7(f)). Expanding that, the Working Party describe it as a balancing test: the stronger the legitimate interest being pursued by the data controller and the less harm the processing does to the interests of the data subject, the greater the likelihood that the activity will be lawful. Interestingly
The purpose of the Article 7(f) balancing exercise is not to prevent any negative impact on the data subject. Rather, its purpose is to prevent disproportionate impact. (p41)
Strong legitimate interests include those recognised as fundamental rights, in the public interest, or norms in the community concerned. The impact on the individual will depend on the nature of the personal information, how it is processed and what the individual would reasonably expect. It can be reduced by safeguards such as data minimisation, privacy enhancing technologies (for example pseudonyms), transparency and a right to opt-out. Those claiming legitimate interest should be able to explain their interest and how it satisfies this balancing test.
In the federated access management case it seems to me that both Identity Providers and Service Providers have a legitimate interest in providing the service that their users have requested. The need to provide information about the current user (in particular that they have authenticated) is generally recognised. The impact on the individual should be positive rather than negative, fully in line with their expectations – they are getting the service they requested – and most federation rules restrict any unexpected secondary uses. Data minimisation and privacy enhancing technologies are encouraged by the federated model: service providers can provide user accounts without needing to know anything about individual users. And there is the possibility of opting out by not accessing that service.
Relying on legitimate interests still means users have to be informed about what their personal information is being used for: transparency is required by both general data protection law and the legitimate interests balance.
The Working Party describe legitimate interests as a
balanced approach, which ensures the necessary flexibility for data controllers for situations where there is no undue impact on data subjects, while at the same time providing sufficient legal certainty and guarantees to data subjects that this open-ended provision will not be misused. (p10)
Indeed I’d suggest that the case-by-case analysis required by the legitimate interests justification might even provide better protection than trying to squeeze processing into a pre-defined justification that doesn’t fit, where the pre-defined safeguards may also be stretched to, or beyond, breaking point by the attempt. As the Working Party make clear, legitimate interests is neither a last resort justification nor an open door to processing: for some situations it provides the most appropriate protection for everyone’s interests.
