Transfer of Data in the GDPR: The Definition of Legitimate Interest

The eData Guide to GDPR

October 02, 2018

This installment of The eData Guide to GDPR delves into the legitimate interest derogation, found in Article 49 of the EU General Data Protection Regulation. Where the acceptable methods for cross-border transfer of personal data outlined in Articles 45 and 46 are not possible, under the legitimate interest exception a company may conduct investigations and collect documents from EU data subjects without obtaining the subjects’ written consent, provided six conditions are met.

The passage of the General Data Protection Regulation (GDPR) was sure to cause uncertainty among global businesses with operations both in the European Union and elsewhere because of the regulation’s prohibition against cross-border transfers (i.e., transfers of data from the EU to a non-EU country). Global organizations regularly transfer personal data outside the EU for a variety of reasons and require a means to continue doing so that complies with the GDPR. Articles 44, 45, and 46 of the GDPR describe the general prohibition against cross-border data transfer and the acceptable methods for transferring personal data across borders. Article 49 further outlines a series of “derogations” (i.e., exceptions) that allow transfers in situations where none of those acceptable methods is available. Certain types of transfers fit neatly within the acceptable methods, such as when the EU Commission has made an “adequacy” determination about a jurisdiction, i.e., decided that it provides an “adequate” level of personal data protection, or when an organization has adopted Binding Corporate Rules to facilitate data movement within a global enterprise. In the event that none of these acceptable methods applies, companies can turn to the Article 49 derogations.

General Rule for Cross-Border Transactions

Under Article 44 of the GDPR, transferring personal data to a third country or an international organization may only take place if certain conditions are met.[1] Articles 45 and 46 spell out those conditions. Under Article 45(3), a company may transfer personal data to a third country if the Commission has decided that that country ensures an adequate level of protection. In the absence of such a decision, under Article 46, personal data can be transferred only if the controller or processor has provided “appropriate safeguards” and the data subjects have available and enforceable rights and effective legal remedies.

These two conditions may be difficult to meet for transfers of personal data because the Commission has thus far only issued adequacy decisions for about a dozen countries.[2] Notably, the United States is not among them.[3] And to meet the requirement under Article 46, a company would need to have implemented specific “appropriate safeguards” listed in the article prior to the transfer; for example, implementing Binding Corporate Rules, approved codes of conduct, or certification under the US/EU Privacy Shield Framework. These Article 46 mechanisms are designed to extend the jurisdiction and application of the GDPR to the organizations voluntarily adopting them, which can be an option for global organizations that regularly share data internally across regions. Adoption of these mechanisms is often not feasible for nonroutine data transfers.[4]

When Article 45 adequacy and Article 46 safeguards are not available compliance mechanisms, a company next must turn to the Article 49 derogations. The first derogation under Article 49 states that a transfer is lawful when the data subject explicitly consents to the transfer “after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.”[5] In many situations, it may not be feasible to obtain each data subject’s consent before transfer.

When obtaining data subject consent is not possible, the “legitimate interest” scenario should be evaluated as a potential method of transfer. The European Data Protection Board (Board) released guidelines on the derogations of Article 49 (Guidelines) that specifically address the legitimate interest exception. The Guidelines state that the legitimate interest derogation “is envisaged by the law as a last resort” where none of the other derogations for a specific situation is applicable. It advises a “layered approach” to its use, considering first whether it is possible to use a transfer tool provided in Article 45 or 46 or one of the other specific derogations set out in Article 49, before resorting to the legitimate interest exception. It states that the data exporter must be able to demonstrate that it was “neither possible to frame the data transfer by appropriate safeguards pursuant to Article 46 nor to apply one of the derogations as contained in Article 49(1) § 1.”

Thus, when a company determines that it will rely on the legitimate interest derogation for a transfer of personal data, the first step will be to explicitly document why the transfer cannot meet the requirements of Article 45 or 46, or the other exceptions provided in Article 49. The next step will be to meet the requirements of the exception itself.

Application of Article 49 Legitimate Interest Derogation

Once a company can demonstrate that it was not possible to frame its data transfer within other lawful scenarios, it can then work to establish that the transfer can lawfully be conducted under the legitimate interest derogation.

Article 49 provides:

[A] transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and of the compelling legitimate interests pursued. (Emphasis added.)

Thus, to transfer data under the legitimate interest exception, an organization needs to meet all of the following requisites:

  1. The transfer is not repetitive
  2. The transfer concerns only a limited number of data subjects
  3. The transfer is necessary for the purposes of a compelling legitimate interest pursued by the controller that is not overridden by the interest or rights and freedoms of the data subject
  4. The controller has provided suitable safeguards with regard to the protection of personal data
  5. The controller informs the supervisory authority of the transfer
  6. The controller informs the data subject of the transfer and the compelling legitimate interest pursued

Requirements Under the Legitimate Interest Exception

(1) Transfer Is Not Repetitive

The Board Guidelines state that to meet this requirement, the transfer may happen more than once, but not regularly, and “would occur outside the regular course of actions, for example, under random, unknown circumstances and within arbitrary time intervals.” According to the Board, a data transfer that occurs regularly within a stable relationship between the data exporter and a certain data importer and is “systematic and repeated” would not be considered occasional or not repetitive.

