Dentons US LLP

10/16/2024 | News release | Distributed by Public on 10/16/2024 04:29

CJEU Judgement: KNLTB-case

October 16, 2024

Introduction

On 4 October 2024, the European Court of Justice (hereinafter: CJEU) issued an important judgement regarding the interpretation of Article 6 (1)(f) of the General Data Protection Regulation (GDPR). The CJEU ruled that commercial interests of the controller may be regarded as necessary for the purposes of the legitimate interests pursued by that controller under the GDPR. This judgement brings an end to a long-standing debate within the Netherlands, because it contradicts the interpretation of the Dutch Data Protection Authority (hereinafter: Dutch DPA), which holds the view, in short, that a purely commercial interest can never be regarded as a legitimate interest. The Court's judgement follows a preliminary question in a case involving the Royal Dutch Lawn Tennis Federation (hereinafter: KNLTB), which had shared its members' personal data with two of its sponsors in exchange for compensation.

Background

The noteworthy events that preceded this judgement are listed below:

  • 1 November 2019: The Dutch DPA published its 'standard explanation note on the legitimate interest ground in Article 6 (1)(f) GDPR' in which the Dutch DPA issued its strict interpretation of what can constitute a legitimate interest. The strict interpretation of the Dutch DPA is that, in short, a purely commercial interest can never be regarded as a legitimate interest.
  • 20 December 2019: Following complaints lodged by certain members of the KNLTB, the Dutch DPA ruled that the KNLTB had violated Article 6(1)(a) and (f) of the GDPR in conjunction with Article 5(1)(a) of the GDPR, on the ground that it had disclosed its members' personal data without their consent and without any legitimate basis for disclosing their data. Consequently, the Dutch DPA imposed a fine of EUR 525.000 on the KNLTB.
  • 6 March 2020: The European Commission (EC) sent a letter to the Dutch DPA in which the EC stated that the Dutch DPA's strict interpretation is not in line with the GDPR, the guidelines of the Article 29 Working Party/EDPB and the case law of the CJEU. Also, the EC invited the Dutch DPA to readjust the language of the standard explanation note to clearly reflect that commercial interests can be regarded as 'legitimate' interests when (subject to a concrete balancing) they are not overridden by the fundamental rights and freedoms of the data subject.
  • 27 July 2022: In another court case, the Dutch court ruled against the Dutch DPA, which had imposed a fine of 575,000 euros on VoetbalTV for relying on legitimate interest for making and broadcasting video recordings of matches in amateur soccer. According to the Dutch DPA, there was no legal basis for the processing, as VoetbalTV's commercial interest in making the recordings is not considered a legitimate interest. The Dutch court ruled that the Dutch DPA misapplied the legitimate interest test. The Dutch court did not, however, address whether a commercial interest can be a legitimate interest.
  • 22 September 2022: The Dutch court submitted preliminary questions to the CJEU regarding the meaning of the concept of 'legitimate interest' of Article 6 (1)(f) GDPR, and in particular regarding whether a purely commercial interest, consisting in the sale of the personal data of the members of the KNLTB, without the consent of those members, to sponsors for direct marketing purposes may be regarded as a legitimate interest.

Key findings of the CJEU's decision

Conditions for legitimate interest as legal basis

The CJEU has previously held that, for processing to be based on the legitimate interest legal basis, three cumulative conditions must be fulfilled:

  1. Legitimate Interest: The processing must serve a legitimate interest pursued by the data controller or by a third party.
  2. Necessity: The processing of personal data must be necessary for achieving that interest (i.e. for that purpose), which requires an assessment of whether the legitimate interest can be pursued through less intrusive means.
  3. Balancing Test: The interests or fundamental freedoms and rights of the concerned data subjects must not outweigh the legitimate interest(s) of the controller or of a third party.

Interpretation of 'legitimate interest' (ad. 1)

The CJEU reaffirmed that 'legitimate interest', while not explicitly defined in the GDPR, encompasses a broad range of interests, including those of a commercial nature.

Importantly, the CJEU clarified that a legitimate interest does not require that such an interest be determined by law; it only requires that the alleged legitimate interest is lawful. This nuance stresses that organisations must ensure their claimed interests do not conflict with existing laws and regulations.

Data minimisation principle (ad. 2)

The CJEU highlighted that the condition relating to 'necessity' must be examined in conjunction with the principle of data minimisation, asserting that organisations should seek to limit data processing to what is strictly necessary. The CJEU suggested that informing the members beforehand and asking them if they want their data to be transmitted (i.e. seeking explicit consent from the members) before disclosing their data would align with this principle and safeguard members' privacy rights while enabling the KNLTB to achieve its legitimate interests.

Balancing of interests (ad. 3)

The CJEU emphasised the importance of conducting a thorough balancing exercise. It is essential to consider the reasonable expectations of the data subjects regarding the processing of their personal data. Other factors that should be taken into account are the scale of the processing at issue and its impact on the data subjects concerned.

Initial response from the Dutch DPA

In reaction to the CJEU's judgement, the Dutch DPA emphasised its commitment to protecting the privacy rights of individuals. The Dutch DPA reiterated its 'principled opinion' on the law and continues to uphold it even after the CJEU judgement. While acknowledging that the judgement clarifies the legal landscape, the Dutch DPA underscored that this judgement does not grant organisations a free pass to exploit personal data commercially.

The Dutch DPA pointed out that for organisations to successfully claim a 'legitimate interest', they must satisfy all three conditions set forth by the CJEU. The Dutch DPA intends to maintain strict oversight regarding the balancing of interests, particularly emphasizing that the expectations of the data subjects must be considered.

The Dutch DPA's strict interpretation in its standard explanation note had been the subject of debate and was criticised by many for years. Also, this initial response from the Dutch DPA has elicited many critical reactions, primarily because the Dutch DPA appears to act more like a privacy activist than a regulator.

Remarks on the judgement

The judgement serves as a critical reminder for organisations navigating GDPR compliance, particularly when relying on legitimate interest for data processing. Key implications include:

  • Enhanced transparency: Organisations must prioritise transparency and clear communication with data subjects regarding how their data will be processed.
  • Importance of all (legitimate interest) conditions: While the judgement allows for certain data processing under legitimate interests, organisations must also meet the other two conditions for relying on a legitimate interest, including the necessity test and a balancing of interests. The Dutch DPA announced it will continue to closely scrutinise both aspects. Consequently, it remains crucial for data controllers to assess and demonstrate that such processing is necessary and lawful and does not infringe on the fundamental rights and freedoms of data subjects.
    According to the EDPB Guidelines on legitimate interest, information from the balancing test can be provided by the controller to data subjects in advance of any collection of personal data (which can be included in the privacy notice). In any case, the controller should make it clear to the data subjects that they can obtain information on the balancing test upon request. Please note that these Guidelines are still subject to public consultation until 20 November 2024.
  • Reasonable expectations: In the context of the balancing exercise, organisations must carefully consider the reasonable expectations of data subjects as well as the scale of the processing at issue and its impact.