Brazilian Data Protection Authority publishes guidelines on Legitimate Interest legal basis
The guidelines advise controllers on the parameters and limits for applying the legitimate interest legal basis provided for in the LGPD, and establish a balancing test model
On February 2, 2024, the Brazilian Data Protection Authority (ANPD) published the Guidelines on the Legal Bases for Personal Data Processing: Legitimate Interest. The Guideline offers practical guidance on applying this legal basis, which is provided for in the Brazilian Data Protection Law (Law No. 13,709/2018, the "LGPD"), and sets out general parameters for its interpretation.
The ANPD reinforced the need for a careful and duly substantiated analysis in each case where processing relies on legitimate interest, so that the controller can assess whether the processing meets the requirements of the LGPD and whether the fundamental rights and freedoms of the data subjects are respected. Beyond legitimate interest, the Guideline also notes that a similar analysis is required when processing relies on fraud prevention and the security of the data subject, which is one of the legal bases provided for the processing of sensitive personal data.
Main points for controllers to consider
- Nature of personal data: the ANPD reaffirms that legitimate interest does not apply to the processing of sensitive personal data. Therefore, if the processing involves data of this nature, the controller must check whether another legal basis among those provided for in Article 11 of the LGPD justifies the processing;
- Identifying the legitimacy of the interest: interest is a broad concept covering any benefit or advantage that may result from the processing of personal data. The interest is considered legitimate when it meets three conditions: compatibility with the legal system; grounding in concrete situations; and connection to legitimate, specific and explicit purposes;
- Defining whether the interest is the controller's or a third party's: it is necessary to check whether the interest on which the processing activity is based is that of the controller itself or of a third party. A third-party interest may be that of any person other than the controller, whether natural or legal, or of a group of people. Interests of the community, encompassing society as a whole, may also ground the use of the legitimate interest legal basis. Even where the main interest is a third party's, the controller remains the agent responsible for demonstrating that the processing serves legitimate purposes;
- Fundamental rights and freedoms: the LGPD emphasizes the preponderance of the fundamental rights and freedoms of the data subject within the scope of the legal basis of legitimate interest, which must be balanced by the controller. Therefore, the use of this legal basis presupposes that the controller carries out an assessment to identify the risks related to the fundamental rights and freedoms of the data subjects, including whether the impacts caused are proportionate and compatible with these rights and what safeguards should be adopted in the specific case to mitigate the risks. The ANPD highlights the importance of controllers providing a channel that is easily accessible to data subjects, so that the rights provided for in the LGPD can be exercised as necessary;
- Legitimate expectation of the data subject: the controller must assess and be able to demonstrate that the processing of personal data for the intended purpose is reasonably expected by the data subjects in that context. The analysis of legitimate expectation can be based on various factors, such as: the existence of a previous relationship between the controller and the data subject; the form and source of the data collection (e.g. whether the collection was carried out directly by the controller, whether the data was shared by third parties or collected from public sources); the context and period of data collection; and the intended purpose of the collection and its compatibility with processing based on legitimate interest. ANPD emphasizes that, in order to guarantee effective compliance with the legitimate expectations of data subjects, the controller must provide mechanisms for exercising rights;
- Necessity, transparency and recording of operations: the LGPD reinforces the importance of complying with the principles of necessity and transparency when processing is based on legitimate interest. In other words, the controller must ensure that only the minimum data necessary is processed and must reinforce transparency measures. Regarding the recording of processing operations, the ANPD notes that the controller may formalize the analysis carried out on the use of legitimate interest, in particular the balancing test, in that record.
Children and adolescents’ data
In line with Statement No. 1/2023 published by the ANPD, the guidelines recognize that legitimate interest may be used to process children's and adolescents' data, provided that the processing complies with the principle of their best interests. In addition to the general points above, the controller must be able to demonstrate: what was considered to be the best interest of the child or adolescent; the criteria by which their rights were weighed against the legitimate interest of the controller or a third party; and that the processing does not generate disproportionate or excessive risks or impacts. The guidelines highlight that if the result of the balancing test is inconclusive, or if adequate security and risk mitigation measures cannot be identified, another legal basis should be adopted.
The ANPD has also reiterated its earlier view that the processing of children's and adolescents' data may constitute high-risk processing. Therefore, regardless of the balancing test, the controller must prepare a Data Protection Impact Assessment if the processing is considered high risk to the general data protection principles and to the civil liberties and fundamental rights of the data subjects, in accordance with the other parameters established by the ANPD.
Balancing test (Legitimate Interest Assessment)
The balancing test is a proportionality assessment that considers the context and specific circumstances of the processing, including the impacts on and risks to the rights and freedoms of data subjects. The ANPD presents a model balancing test, which is not mandatory.
The model presented by the ANPD is based on three phases:
- Purpose: Analysis of the context in which the processing is carried out, as well as the nature of the personal data involved, identification of the interest that justifies the processing and the legitimacy of the controller or third party to which the interest belongs;
- Necessity: Analysis of whether the personal data is necessary, relevant, and up to date to fulfill the intended purpose. The ANPD also recommends assessing whether less intrusive forms can be used;
- Balancing and safeguards: final balancing of the interests of the controller or third party against the fundamental rights and freedoms of the data subject. To do this, the controller must assess the risks to which data subjects may be exposed and whether the processing falls within their legitimate expectations. At this phase, when the personal data belongs to children or adolescents, the prevalence of their best interests must also be assessed.
Moreover, the ANPD highlights that identifying a risk or negative impact on data subjects does not in itself rule out the use of legitimate interest. The LGPD does not require zero impact; rather, it requires the controller to assess such impacts and take them into account when adopting safeguards.
Podcast
You can listen to our Único podcast episode on the subject (available in Portuguese).
For more information on these subjects, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.