[T]ransfers should be interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place.[6]

(2) Transfer Concerns Only a Limited Number of Data Subjects

The Guidelines state that there is no threshold number for what constitutes a “limited number” of data subjects. The acceptable number will depend on the context of the transfer, in that the amount must be “appropriately small taking into consideration the type of transfer in question.”

The Board gives the example of a data controller that needs to transfer personal data to detect a “unique and serious security incident in order to protect its organization.” That company should analyze how many employees’ personal data it would have to transfer in order to achieve this goal. In this situation, the Board states that “the transfer should not apply to all the employees of the data controller but rather to a certain confined few” in order to meet the requirement.[7]

(3) Transfer Is Necessary for the Purposes of a Compelling Legitimate Interest of a Controller That Is Not Overridden by the Interest or Rights and Freedoms of the Data Subject

The Guidelines state that a “compelling” legitimate interest is a higher threshold than a general legitimate interest test. “Compelling legitimate interest” here means the interest is relevant and “essential for the data controller.” The example given by the Board is where the transfer of personal data is essential in order to protect an organization or system from “serious immediate harm or from a severe penalty which would seriously affect its business.”[8]

Once a company has determined that it has a compelling legitimate interest to transfer the data, it must conduct a balance test to ensure that that interest is not overridden by the “rights and freedoms” of the data subject. According to the Guidelines, this means that the data controller must carefully consider any possible negative effects on the data subject, including the “likelihood and severity” of any such effects and any possible damage to the data subject. The company should consider both material and nonmaterial damage (such as loss of reputation of the data subject).[9]

While the Board provides guidance on how to apply the compelling legitimate interest balance test, the Guidelines do not discuss the consequences when the rights and freedoms of the data subject outweigh the compelling legitimate interest of the data controller in a given scenario. Instead, the Board discusses protecting the data subject from any of the predicted possible damage by providing “suitable safeguards” (which are also part of a separate requirement, discussed below). The Guidelines state that the balance test “highlights the special role that safeguards may play in reducing the undue impact of the data transfer on the data subjects and thereby in possibly influencing the balance of rights and interests to the extent that the data controller’s interests will not be overridden.”[10]

Thus, if during the compelling legitimate interest balance test, the data controller predicts that there may be possible negative effects to the data subject, the damage can be neutralized by providing suitable safeguards to protect the subject. If the controller can provide these suitable safeguards, then the rights and freedoms of the data subject would not outweigh the compelling legitimate interest, and the controller would meet this portion of the legitimate interest requirement.

(4) Controller Provides Suitable Safeguards with Regard to the Protection of Personal Data

Although suitable safeguards are discussed above in relation to neutralizing possible harm to the data subject in the compelling legitimate interest balance test, the Board warns that providing suitable safeguards is also a separate legal requirement that still must be considered, even in the absence of any safeguards needed to meet the legitimate interest requirement.

However, as far as what those safeguards might entail, the Board states that there is no “general requirement.” Safeguards to consider include the following:

  • Measures aimed at ensuring deletion of data as soon as possible after the transfer
  • Limiting the purposes for which data may be processed following the transfer
  • Whether it is sufficient to transfer pseudonymized or encrypted data
  • Technical and organizational measures aimed at ensuring that transferred data cannot be used for purposes other than those strictly foreseen by the data exporter[11]

(5) Controller Informs the Supervisory Authority of the Transfer

The Guidelines state that this requirement does not mean that the supervisory authority needs to authorize the transfer. Rather, informing the authority serves as an additional safeguard: it allows the authority to assess the implications of the data transfer if additional scrutiny is warranted.

As for compliance with this requirement, the Board recommends that the data exporter record “all relevant aspects of the data transfer e.g. the compelling legitimate interest pursued, the ‘competing’ interests of the individual, the nature of the data transferred and the purpose of the transfer.”[12]

(6) Controller Informs the Data Subject of the Transfer and the Compelling Legitimate Interest Pursued

The Guidelines make it clear that the data controller must inform the data subject of the transfer and the compelling legitimate interest that the controller is basing the transfer on, and that this is a separate requirement from the information that must be provided by Articles 13 and 14 of the GDPR (“Information to be provided where personal data are collected from the data subject” and “Information to be provided where personal data have not been obtained from the data subject,” respectively).[13]

The compelling legitimate interest derogation (and thus the requirement to inform the data subject of the transfer and of the compelling legitimate interest pursued) was not in previous iterations of data protection laws in the EU. Guidance provided by the Board is relatively silent on this issue, simply reiterating Article 49’s language that notice must be provided to the data subject in addition to any requirements under Articles 13 and 14. Thus, it is still unclear exactly how much information a controller would need to provide to a data subject in order to satisfy this requirement.

