EU: IAB Europe's guide on legitimate interests assessments for digital advertising - Highlights and concerns
Of the six lawful bases for processing set out in Article 6 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), none has resulted in more confusion than legitimate interests. Recent guidance from the Interactive Advertising Bureau Europe ('IAB Europe') (the European-level association for the digital marketing and advertising ecosystem) on legitimate interests assessments ('LIAs') for digital advertising under the GDPR seeks to dispel some of the confusion around appropriate use-cases for legitimate interests, while at the same time providing practical advice on how to conduct LIAs for digital advertising1. Fergal McHugh, Head of Strategy at Arekibo Communications Ltd, provides an overview of what LIAs are and when they are required, and discusses whether legitimate interests are appropriate for digital marketing and advertising.
The guidance is intended for companies engaged in digital advertising and marketing in the EU. It is also essential reading for any controllers availing of the IAB Transparency Consent Framework ('TCF') and who plan on taking advantage of its support for legitimate interests-based processing. This guidance follows on from, and complements, the IAB Europe-UK Guidance on Data Protection Impact Assessments ('DPIAs') released in 20202.
While consent is typically considered the most appropriate legal basis for processing personal data in digital advertising and marketing contexts, legitimate interests affords considerable flexibility and appears to offer an alternative to the technical challenges associated with acquiring consent (particularly in the complex Ad Tech ecosystem). This makes it very attractive to controllers. However, it is not always immediately clear when relying on legitimate interests will be appropriate.
What is a LIA and when is it required?
A LIA is a legal analysis conducted in preparation for a controller's decision to process personal data based on legitimate interests. It should justify that decision, adducing reasons and evidence as required. By contrast, with DPIAs, the GDPR does not actually mention LIAs, and as such neither mandates them nor provides detail on the procedure to be used. Most LIA approaches follow a formalisation proposed by the UK Information Commissioner's Office ('ICO') on the basis of Article 6(f) of the GDPR which requires that 'processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject3.' The ICO has parsed this set of requirements into a three-step process: a 'purpose' test, a 'necessity test,' and a 'balancing test4.' The IAB Europe guidance uses this process. A brief summary is as follows.
The prospective controller needs to identify a legitimate interest in the data subject's information specifically in terms of how they intend to use that information.
Next, the controller must demonstrate that the processing is necessary and proportional, given the specified purpose. They must also be able to demonstrate that they are taking the least intrusive approach to processing.
Finally, the controller must show that their legitimate interests are not outweighed (or overridden) by the data subject's own interests or fundamental rights and freedoms, and indeed expectations.
As stated in the IAB guidance, this exercise must be conducted with an open mind, and with the goal of being as objective as possible. Although the LIA as a named procedure is not a formal or mandatory requirement, establishing and documenting the legal basis of processing unquestionably is. The decision could of course be undertaken informally, and the results documented subsequently. Nevertheless, the IAB's recommendation is that the required legal analysis take the form of a LIA, incorporating rigorous assessment and documentation of all relevant considerations at each stage of the process. An additional nuance is that relevant internal and external factors such as processing requirements, technology, and indeed legislation may change over time and, if so, the justification for processing will need to be updated. The formal LIA process facilities this.
When are LIAs required? The short answer is when a controller intends to process personal data on the basis of legitimate interests. Notably, if a controller is using the IAB TCF framework and intends to appeal to legitimate interests then a LIA is strongly recommended. The broad thrust of the IAB advice is as follows: where legitimate interests is the intended legal basis for processing, conduct a 'formal' LIA.
LIAs and DPIA
A distinctive aspect of the IAB guidance is the clear recommendation that a given LIA be accompanied by, or ideally preceded by, a DPIA. They are of course distinct activities. A DPIA is focused on modelling risk (usually in cases where personal data is being processed on scale, or 'special category' data is involved) and a LIA is a legal analysis which sets out the interests a controller might have in an individual's data. Nevertheless, DPIAs and LIAs intersect in important ways. The type of processing, the level of risk associated with it, and its purpose and necessity are all crucial inputs into a LIA. Each must be captured and understood prior to appealing to legitimate interests as the legal basis of processing.
As discussed above, a LIA involves conducting and documenting three tests: the purpose test, the necessity test, and the balancing test. In the first test the data processor establishes the objectives of processing before identifying the relevant kind of processing as a candidate for legitimate interests. Establishing processing objectives is also a key step when conducting a DPIA.
