A story about legitimate interests

5 min read

Georgia Iacovou

02 Aug 2019

This is a real-life application of ‘legitimate interests’ — read it and marvel at its disturbing flexibility

A couple of months ago our CEO Rich had an amazon package delivered while he was out. The delivery person decided to leave it with the Pret A Manger across the road. Therefore, Pret now have his name and address without his consent. But, one could argue, this was necessary for his package to get get delivered. It was a legitimate interest.

Tweet from CEO Rich about how Amazon package ended up at Pret without consent

The comments under this post range from talking about legitimate interests and saying things like ‘I hate to break it to you Richard but all I did was Google you and now I know everything about you and any business that you’ve ever interacted with knows the same 🤷🏻‍♀️’.

So while these comments are true, what they fail to grasp is nuance. The comments about how everyone already has your data anyway is just useless defeatism; a kind of ‘it’s already broken so just keep breaking it’ stance. Sure, Richard’s (and yours and everyone’s) data is all over the place, but isn’t that all the more reason to at least make an attempt at some data hygiene?

Then there were comments that said his consent was not necessary because handling the package like this was a legitimate interest. Just so we’re all on the same page, ‘legitimate interests’ refers to article 6 of the GDPR which outlines the lawful ways in which you can process data. There is a way you can do it without getting consent:

[if] Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Taken from the GDPR, read the full thing here

Cor, what an engaging read. In normal-speak what this means is the entity processing the data can do so without your consent as long as it has a legitimate interest to do so. The second part of it explains that the entity cannot do this if it somehow conflicts with your human rights (those are always getting in the way of data processing🙄).

The ICO themselves describe legitimate interests as ‘the most flexible of the six lawful bases’, and have extensive guidelines on when it’s appropriate to use them. The guidelines help, but they don’t allow us escape from…

The grey area, where we all now live

Let’s just take a quick look and see if the ICO guidelines help us figure out whether or not Rich’s data was lawfully processed:

  1. The processing is not required by law but is of a clear benefit to you or others: In our case, Rich benefits by getting his package on time
  2. There’s a limited privacy impact on the individual: is this not up to the individual? Someone might not care that a few Pret employees now have access to their address. Another might care a lot and consider it an invasion of privacy. Also remember that he does live with his wife and she uses that Pret regularly too. It’s more than just his data.
  3. The individual should reasonably expect you to use their data in that way: This isn’t like when you make a payment online and enter your card details — in that case you reasonably expect the card details to be used to take the payment. Does anyone reasonably expect their package to be dropped off at a nearby Pret?
  4. You cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing: this one is interesting because on the one hand it probably would have been annoying for Rich to organise for redelivery, but on the other hand leaving it at Pret didn’t seem like the most optimum option.

You can see where these guidelines would clarify things in certain situations, but I don’t know if it’s clarified anything in our situation. What this illustrates is how vague legitimate interests is, and may explain how you get interpretations like this. Guess this is called a grey area for a reason.

Rich put his trust in Amazon and now he's somehow expected to also trust the Pret A Manger employees from across the road with his personal details.

Don’t forget that we have third-parties at play here. Amazon have used MyHermes to get the package delivered. That means they have put their trust in MyHermes to do the right thing. Rich put his trust in Amazon and now he’s somehow expected to also trust the Pret A Manger employees from across the road with his personal details.

How a user's data travels from one third party to another without consent The Journey of Rich’s data — no consent necessary

Rich has his own legitimate interests

Such as keeping his name and address relatively private. Remember, the GDPR says you can process data without consent except: “where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”

Some consider it a fundamental right and freedom to have privacy, and part of having privacy is ensuring strangers do not know your full name and address. But you have to give out your name and address if you want to get packages delivered. So does this ultimately boil down to trust?

Basically, yes. Rich gave Amazon his address. That action implies he trusts Amazon (and all their third parties) to use his address in the correct way. The story I just laid out before you is a great application of legitimate interests but, annoyingly, it does not mean that legitimate interests were being exercised in any official way. While the story of Rich’s package delivery is true, the legitimate interests remain slippery and elusive…

the author

Georgia Iacovou

Content Writer