The Court of Justice of the European Union (CJEU) recently gave its preliminary ruling on the interpretation of the legitimate interests condition under Article 7(f) of the Data Protection Directive 95/46/EC (the Directive) in the context of processing by a public authority.
A collision
In 2012, a passenger in a taxi in Latvia suddenly opened the door to get out, and proceeded to damage a passing tram owned by Rīgas satiksme (Rīgas). Rīgas requested the personal details of the passenger (full name, ID number and address) in order to sue for damages so as to repair the tram. It was unknown at this stage that the passenger was a minor. The Latvian police provided the passenger’s full name only, on the basis that Latvian law does not provide for the disclosure of other data to people who are not a party to administrative proceedings leading to sanctions. Rīgas challenged this decision, stating that it required further information to enable it to locate the passenger. This challenge was upheld before later being appealed by the police. Eventually, the Latvian Supreme Court, noting doubts as to the meaning of ‘necessity’ in relation to the interpretation of ‘legitimate interests’ under the Directive, requested an opinion as to whether: (i) the Directive imposed an obligation to disclose personal data to a third party to enable it to bring an action for damages; and (ii) the age of the individual had any bearing as to interpretation.
The CJEU held that under the Directive, a third party may require an individual’s personal data in order to commence civil proceedings against such an individual, and this may satisfy the third party’s legitimate interest; however, it does not impose an obligation to disclose such personal data. Such an obligation would have to originate from national law. Furthermore, the refusal to disclose a minor’s personal data was not justified as the minor had caused the damage. The ruling echoed an earlier opinion by Advocate General Bobek.
Tipping the scales
So what is required for an interest to be legitimate? The Directive requires that personal data must be adequate, relevant and not excessive at the point of collection as well as at the point of processing. Although national law determines the scope of data to be provided, only “necessary and sufficient” data to further a third party’s legitimate interests should be provided. A balance should be sought between effective judicial protection and privacy. Rīgas’ request for the passenger’s address and ID number was deemed necessary for its prospective claim. The ruling also confirmed that if the data belonged to a minor, this fact alone is not enough to render the individual immune from civil liability.
Legitimate interests under the GDPR
Article 6(f) GDPR states that public authorities cannot rely on the legitimate interests ground to legitimise their processing when performing their tasks; this differs from the current position under the Directive. Additionally, it creates a new provision that where the individual concerned is a child, this should be given particular weight.
Going forward, controllers should consider the legitimate interests ground prior to commencing their processing operations to ensure that they are processing only what is necessary and legitimate for their business purposes. Considering legitimate interests could contribute to effective data protection impact assessments, and reflects the principle of accountability under the GDPR.