Companies abuse a loophole in data protection law

By EDRi · December 19, 2012

This article is also available in:
Deutsch: [Firmen nutzen Lücke im Datenschutzgesetz | https://www.unwatched.org/EDRigram_10.24_Firmen_nutzen_Luecke_im_Datenschutzgesetz?pk_campaign=edri&pk_kwd=20121219]

Personal data of internet users are often processed on a legal basis too
weak to provide real protection of the users’ right to privacy. On 11
December 2012, EDRi member Bits of Freedom published a report about
the flaws of the so-called “legitimate interest” ground as a basis for
data processing.

This ground is the last of six grounds included in article 7 of the Data
Protection Directive (95/46/EC). Data controllers are free to choose on
which of these six grounds they base the processing of personal data,
provided the data does not fall under a specific consent-regime (such as
sensitive data or location data). Processing based on legitimate
interest allows data controllers to process personal data without
the consent of their users, provided that the interests of the data
controller or third parties are weighed against the interests and
rights of these users.

In practice, this legal ground creates a loophole in the data protection
regime. Bits of Freedom’s report demonstrates that the use of the
“legitimate interest” ground by companies such as Facebook and Google
leads to the over-collection of personal data, as such companies often
let their own interests prevail over the interests of their users. The
balance test is not subject to any authorization and the users are not
in a position to effectively challenge the test. This means that in
practice, a company is free to collect a lot of personal information
without the users’ consent.

As addressed in the latest EDRi-gram, the consequences of wrongful data
processing can be very severe. The BoF report presents recommendations
to fix this loophole in data protection law. European data protection
rules are currently under debate in Brussels. These rules should
generally provide better protection of the rights and interests of
users. Processing based on the legitimate interest ground should be
limited and the right to object to processing based on legitimate
interest must be improved.

A loophole in data processing (11.12.2012)
https://www.bof.nl/live/wp-content/uploads/20121211_onderzoek_legitimate-interests-def.pdf

ENDitorial: What could possibly go wrong? (5.12.2012)
https://edri.org/edrigram/number10.23/what-could-possibly-go-wrong-data-protection

(Contribution by Janneke Slöetjes – EDRi member Bits of Freedom –
Netherlands)