FPF and Data Privacy Brasil Webinar: Understanding ‘Legitimate Interests’ as a lawful ground under the LGPD
Author: Katerina Demetzou
On Thursday, 20th of May 2021, the Future of Privacy Forum (FPF) and Data Privacy Brasil (DPB) co-hosted an online event to launch the English translation of a Report on Legitimate Interests as a lawful ground for processing personal data under Brazil’s Data Protection Law, the Lei Geral de Proteção de Dados (LGPD). The Report explores the role of this lawful ground through use cases and a theoretical framework.
Miriam Wimmer, one of the Directors of the Brazilian Data Protection Authority, gave the keynote address, followed by a panel discussion with Bruno Bioni, Director of DPB and co-author of the Report; Lara Kehoe-Hoffman, VP Privacy and Security Legal and Data Protection Officer of Netflix; Marcela Mattiuzzo, Partner at VMCA Advogados; and Hielke Hijmans, Member of the Board of Directors of the Belgian Data Protection Authority. The event was moderated by Gabriela Zanfir-Fortuna, Director for Global Privacy at the Future of Privacy Forum.
Below you will find the most important points that were raised during the discussion, starting with an overview of how the LGPD absorbed legal concepts from the GDPR, including that of “legitimate interests” (LI) as a lawful ground for processing personal data, while molding them to the Brazilian legal culture (Section 1). A brief presentation of the Report on Legitimate Interests under the LGPD follows, including an explanation of what the “normative equation” of LI under the LGPD is and examples of processing scenarios where LI is usually relied on lawfully (Section 2). The summary continues by mapping out misconceptions and current key points of debate about relying on LI as they emerged from the panel discussion (Section 3), and ends with a list of the main takeaways (Section 4).
1. Legitimate Interests under the LGPD: inspired by the GDPR, but developing under their own rhythm in Brazil
In her keynote address, Miriam Wimmer highlighted two important aspects that should be taken into consideration when looking at the data protection legal landscape in Brazil. First of all, only recently did Brazil adopt a Data Protection Law, which ultimately came into force in September 2020. It was not until 2018 that the debate around the right to data protection opened up to the broader stakeholder community that also included business representatives, academics, and civil society groups. The recent history of the LGPD suggests that various topics remain unexplored and immature, and explanatory guidelines are therefore required.
A second aspect is the fact that the LGPD has been very strongly influenced by the GDPR and the European approach to the right to data protection. More specifically, in Brazil, the right to data protection is associated with the protection of fundamental rights and it relates to the idea of informational self-determination and control over the way that processing of personal data takes place.
Similarly to the GDPR, the LGPD has embraced an ex ante approach by requiring the data controller to abide by certain legal obligations before proceeding to any processing operations. Additionally, the LGPD enumerates data protection principles which have drawn inspiration from the OECD guidelines and the GDPR and has in place data subject rights that empower individuals to exercise control over their data. Most importantly, the LGPD, as is the case for the GDPR, aims to enable and not restrict data flows while simultaneously guaranteeing a high level of personal data protection.
Ten lawful grounds for processing
After laying out this background, the Director of the ANPD made some important points specifically relating to the LI ground. To begin with, having LI as a legal ground for processing shifts the focus away from consent as the only ground that ensures self-determination and control of individuals over processing operations.
The LGPD provides for ten legal bases for processing. According to Wimmer, data controllers should not treat the LI basis either as a last resort or as a preferred option. On the contrary, and given that there is no hierarchy among the ten legal bases, data controllers should decide on the most appropriate legal ground according to the concrete circumstances of each case. However, Wimmer considers that further analysis and a better understanding are needed with regard to the meaning of each basis and the circumstances under which it should be chosen over the others.
Under the LGPD, the LI ground is about balancing the legitimate interests of the data controller or a third party and the fundamental rights and freedoms of the data subjects. It consists of three tests, namely the purpose test, the necessity test and the balancing test. Under Article 10 LGPD, the personal data that are to be processed need to be strictly necessary for the defined purposes and there is a requirement of enhanced transparency.
The relationship between “Legitimate Interests” and Data Protection Impact Assessments
Additionally, the law gives the ANPD the possibility to require a Data Protection Impact Assessment (DPIA) from the data controller that processes data on the basis of the LI ground. This last requirement has spurred a debate on whether a DPIA is the most appropriate type of assessment given that it is complex and that not all processing operations based on the LI ground present significant risks. Instead, a legitimate interest assessment appears to be the preferred option.
Miriam Wimmer also mentioned that while the LI is a mature concept in the EU, this is not the case for Brazil and therefore there is still a need for guidance on what exactly legitimate interests are under the LGPD and in which cases they would serve as an appropriate legal basis. One of the most heated debates around LI during the legislative process of the LGPD was around whether LI will end up being a carte blanche for data controllers. The ANPD aims to ensure that the LI legal ground will not be abused and will be used appropriately.