Secondly, the controller must test for the necessity of the processing. Only necessary processing can be considered eligible under the GDPR framing of legitimate interests. Again, note the intersection with a DPIA here: establishing the necessity of processing is also central to a DPIA. In addition, the iterative 'data minimisation' techniques (and other risk mitigation exercises) which form part of the DPIA process will likely have a correlate in the LIA process where a controller will be seeking the least intrusive approach possible, in order to achieve the required balance.
The third step is the balancing test where the controller needs to weigh up their legitimate interests in the processing with the data subject's rights, freedoms, and expectations. As the guidance notes, the risks associated with processing are crucial to assessing the balance between the controller's interests and those of the data subject. The ability to implement appropriate safeguards mitigating against risk will mean that data subjects' freedoms are less likely to be impacted by the proposed processing, good news for the controller. Once again, a robust DPIA will assist this key balancing exercise.
The IAB's practical recommendation is that, with respect to digital marketing and advertising, a DPIA is going to provide a rigorous route to achieving steps 1 (purpose) and 2 (necessity) and clear the way for step 3. Also, as IAB notes, a robust LIA is an involved, time-consuming undertaking. Leading out with a DPIA can prevent squandering time on a LIA which concludes with a negative decision. Special category data is a good example here. A comprehensive DPIA should help controllers identify and manage the risks of both intentional and (potentially) unintentional processing of special category data. Lack of clarity here is likely to tip the balancing exercise away from the appropriateness of legitimate interests. In any case, early understanding of both processing intent and risks avoids costly issues late on.
The IAB recommendation here is clear. The DPIA procedure offers a rigorous approach to getting clarity on the nature and purpose of the intended processing. In preparing for a LIA, a controller might find themselves undertaking a DPIA-like process by default. As such it is better to intentionally conduct a DPIA and feed it into a more robust LIA.
Is legitimate interests appropriate for digital advertising and marketing?
The IAB guidance appears at a time when increasingly both marketers and privacy aware users are perplexed about when it is appropriate to appeal to legitimate interests when processing personal data. Adding to the confusion is Recital 47 of the GDPR where processing personal data for the purposes of 'direct marketing' is provided of as an example of a case where a controller might appeal to legitimate interests. Recital 47 also mentions fraud prevention as a possible case where legitimate interests might apply. Fraud, and associated matters of efficiency and appropriateness of content and context, are topics of some significance in the digital advertising/Ad Tech space. Nevertheless, in practice cases of processing where legitimate interests is the most appropriate legal basis may not be as common as might be expected.
What is clear is that if legitimate interests can apply to digital marketing, prospective controllers need to go well beyond such umbrella terms when describing their processing purposes. As IAB notes, 'digital marketing' is not defined in the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') or the GDPR. Controllers need to specify precisely what their purpose is in order to frame its eligibility. In addition, IAB warns that the description of purposes supplied in the TCF taxonomy may not be sufficient for the purposes of demonstrating a legitimate interest.
An example of the required specificity at work, provided in the guidance for illustration purposes is frequency capping. This description goes well beyond general categories like 'supporting publishers with targeted ads,' picking out a distinct activity whose benefits can be listed and ranked, as they accrue to advertisers/publishers (greater efficiency) and to data subjects (less repetition). Each discrete purpose must be pushed through the LIA process and documented. It is this level of granularity that makes the LIA process complex and involved, and underlines why a LIA benefits from a prior DPIA.
As stated in the guidance, merely being able to describe a purpose with distributed benefits is far from sufficient, the balance of interests is all important here. In the case of frequency capping, the putative benefits on the data subject side might be easily outweighed by risk and intrusiveness of the processing.
Taken on face-value, frequency capping represents an almost ideal candidate for reliance on legitimate interests. Nevertheless, concerns about how frequency capping gets implemented in the complex Ad Tech ecosystem (and the difficulty of being able to supply evidence of appropriate safeguards) may tip the balance in the direction of the data subject, and toward consent as a more appropriate legal basis.
Does processing data in association with cookies preclude appeal to legitimate interests? The IAB guidance is clear on part of this question. Legitimate interests cannot be used as a basis for setting non-essential cookies as these require consent meeting the GDPR standard. The guidance is less clear with respect to subsequent processing of personal information collected in association with cookies.
The problem with reliance on legitimate interests for the subsequent processing of data collected in association with cookies is that the cookies themselves require consent, on the basis of a specific, intended processing purpose (a nuance recently underscored by the French data protection authority ('CNIL') on this topic)5. As such, under the current legislation, the approach appears to be redundant. When working with cookies there is no room for unforeseen processing. Reading the guidance in conjunction with the legislation it is difficult to see how legitimate interests can provide a reasonable option for strategies that also involve cookies and trackers.
