Legitimate Interests: A Legal Basis to Process

Post on 01-Feb-2018

Page 1: Legitimate Interests: A Legal Basis to · PDF fileLegitimate Processing Beyond Consent ... • Must balance the legitimate interests of the controller against ... - Exception for de-identified

Legitimate Interests: A Legal Basis to Process

Page 2

Maintaining Protection While Facilitating ICT Growth

• The primary mechanism for data protection governance is purpose specification notices and consent

• This is particularly true in Latin America

• However, data-driven innovation is hard to explain, involves the creation of new data and challenges the effectiveness of notice and consent

• Data stewardship models (accountability) may provide an effective answer

Page 3

Legitimate Processing Beyond Consent

• The global data protection community increasingly recognizes that consent does not protect individuals effectively

– Data increasingly leads to the creation of new data

– Compatible purposes are not anticipated by either controllers or individuals

– Notices do not drive awareness

• EU Directive has always had the concept of legitimate business interests

– Always required a balancing

• New “draft” guidance gives direction

– Greater recognition by authorities

Page 4

Legitimate Interest Guidance

• Legitimate interest should be used if appropriate

– Do not use consent where it is not effective

• Must balance the legitimate interests of the controller against all issues of individuals

• Balancing processes must be describable to enforcement agencies and interested individuals

Page 5

This Session

• Will place European law into comparative context

• Provide examples of the balancing process

• Discuss legitimate interests as they relate to marketing analytics

Page 6

Data Privacy v. Data Protection

• U.S. privacy laws protect ‘reasonable expectations of privacy’

• EU data protection laws prohibit processing of personal data – unless a statutorily accepted justification applies

Page 7

Big Data Defined

• Data

• Personal data and the myth of anonymity

• Big?

• New purposes, e.g., statistics, traffic, health, security, marketing

Page 8

Data Privacy and Legitimate Interest

• What is legitimate?

• How to balance privacy interests v. data usage interests?

• Who decides on legitimacy and balancing?

Page 9

Data Privacy and Consent

• When is consent really informed, voluntary, specific, express and in writing?

• Can it be – with respect to big data?

• Should it be?

Page 10

Overview of MasterCard’s Transaction Processing Business

Merchant

• Contracts with an Acquiring Bank to process payments and settle funds

• Accepts MC card as a form of payment

Cardholder

• Agrees to payment terms of the Issuing Bank

• Transacts with Merchant who accepts MC card

Acquiring Bank

• Processes payment transaction with MC

• Settles funds with MC on behalf of their Merchant

Issuing Bank

• Has financial relationship with Cardholder

• Extends credit/issues MC card

MC Data Center (MC Transaction Routing)

MC authorizes, clears and settles payment transactions between merchants, processors and banks

Page 11

Data Collected

• No Contact Information

• Account Number

• Transaction Amount

• Transaction Date

• Merchant-Reported Fraud

Page 12

Legitimate Interest Analysis

Legitimate Interests

Anti-fraud

Internet Security

Anti-Money Laundering

Misuse

Legal claims (dispute resolution)

Parties in Interest

Issuers

Acquirers

Merchants

Cardholders (data subjects)

Fraudsters/Criminals

Page 13

Balancing Test

• Controllers’ Legitimate Interests

• Impact to Data Subjects

– Assess the impact

– Types of data

– The way the data is processed

– Reasonable expectations of the data subject

– Safeguards

• De-Identification, aggregation and data minimization

• Transparency

• Right to Object

Page 14

Current Framework. Legitimate Interests in Directive 95/46/EC

CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE

Article 7

Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

(d) processing is necessary in order to protect the vital interests of the data subject; or

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

PRINCIPLES RELATING TO THE LEGITIMACY OF DATA PROCESSING (Spanish-language version of Article 7, translated)

Article 7

Member States shall provide that personal data may be processed only if:

a) the data subject has given his consent unambiguously, or

b) it is necessary for the performance of a contract to which the data subject is party or for the application of pre-contractual measures taken at the request of the data subject, or

c) it is necessary for compliance with a legal obligation to which the controller is subject, or

d) it is necessary to protect the vital interest of the data subject, or

e) it is necessary for the performance of a task in the public interest or inherent in the exercise of public authority conferred on the controller or on a third party to whom the data are disclosed, or

f) it is necessary for the satisfaction of the legitimate interest pursued by the controller or by the third party or parties to whom the data are disclosed, provided that the interest or the fundamental rights and freedoms of the data subject which require protection under Article 1(1) of this Directive do not prevail.

Page 15

Future framework. Legitimate Interests in the Proposed GDPR

EUROPEAN COMMISSION’S PROPOSAL

(http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf)

Very similar to 95 Directive, except:

- Call out for the protection of minors

- Carve out for processing carried out by authorities in the performance of their task

- Delegated acts

LIBE COMMITTEE’S REPORT (http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf)

- Last resort (when the other bases do not apply)

- Explicit & separate information to the data subject

- Publishing of the reasons

- Prepopulated list of scenarios

Page 16

A29 WP Opinion 6/2014. Past, Present & Future http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf

• Historical lack of harmonized interpretation

• As valid as any other ground

– Not a last resort (when everything else fails)

– But not the ‘weakest link’ either

• What is considered a legitimate interest?

– Lawful, clearly stated, real & present

– From trivial to compelling

– Necessity test

• What about the data subject interest or fundamental rights?

– Broad interpretation

– Legitimacy not required

• The complexity of the balancing test

– Nature of the interest & nature of the impact

– Nature of the data & the processing

– Data subject’s expectations

– Provisional balance

– Role of additional safeguards & opt outs

• Recommendations for GDPR

– Recitals on factors & documentation

– Substantive provision on explanation by controllers

Page 17

Legitimate Interests Absent in Latin America

Argentina (Ley 25.326 - 2000) http://www.jus.gob.ar/media/33481/ley_25326.pdf

- General rule: Free, express and informed consent (“consentimiento libre, expreso e informado”)

Mexico (LFPDPPP – 2010) http://inicio.ifai.org.mx/LFPDPPP/LFPDPPP.pdf

- General rule: implicit consent (“consentimiento tácito”)

- Sensitive data: express consent (“consentimiento expreso”)

- Exception for de-identified data (“datos disociados”)

Perú (Ley nº 29733 – 2011) http://www.educacionenred.pe/noticia/?portada=8167

- General rule: prior, informed, express and unambiguous consent (“previo, informado, expreso e inequívoco”)

- Sensitive data: in writing

- Exception for de-identified data (“datos disociados”)

Costa Rica (Ley nº 89698 – 2011) http://www.archivonacional.go.cr/pdf/ley_8968_proteccion_datos_personales.pdf

- References to both express and informed consent

Nicaragua (Ley nº 787 – 2012) http://legislacion.asamblea.gob.ni/normaweb.nsf/9e314815a08d4a6206257265005d21f9/e5d37e9b4827fc06062579ed0076ce1d

- Consent is the general rule, through written or electronic means

- Exception for de-identified data (“datos disociados”)

Colombia (Ley 1581 de 2012) http://www.sic.gov.co/documents/10157/0/Ley_1581_2012.pdf/

- Previous & informed authorization (“autorización previa e informada”)

Brazil (Marco Civil – 2014) http://www.planalto.gov.br/CCIVIL_03/_Ato2011-2014/2014/Lei/L12965.htm

- Express consent (“consentimento expresso”)

- Data Protection Bill still to be released