2. Exploring use cases and practical tests: the Report on Legitimate Interests under the LGPD
Bruno Bioni, one of the co-authors of the Report whose translation into English was launched during the event (together with Mariana Rielli and Marina Kitayama), introduced its structure and content. The Report begins by presenting the history behind the introduction of the LI ground in the LGPD, followed by a detailed analysis of its singular normative design under the law.
Article 7 enumerates LI as one of the lawful grounds for processing, Article 10 specifies the requirements for application of the LI ground and Article 37 requires the keeping of records when the LI is used as the basis for processing. In the Report, the combination of these articles is considered to be the ‘normative equation of Legitimate Interests under the LGPD’.
The policy paper takes the view that the Legitimate Interest Assessment is a four-step process consisting of: a legitimacy test, a necessity test, a balancing test and the assessment of safeguards.
The Report then analyzes the possibility that the ANPD has to request the controller to perform a DPIA in cases where the LI ground is used. According to DPB, the process of performing a DPIA should not be triggered by the legal ground used in each case, but by the high risk profile of each specific processing operation.
In the last part, the Report presents ten case studies in order to help practitioners apply the LI ground in practice.
There were multiple scenarios mentioned by the speakers whereby the use of LI as a ground is prima facie appropriate. Some examples are: fraud detection and prevention systems security, employment data processing (e.g. company directory, ethics reporting hotlines), general corporate operations (e.g. conducting audits), analytics for product and service improvement.
Speakers also discussed why LI is a necessary legal ground to be included as an option in sophisticated, comprehensive data protection legislation meeting the demands of the digital economy, while also aiming to provide safeguards for the protection of both individual and collective rights and interests. In practice, lawfully relying on LI demands thoughtfulness from data controllers.
They need to perform at least three separate tests (legitimacy, necessity, balancing), carefully assess whether LI is indeed the most appropriate legal ground in the case at hand, and they have to take into consideration the data subject’s expectations and interests. Among these, as Hijmans pointed out, the balancing test is very challenging because by its very nature it is a subjective exercise that needs to be further objectified if possible.
3. Misconceptions and Key Points of Debate about relying on LI
There were several misconceptions about relying on LI identified during the panel discussion, common to the LGPD and the GDPR, but primarily emerging from the longer practice under the GDPR.
Panelists agreed that a common misunderstanding is that there is a hierarchy among the different lawful grounds for processing. In both jurisdictions, all lawful grounds for processing are equal and their application should depend on the specific circumstances of each case. For instance, consent should not be considered the main legal basis for processing data, as is often the case in practice, with the other lawful grounds seen as exceptions.
The question of whether a purely commercial interest can serve as a legitimate interest was mentioned not so much as a misconception, but as the subject of current lively debate around LI and a challenging issue to be solved in the upcoming updated guidance of the European Data Protection Board on LI.
Another misconception was identified around the question of whether processing personal data on the basis of legitimate interests is less protective of the rights of individuals compared to other lawful grounds. Speakers commented that this is not the case, especially where controllers are diligent about the necessary assessment and balancing of interests required to lawfully rely on LI for processing personal data, and about complying with all the rights individuals have even in relation to personal data processed on the basis of LI.
It surfaced from the panel discussion that what is very important, from a practical point of view, is the ability to understand first of all what personal data controllers are collecting. Secondly, it is important to precisely identify what they intend to do with the personal data, or the purpose of processing. Then, the basic filter through which every decision on whether to rely on LI should pass is that of the individual’s reasonable expectations and the filter of fairness. This is why both the principle of accountability and the principle of fairness are key in being able to lawfully rely on LI as a lawful ground for processing.
4. Main Takeaways
The Report on Legitimate Interests under the LGPD published by Data Privacy Brasil and translated into English with support from FPF is a significant contribution to developing the theory and practice of the new data protection legal framework in Brazil. The launch of the English version of the Report prompted an engaging discussion that furthered the understanding of how LI should be applied in practice to take into account both the rights and interests of individuals on one hand, and the interests of controllers and third parties on the other hand. These are the key takeaways that emerged from the keynote and panel discussion:
- All discussants agreed that LI should neither be the preferred nor the last option for legitimising processing of personal data. There is no hierarchy among the possible lawful grounds for processing.
- It is crucial that data controllers understand what personal data they are processing and why they are processing that data. Having this clear, organizations can make the choice for the most appropriate legal ground, complying with the principle of accountability.
- The principle of fairness should be central to the discussion on the LI ground. Along with reasonable expectations of the individuals, fairness should constitute the filter through which the decision to rely on LI must pass.
- The obligation to perform a DPIA should not be attached to the choice of applying the LI ground as the appropriate legal basis. Instead, a legitimate interest assessment that follows the structure and reasoning of a proportionality test should be performed.
- More guidance from the ANPD is expected to clarify how the tests for lawfully relying on LI should be performed.