Assessing Legitimate Interest vs Consent

Assessing Legitimate Interest vs Consent

Overview

GDPR Article 6(1) provides six lawful bases for processing. Consent (Article 6(1)(a)) and legitimate interest (Article 6(1)(f)) are the two most commonly used bases for commercial data processing. Choosing the wrong basis creates compliance risk: relying on consent when it cannot be freely given undermines validity, while relying on legitimate interest when consent is required (e.g., for electronic marketing under the ePrivacy Directive) violates sectoral law.

Decision Framework: When to Use Each Basis

Use Consent When:

1. Regulatory requirement: Specific legislation mandates consent (e.g., ePrivacy Directive Article 5(3) for non-essential cookies, Article 13 for unsolicited electronic marketing)
2. Special category data: Processing sensitive data under Article 9(2)(a) requires explicit consent
3. Automated decision-making: Processing under Article 22(2)(c) requires explicit consent
4. International transfers: Article 49(1)(a) explicit consent for transfers without adequacy/safeguards
5. User control priority: The processing is entirely optional and the data subject should have full control

Use Legitimate Interest When:

1. Power imbalance exists: Consent cannot be freely given (employer-employee, public authority-citizen)
2. Processing is necessary: The processing is necessary for the controller's or third party's legitimate interest and is proportionate
3. Reasonable expectation: The data subject would reasonably expect the processing (Recital 47)
4. Withdrawal would be problematic: If consent withdrawal would cause operational issues (e.g., fraud prevention)
5. No specific consent requirement: No ePrivacy or sectoral law mandates consent

Power Imbalance Indicators

Per EDPB Guidelines 05/2020 (paragraphs 13-25) and Recital 43, consent is presumed not to be freely given when a clear imbalance exists:

The Three-Part Legitimate Interest Assessment (LIA)

Per CJEU case law (C-13/16 Rigas, C-40/17 Fashion ID) and Article 29 Working Party Opinion 06/2014:

Part 1: Purpose Test

Is the interest legitimate?

• The interest must be lawful (not in itself illegal)
• The interest must be real and present (not speculative)
• The interest must be sufficiently clearly articulated

CloudVault SaaS Inc. examples of legitimate interests:

• Network and information security (Recital 49)
• Fraud prevention and detection
• Direct marketing to existing customers (Recital 47)
• Internal administrative purposes within a group (Recital 48)
• Service improvement based on aggregated usage analytics

Part 2: Necessity Test

Is the processing necessary for the legitimate interest?

• Could the same interest be achieved with less data?
• Could the same interest be achieved without processing personal data?
• Is the processing proportionate to the interest pursued?

Part 3: Balancing Test

Do the data subject's rights and freedoms override the legitimate interest?

Decision Tree

START: Need to establish lawful basis for processing activity
  │
  ├─► Q1: Does specific legislation require consent?
  │     (ePrivacy Art. 5(3) for cookies, Art. 13 for e-marketing,
  │      GDPR Art. 9(2)(a) for special categories, Art. 22(2)(c) for automated decisions)
  │     │
  │     ├─ YES → Use CONSENT (mandatory)
  │     │
  │     └─ NO → Continue to Q2
  │
  ├─► Q2: Is there a power imbalance between controller and data subject?
  │     (employer-employee, public authority, service dependency)
  │     │
  │     ├─ YES → Consent likely INVALID; consider LEGITIMATE INTEREST
  │     │         (or legal obligation/public task if applicable)
  │     │
  │     └─ NO → Continue to Q3
  │
  ├─► Q3: Is consent conditioned on the service?
  │     (Would refusing consent result in service denial or degradation?)
  │     │
  │     ├─ YES → Violates Art. 7(4); consent likely INVALID
  │     │         Consider LEGITIMATE INTEREST or restructure the service
  │     │
  │     └─ NO → Continue to Q4
  │
  ├─► Q4: Is consent withdrawal operationally feasible?
  │     (Can you stop processing immediately if consent is withdrawn?)
  │     │
  │     ├─ NO → LEGITIMATE INTEREST may be more appropriate
  │     │        (e.g., fraud prevention cannot stop mid-transaction)
  │     │
  │     └─ YES → Continue to Q5
  │
  ├─► Q5: Does the data subject reasonably expect this processing?
  │     │
  │     ├─ YES → Either CONSENT or LEGITIMATE INTEREST may work
  │     │         Choose based on control preference and overhead
  │     │
  │     └─ NO → CONSENT is more appropriate
  │               (unexpected processing needs explicit agreement)
  │
  └─► Q6: Final determination
        ├─ If consent: Implement full Art. 7 requirements (freely given, specific,
        │   informed, unambiguous, withdrawal as easy as giving)
        └─ If LI: Document three-part LIA, implement opt-out mechanism,
            include in privacy notice per Art. 13(1)(d)/14(2)(b)

Common Scenarios at CloudVault SaaS Inc.

Key Regulatory References

• GDPR Article 6(1)(a) — Consent as lawful basis
• GDPR Article 6(1)(f) — Legitimate interest as lawful basis
• GDPR Article 7(4) — Conditionality prohibition
• GDPR Recitals 47, 48, 49 — Guidance on legitimate interest scenarios
• Article 29 WP Opinion 06/2014 on Legitimate Interest (WP217)
• EDPB Guidelines 05/2020 on Consent — Power imbalance analysis
• CJEU C-13/16 (Rigas) — Legitimate interest balancing test
• CJEU C-40/17 (Fashion ID) — Joint controller LI responsibility
• ePrivacy Directive Articles 5(3) and 13 — Sector-specific consent requirements
• WP29 Opinion 2/2017 on Data Processing at Work — Employee consent limitations