Legitimate interest constitutes an alternative basis for lawful processing that might be applicable to the use of data gathered from social networks, even though public authorities cannot rely upon this basis when acting. For those who can use this legal basis, three cumulative conditions should be met:
- the pursuit of a legitimate interest by the data controller or by the third party, or parties, to whom the data are disclosed,
- the need to process personal data for the purposes of the legitimate interests pursued, and
- the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence.
Thus, in principle, legitimate interest could be the perfect legal basis for processing in this context. However, there are some good reasons to consider that this basis will not always apply to the use of data for scientific research:
- First, legitimate interest should apply to all joint controllers, in case joint controllership applies to the processing. In the Fashion ID case, the CJEU specified that in such circumstances “it is necessary that each of those controllers should pursue a legitimate interest […] through those processing operations in order for those operations to be justified in respect of each of them”.
- Second, controllers should be able to demonstrate that the balancing test has been adequately performed (see “Balancing Test” section in the “Actions and Tools” part of these Guidelines). This means that joint controllers are able to establish that the processing is necessary to achieve those legitimate interests. This is hard to achieve, since “necessary” requires a connection between the processing and the interests pursued. This means that it should be considered whether other less invasive means are available to serve the same end. Similarly, processors should be able to demonstrate that their legitimate interests at stake are not overridden by the data subject’s interests or fundamental rights and freedoms. This is all hard to demonstrate, especially if minors are involved in the processing.
- Third, legitimate interest could hardly apply as a legal basis for lawful processing if such processing involves intrusive profiling and tracking practices, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.
- Fourth, by contrast, if we are considering data pertaining to data subjects who have already had a previous relationship with the ICT researcher and innovator through the social network, using legitimate interest as a legal basis seems pretty reasonable. However, controllers should take into consideration whether the previous relationship was similar to the one that is about to be built.
If legitimate interest is finally chosen as the legal basis for processing, controllers shall keep in mind that the duties of transparency and the right to object require careful consideration. Data subjects should be given the opportunity to object to the processing of their data for targeted purposes before the processing is initiated. Users of social media should not only be provided with the possibility to object to the processing when accessing the platform, but should also be provided with controls that ensure the underlying processing for specific purposes of their personal data no longer takes place after they have objected to the processing.
Checklist: legitimate interest
☐ The controllers have checked that legitimate interest is the most appropriate basis for processing.
☐ The controllers have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
☐ The controllers have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests.
☐ The controllers are not using people’s data in ways they would find intrusive or which could cause them harm, unless there is a very good reason.
☐ If the controllers foresee the processing of children’s data, they have taken extra care to make sure that legitimate interest is a suitable basis.
☐ The controllers have considered safeguards to reduce the impact where possible.
☐ The controllers have introduced adequate tools to ensure that the right to object is easy to implement by the data subjects.
☐ If the controllers have identified a significant personal data protection impact, they have considered whether they also need to conduct a DPIA.
☐ The controllers include information about their legitimate interests in their privacy information.
1 CJEU, Judgment in Fashion ID, 29 July 2019, C-40/17, para. 95 – ECLI:EU:C:2019:629.
2 See Article 29 Working Party Opinion 06/2014 on the concept of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP217, 9 April 2014, https://ec.europa.eu/justice/Article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf
3 Article 29 Working Party, Opinion on profiling and automated decision making, WP 251, rev. 01, p. 15; see also Article 29 WP, Opinion on legitimate interest, p. 32 and 48: “Overall, there is an imbalance between the company’s legitimate interest and the protection of users’ fundamental rights and Article 7(f) should not be relied on as a legal ground for processing. Article 7(a) would be a more appropriate ground to be used, provided that the conditions for a valid consent are met”.
4 Guidelines 8/2020 on the targeting of social media users, Version 2.0, adopted on 13 April 2021, at: https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf, p. 11.