The exact language of Article 49 states that the controller must “inform the data subject of the transfer and of the compelling legitimate interests pursued.” This language is clearly less onerous than the notice requirements under Articles 13 and 14, which require the controller to inform the data subject of the identity and contact details of the controller, the recipient of the data, the categories of the personal data that will be transferred, the purposes of the processing, the legal basis for the processing, etc. Rather, it appears that Article 49 simply requires a notification that the transfer is taking place and a description of what the compelling legitimate interest basis is for the transfer. An example of a compelling legitimate interest can be found in the Guidelines, which state that protecting a company from “serious immediate harm” or from “a severe penalty which would seriously affect its business” would both be considered compelling legitimate interests.[14] Presumably then, to comply with the requirement to inform the data subject about the transfer under the compelling legitimate interest derogation, a data controller could simply inform the data subject that a transfer of his or her data (without specifying the type of data) was taking place to protect the business from a severe penalty that would seriously affect its business.

Some sources have noted that notifying the data subject and the supervisory authority of the transfer may cause logistical issues during certain types of investigations.[15] However, as stated above, one of the requirements of using this derogation is demonstrating that it was “neither possible to frame the data transfer by appropriate safeguards pursuant to Article 46 nor to apply one of the derogations as contained in Article 49(1) § 1.” This would include, in some cases, “demonstrating verification of whether the data transfer can be performed on the basis of the data subjects’ explicit consent to the transfer.”[16] Thus, because it is necessary to “demonstrate serious attempts”[17] at other viable transfer mechanisms, the data subject would (at least in many cases) have already been informed about the possibility of a data transfer by the time the controller resorted to the compelling legitimate interest transfer mechanism.

This interpretation would follow the Board’s guidance that the compelling legitimate interest derogation is a “last resort,” only to be used when no other transfer mechanism (including consent of the data subject) is possible.

Conclusion

Under the legitimate interest derogation set out in Article 49 of the GDPR, a company can conduct investigations and collect documents from EU custodians without obtaining written consent of the custodians, provided certain conditions are met. As described above, to rely on the legitimate interest derogation, a company must do the following:

  • Expressly document why the transfer does not meet any of the acceptable means of transfer listed in Article 45, 46, or 49(1) § 1 of the GDPR. For example, where the information and documents are collected directly from EU custodians pursuant to an investigation but where there has been no adequacy determination made by the Commission nor Binding Corporate Rules in place.
  • Expressly document why the transfer will not be repetitive. For example, because investigations are fact specific and each involves outside counsel requesting collection of specific documents, these types of collections are not routine instances of data collection and would not be considered repetitive.
  • Expressly document why the transfer involves a limited number of data subjects. For example, investigations tend to be narrowly focused on a small number of custodians and thus are inherently limited in their nature.
  • Expressly document why the transfer is necessary for purposes of compelling legitimate interests of the company that are not overridden by the privacy rights and freedoms of the custodians. For example, investigations for the purpose of evaluating enterprise risk and compliance-related issues should satisfy the requirement of a compelling legitimate interest, and further, because the data sought is information that only incidentally may contain personal information (such as names and titles) related to the custodian’s work and business activities, the business interests should also outweigh concerns with individual privacy and freedom. Additionally, the Board specifically states that a transfer for the purpose of preventing “serious immediate harm or severe penalty” is a compelling legitimate interest.
  • Impose suitable safeguards. For example, in the collection and transfer of data pursuant to an internal investigation, a company can endeavor to narrowly focus the collections and screen the documents before transfer to ensure the requisites above are met. Screening can be done by the outside counsel handling the investigation and should involve (1) confirming that the specific documents requested were received and (2) that personal or sensitive personal information of other individuals is not contained in the documents received or is minimized.
  • Notify the supervisory authority. This can be done by the company’s privacy officer.
  • Inform the custodian of the transfer and the compelling legitimate interests on which the company relies to facilitate the transfer.

[1] Article 44 states, “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”

[2] Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the United States (limited to the Privacy Shield framework).

[3] The United States and European Union have designed a Privacy Shield framework to enable organizations to voluntarily self-certify compliance with certain data protection requirements. Once certified, the commitment is enforceable under US law, including by the Federal Trade Commission and US Department of Commerce.

[4] “Appropriate safeguards” here can be provided by (a) a legally binding and enforceable instrument between public authorities or bodies; (b) Binding Corporate Rules; (c) standard data protection clauses adopted by the Commission; (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission; (e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

[5] GDPR Art. 49(1) § 1.

[7] Id. at 15.

[8] Id.

[9] Id. at 16.

[10] Id.

[11] Id.

[12] Id. at 17.

[13] Id.

[14] Id. at 15.

[15] “Finally, this derogation also requires that the company inform the competent data protection authority and the data subject of the transfer. Disclosure of data could then be subject to potential legal challenges before EU data protection authorities . . . .” Brief for Amicus Curiae European Company Lawyers Association in Support of Respondent 16.

[17] Id.