Nevertheless, although the guidance recommends caution here, it does not explicitly rule legitimate interests out. One reason for this may be, as the guidance notes, this is a 'developing' area of legislation and this may change in the future. It also a developing area from a technology perspective; new 'cookie-less' solutions for use-cases which currently rely on trackers may offer opportunities for processing on the basis of legitimate interests that are not currently available.
IAB TCF and legitimate interests
The IAB's TCF is a powerful collaborative tool supporting the standardisation of how businesses operating in the digital advertising ecosystem (publishers, Ad Tech vendors, and agencies etc.) can deliver targeted ads using personal information and, in principle, meet the requirements of the GDPR.
The IAB guidance emphasises that while the TCF can support processing on the basis of legitimate interests, simply meeting the conditions of the TCF does not guarantee the applicability of that basis. As is also recommended, the TCF taxonomies can be useful as tool in systematically describing and categorising purposes and impacts, etc. Nevertheless, the LIA must be conducted prior to the configuration of legitimate interests as the basis for in the TCF Global Vendor List ('GVL'). In short, one cannot bypass the LIA process via a TCF legitimate interests configuration.
While the TCF is designed to support processing of personal data which can meet the requirements of the GDPR, its potential for doing so has been challenged. For example, the Belgian Data Protection Authority ('Belgian DPA') has recently conducted an investigation into the TCF v2.0, prompted by complaints made by the Irish Council of Civil Liberties (among others). An important complaint was that the TCF does not provide adequate protections for special category personal data, even though exchange of such data is facilitated by the TCF, specifically in the case of real-time bidding ('RTB'). The Belgian DPA agreed, and its findings also point to a wider lack of safeguards and security for personal data within the TCF.
Clearly the Belgian DPA's findings (provisional as they are) will need to be taken into account when conducting LIAs. They are relevant, for example, to the 'necessity' test, where the level of intrusiveness is of concern, and to the balancing test where the interests (and the vulnerabilities) of the data subject are weighed against the interests of the processor. Concerns about the security and integrity of special category data will quickly shift the balance of legitimate interests away from the controller. Also of relevance is the Belgian DPA's Recommendation on the processing of personal data for the purposes of direct marketing, from 17 January 2020. The suggestion here is that reliance on legitimate interests for direct marketing (a category which for the Belgian DPA includes digital advertising and marketing) will be the exception rather than the rule. As such, the future of legitimate interests-based processing for digital advertising under TCF looks bleak6.
The extent of this problem can be gleaned from ICO's report on RTB from 2019 which is a valuable resource for prospective controllers seeking to understand the compliance challenges they face using RTB. One of the ICO's findings was that a significant amount of processing of personal data as part of RTB falls between the two stools of valid notice and claims of legitimate interests. Like the Belgian DPA, the ICO concluded that, 'the scenarios where legitimate interests could apply are limited7.' While these findings no longer have relevance for the EU, they are a good indication of a more general trend.
Organisations can draw their own conclusions here, but it appears that legitimate interests is not a panacea for situations where controllers are seeking to overcome the challenges of acquiring consent across such a complex ecosystem. Nevertheless, the fact remains that the TCF relies on a significant amount of processing based on legitimate interests in order to overcome these challenges. If regulatory trends continue in their current direction, significant challenges lie ahead for the TCF.
Where does that leave us with respect to digital advertising? The short, provisional answer here is that is difficult to see how processing of personal data for digital advertising (and digital marketing more broadly) can be conducted on any other legal basis than consent. If we take the comprehensive two-phase approach the IAB recommend (a DPIA feeding into an LIA) it is likely that the DPIA phase will produce a map of processing which, if examined in the clear light of day, will almost invariably push the data controllers in the direction of consent.
Fergal McHugh Head of Strategy
Arekibo Communications Ltd, Dublin
1. Available at: https://iabeurope.eu/wp-content/uploads/2021/03/IAB-Europe-GDPR-Guidance-Legitimate-Interests-Assessments-LIA-for-Digital-Advertising-March-2021.pdf
2. Available at: https://iabeurope.eu/wp-content/uploads/2020/11/IAB-Europe_DPIA-Guidance-Nov-2020.pdf
3. Article 6(f) of the GDPR.
4. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/
5. Available at: https://www.cnil.fr/fr/questions-reponses-lignes-directrices-modificatives-et-recommandation-cookies-traceurs
6. See: https://www.autoriteprotectiondonnees.be/publications/recommandation-n-01-2020.pdf
7. See: https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl191220.pdf