
What is the ‘legitimate interests’ basis? - Tomte
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/
======
lordlarm
Without any precedent on concrete examples of what is legitimate and what is
not, this clause in the GDPR is its biggest weakness.

If a company sells something online they only really need your address & name
for delivery + credit card details. Then you could argue it is legitimate to
use an email to create an account, fair enough. But without precedent it's so
easy to just say 'in order to increase revenue (legitimate interest) we're
going to use all emails to send a newsletter, boosting sales'. And then you
could use the 'Right to object' in the GDPR as a fallback for your actions.

I know of multiple companies where they prior to GDPR asked for explicit
consent during signup for being allowed to send newsletters, but who post-GDPR
dropped the consent and use 'Legitimate interests' to justify it. Basically
leaving the individual worse off.

~~~
snowwolf
I forget where I saw it, but I thought this was a good test of whether it is
legitimate interest. It went something like:

"Would a 'reasonable' person be surprised if you told them about how you were
using the data?"

~~~
JoeAltmaier
That scale slides around every day. And 'being surprised' and 'being happy'
are very different things also.

I'd prefer to have hard limits. No collecting any info from my computer about
me that isn't explicit in the interaction itself (asking for email is ok;
scraping installed apps while doing that to gauge my interests is not).

~~~
matthewmacleod
“Reasonable person” tests are pretty common and well-understood in general.
One of the reasons that the GDPR in particular avoids being overly
prescriptive about _how_ to meet its requirements is to avoid situations where
it becomes inapplicable or obsolete due to changes in technology or habits.

~~~
true_religion
In the US, a reasonable person test is meaningless without a body of precedent
setting cases.

If the language of a new law uses it with regards to a new technology, then no
one can be sure what the courts will decide.

It may be different in the EU, as the legal system is quite different.

------
isostatic
I love that completely hypothetical example of a public figure on a train
making a political point.

[cough] [https://www.bbc.co.uk/news/uk-politics-37167700](https://www.bbc.co.uk/news/uk-politics-37167700)

I mean why bother attempting to obscure it when it's such a commonly known
about case.

~~~
DanBC
Important to point out that the VM rebuttal has been debunked and most of
those supposedly empty seats have children and shorter people in.

That choice to mislead the public makes it a bit of a weird example to use by
ICO.

------
ckastner
Note that this only addresses the _lawfulness_ of the processing under Article
6 GDPR, which itself is only one of the required _principles_ relating to the
processing of personal data that must be upheld under Article 5.

Other principles that must be upheld, for example, are _data minimization_
(lit c) or _storage minimization_ (lit e).

I know that one of the supervisory authorities has already ruled that the
principle of data minimization trumps the lawfulness argument of "legitimate
interests" in certain cases. Certain records must be destroyed when the
legally mandated terms for keeping them have expired (e.g. 7 years).

------
fr0xk
Hackers becoming lawyers, journalists becoming hackers! xD

------
dannyw
Facebook’s ability to not allow you to opt out of personalised advertising is
the white elephant in the room, and a clear sign that GDPR is not sufficient.

~~~
mpweiher
Who says that Facebook is compliant?

Enforcement hasn't really started yet, but what I've read is that they are
preparing some pretty big cases.

~~~
icebraining
In fact, Max Schrems (who previously got FB to start giving people access to
their data) has filed a complaint hours after the GDPR went into full effect:
[https://www.irishtimes.com/business/technology/max-schrems-f...](https://www.irishtimes.com/business/technology/max-schrems-files-first-cases-under-gdpr-against-facebook-and-google-1.3508177)

