On 4 October 2024, the CJEU released its judgment on KNLT vs AP (C-621/22) ("October Judgment") which clarified that a commercial interest of a data controller may be relied on as a legitimate interest under Article 6(1)(f) EU GDPR, subject to certain conditions. This is contrary to the strict position of the Dutch Data Protection Authority ("AP" or "Dutch DPA") in its related guidance from earlier in the year (see our previous April/May Data Wrap here).
The October Judgment was the culmination of a five-year saga between the Dutch DPA and the Royal Dutch Lawn Tennis Association ("KNLT") which began shortly after the Dutch DPA issued its 2019 guidance on legitimate interests. The 2019 guidance introduced a stricter approach to the scope of legitimate interests and excluded purely commercial interests from constituting a legitimate interest under Article 6 GDPR.
In line with this guidance, the Dutch DPA issued a fine of €525,000 to KNLT on the basis that KNLT unlawfully relied on "legitimate interests" as a lawful basis for sharing the personal data of its members with its sponsors, so that the sponsors would be able to send advertisements and promotional offers to KNLT members. The sponsors included a company that sold sports products and a provider of games of chance and casino games. According to the Dutch DPA, the personal data included names, gender information and addresses of over 300,000 members.
In September 2022, KNLT appealed against the fine to the Amsterdam District Court which then referred a number of questions to the CJEU relating to the appeal. The questions included whether "a purely commercial interest… [namely] the provision of personal data in return for payment without the consent of the data subject concerned, could be regarded as a legitimate interest" and "if so, what circumstances determine whether a purely commercial interest is a legitimate interest"?
In response, the CJEU referred to the three-pronged test for legitimate interests as set out in Meta Platforms (C-252/21) and SCHUFA Holding (C-26/22 and C-64/22), which states that for a legitimate interest to arise:
- there must be a pursuit of a legitimate interest by the data controller or a third party;
- the processing of personal data for the purposes of the legitimate interest pursued must be necessary; and
- the interests or fundamental freedoms and rights of the data subject concerned must not outweigh the legitimate interest of the controller.
The CJEU also held that the meaning of "legitimate interest" in Article 6(1)(f) EU GDPR did not need to be "limited to interests enshrined in and determined by law" (though it does need to be lawful), and that Recital 47 of the GDPR expressly stated that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest".
As such, the CJEU concluded that the processing of personal data to satisfy a commercial interest of the data controller "may be regarded as necessary for the purposes of the legitimate interest pursued by the controller" but that the following conditions must also be met:
- Necessity and data minimisation: The processing of personal data for such commercial interest "cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects" (i.e. the processing must be necessary and the data controller should adhere to the data minimisation principle);
- Data subject rights: The data controller must comply with its transparency requirements, including informing data subjects of the purposes and lawful basis of such processing and ensuring they have a right to object; and
- Balancing test: The data controller must conduct a balancing test of the opposing rights and interests at stake, taking into account (as set out in Recital 47 of the GDPR) whether: (i) the data subjects could reasonably expect, at the time when their personal data was collected, that the data would be disclosed to third parties (e.g. including for commercial purposes); and (ii) the legitimate interest is characterised by a relevant and appropriate relationship between the data subjects and controller.
Ultimately, it will be for the referring court in this instance to consider the facts of the case and determine whether the above conditions are met. For example, the CJEU mentioned that the Dutch courts may wish to consider that the fact that members' data was shared with providers of casino games may mean that this activity fell outside of a "relevant and appropriate relationship between the data subjects and controller". As such, whether a commercial interest can amount to a legitimate interest should be assessed on a "case-by-case" basis.
Either way, the CJEU makes clear that the Dutch DPA has taken too narrow an approach to defining legitimate interests and it will be interesting to see how the Dutch DPA will revisit its related guidance, including, most recently, its more controversial guidance from earlier this year on data scraping where it stated that "data scraping will almost always be a violation of the General Data Protection Regulation".