GDPR Article 21 provides a “right to object” whenever personal data are processed based on either Legitimate Interests or Public Interests. In both cases, an individual can highlight “grounds relating to his or her personal situation” and require the data controller to consider whether there remain “compelling legitimate grounds for the processing which override the interests, rights and freedoms” of that individual. If there are no such grounds then processing must cease.
Responding to an objection therefore requires the data controller to analyse both the “grounds for processing” and the “interests, rights and freedoms” of the individual. However the different origins of “Legitimate” and “Public” interests mean the data controller’s ability to do so is likely to be very different depending on which basis is used for processing.
For Legitimate Interests there should be little difficulty. Before processing can start, Article 6(1)(f) requires the controller to define the interests served; Article 13(1)(d) requires them to inform data subjects of those interests; and Article 6(1)(f) requires them to consider what “interests or fundamental rights and freedoms” might be affected by the processing. On receipt of an Article 21 objection, the controller simply has to re-assess the risks to that particular individual’s interests, rights and freedoms and determine whether or not those change the balance with the interests that have already been defined and declared. If they do, the objection must be granted and the individual excluded from processing.
But for Public Interest (Article 6(1)(e)), the data controller’s initial duty is merely – according to Article 6(3) – to identify an applicable law that sets out a “task carried out in the public interest” for which the processing is necessary, or else assigns them “official authority”. Responsibility for the content of the law is given to the legislator: it must “meet an objective of public interest and be proportionate to the legitimate aim pursued”. However, there is no obligation on the legislator to declare either what that “objective of public interest” was, or what risks were considered when ensuring that it is “proportionate”. This leaves a challenging task for any Public Interest data controller required to “demonstrate compelling legitimate grounds … which override the interests, rights and freedoms”. How can they assess whether the objecting individual’s “particular situation” changes that balance, when they may have no idea how the balance was assessed in the first place?
A possible approach might be to focus on the risk side. Arguably the data controller should have done some sort of risk assessment when determining whether their chosen means of processing was “necessary” for the legally-defined task, or if a different approach would be less intrusive. Having done such a general assessment, it should be easier to determine whether a given individual’s “particular situation” changes that assessment significantly. If the individual is exposed to a risk that was not previously considered then there must be doubt – without additional information – whether the legislator’s original proportionality test would still be satisfied. If there are no new risks, but an apparently increased exposure, then it’s worth considering whether additional safeguards could be applied to bring the individual within the original (presumably acceptable to the legislator) range. As in my other Right to Object post, identifying new safeguards that can make processing safer for everyone is a highly positive outcome of the Objection process. If, however, no suitable safeguards can be found for an increased risk, it seems unlikely that the controller will be able to demonstrate the required “compelling legitimate grounds” to continue processing after an objection.
Finally, it’s worth noting that starting processing for a Legitimate Interest requires “legitimate grounds”; but continuing after an objection has the stronger requirement that those grounds be “compelling”. This makes sense for both Legitimate and Public Interests, since overruling an objection is, itself, likely to leave the individual feeling harmed. When assessing an objection, data controllers should seek reassurance that the risks are safely within the range originally contemplated, not on the borderline.