GDPR has been in effect for the last month and while there has been a tremendous about of discussion around what the law ultimately will mean for the online advertising industry, IAB members continue to grapple with mixed interpretations of the law in the absence of clearer regulatory guidance. Key among the outstanding questions is the role of legitimate interest as a valid legal basis for processing activities related to personalized advertising.
While companies will need to make determinations of their own regarding when and how legitimate interest may be used, there is an argument to be made that in certain circumstances legitimate interest is not only an acceptable legal basis, but was specifically considered by lawmakers as an appropriate basis.
It is helpful to remember that the concept of legitimate interest predates GDPR, having first been introduced with GDPR’s predecessor, EU Directive 94/46/EC. Section 7(f) of the Directive stated that processing of personal data may take place where it is necessary for the legitimate interests pursued by the controller, subject to an additional balancing test against the data subject’s rights and interests. In other words, Article 7(f) allowed processing subject to a balancing test, which weighed the legitimate interests of the controller – or the third party or parties to whom the data are disclosed – against the interests or fundamental rights of the data subject.
In 2014, the Article 29 Working Party provided additional guidance on key factors to consider when applying a balancing test. Notably, the guidance highlighted the important role that safeguards and privacy-protective measures and policies can play in reducing the undue impact on data subjects and thereby favoring companies’ legitimate interests in a balancing test. The guidance highlighted [self-regulatory] opt-outs, aggregation and anonymization techniques, privacy-enhancing technologies, and transparency as examples of possible safeguards.
While GDPR left legitimate interest largely unchanged, the addition of Recital 47 provides additional clarity into when and how legitimate interest is to be applied. Notably, the law states “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” While this statement is not definitive, it very clearly leaves open the possibility that direct marketing may be carried out via legitimate interest where the processor can demonstrate that 1) the have a legitimate interest, 2) that the processing is necessary in pursuit of that legitimate interest, and 3) that the individual’s rights and interests are not overridden.
Over the last month, publishers have been struggling to maintain pre-GDPR revenues in Europe as publishers and advertisers have adopted a cautious compliance stance. IAB is confident that as guidance and best practices develop, and as industry-wide solutions such as the IAB Europe and IAB Tech Lab Transparency & Consent Framework receive increased market adoption, the digital advertising industry will exercise its available compliance options and successfully operate in Europe, while regulators will recognize the significant contribution the industry makes to society.
IAB encourages our members to join our regular discussions on the latest GDPR Developments. Visit gdpr.iab.com for publicly available resources and look for invitations to our upcoming member events.