GDPR Legitimate Interests: When it isn’t legit
A Hungarian fine reminds us to balance our Legitimate Interests
“Legitimate interests is the most flexible lawful basis for processing,
but you cannot assume it will always be the most appropriate.”
UK Information Commissioner’s Office
Just because we can do something with people’s personal data doesn’t mean we should. And just because no other lawful basis seems a good fit doesn’t mean we can simply fall back on legitimate interests. GDPR and UK regulatory guidance make this very clear.
A recent fine in Hungary gives us a helpful reminder of the conditions we need to meet when relying on legitimate interests, and perhaps an example of when it isn’t appropriate.
The GDPR fine
In this case a bank was relying on legitimate interests to analyse recordings of customer service calls. The Hungarian Data Protection Authority (NAIH) found the activity to be unlawful and issued its highest fine to date of 670,000 Euros.
Artificial intelligence-based software was used to conduct the analysis. It worked from a list of keywords and, based on what was described as the customers’ ‘emotional state’, automatically prioritised customers for bank staff to call back.
While this may immediately strike some as pretty intrusive, we know businesses are relying on legitimate interests for a wide range of activities, which may be equally or less intrusive.
Regulatory guidance in the UK says legitimate interests is most likely to be appropriate when the processing has minimal privacy impact and is within people’s reasonable expectations. So, how can we make sure we are using this lawful basis wisely?
How legitimate interests’ conditions were not met
The Hungarian regulator did not rule the AI analysis of call recordings itself was unlawful, but found the bank had failed to satisfactorily meet the core requirements for relying on this lawful basis under GDPR.
Lack of transparency
The bank said its purposes for this activity were quality control, preventing complaints and increasing the efficiency of customer support. However, it was found the bank’s privacy notice only referred to these activities in general terms.
The privacy notice merely mentioned quality assurance and complaint prevention as purposes for processing. There was no reference made to the voice analysis conducted.
Furthermore it was ruled there wasn’t enough granularity provided in the privacy notice about the reliance on legitimate interests for this activity.
I’ve also written about another recent fine in Sweden surrounding a failure to adequately provide necessary privacy information – Is your Privacy Notice complete?
Right to object not provided
Not only had customers not been adequately informed their calls were being analysed, but the bank also didn’t tell people about their right to object. In fact the bank had determined it wasn’t able to provide customers with this right.
Inadequate Legitimate Interests Assessment
The bank’s assessment of its legitimate interests is said to have only established that the processing was necessary to achieve its purposes of retaining customers and improving efficiency.
The LIA didn’t separate out the different processing operations related to these interests. It failed to assess whether the automated call recording analysis was proportionate and failed to take into account the interests of customers.
Inadequate Data Protection Impact Assessment
The bank had identified that its ‘profiling and scoring activity’ was ‘high risk’ and had duly conducted a DPIA. However, it was found to have failed to identify suitable measures to address the risks it had identified.
Overall the bank was found to have trivialised the risks to people’s fundamental rights, to have failed to provide adequate information and to have ignored the right to object.
Furthermore, the ruling suggests that informed consent might be the only appropriate lawful basis for such activities.
Legitimate Interests Checklist
Here’s a quick reminder of the core elements we need to consider when relying on Legitimate Interests. The following is based on UK GDPR guidance from the Information Commissioner’s Office.
- Reasonable expectations – Are we handling people’s personal data in a way they would reasonably expect? (If we aren’t, do we have a very strong justification for what we are doing?)
- LIA – Have we conducted a Legitimate Interests Assessment? This 3-part assessment should cover:
1) Identifying a legitimate interest
2) Demonstrating the processing is necessary to achieve this
3) Balancing our interests against people’s interests, rights and freedoms
- Privacy rights – Are we able to fulfil people’s privacy rights, such as their right to be informed? This is a crucial point, which may go some way to making sure what we are doing is within people’s reasonable expectations.
- Opt-out – Can we offer people the opportunity to object?
- Explaining our legitimate interests – Are we clearly telling people what activities we rely on legitimate interests for? It’s a legal requirement to spell out our legitimate interests in a privacy notice.
- Record – Have we kept a record of our LIA?
- Review – Do we keep it under review?
- DPIA? – If a more significant privacy impact is identified, have we considered conducting a DPIA?
Whatever we’re choosing to rely on legitimate interests for, this case reminds us that we can’t just use it to process personal data because no other lawful basis ‘works’.
And where we do rely on legitimate interests, we need to make sure we are up front and honest about it, and give people the chance to say no. We would need an exceptionally strong case not to provide the fundamental right to object.