The communications between the EC and Dutch DPA, which were uncovered by Dutch newspaper NRC in response to a Freedom of Information Act request, provide a glimpse into the tension between the EC and local DPAs on their views and interpretation of the GDPR. While the DPAs seem to be getting more and more strict when interpreting the law and forcing businesses to stop activities, it appears that the EC is determined to remind them that the GDPR's aim is to allow the conduct of business while ensuring a high level of data protection. The proactive intervention by the EC is more than welcome, as we currently see that the GDPR is more and more used as a showstopper by EU DPAs. Not only does this approach conflict with the intentions of the EU legislator and existing case law of the EU Court of Justice, it has severe implications for businesses operating in the EU. The destructive effects of the Dutch DPA's legitimate interest position have already been painfully clear in one enforcement case, where the company VoetbalTV went into bankruptcy due to the lengthy investigation and imposed fine.
European Commission letter
The letter of the EC makes it clear that the EC wishes the Dutch DPA to change its strict position. The EC explicitly states that categorically excluding commercial interests as potential legitimate interests undermines the fundamental freedom to conduct a business as enshrined in the Charter of Fundamental Rights of the EU. The EC furthermore views that the Dutch DPA's interpretation conflicts with the three-part test following from case law of the EU Court of Justice that must be applied when assessing whether a legitimate interest exists that outweighs the rights and freedoms of the data subjects. This three-part test consists of the following steps:
establishment of the existence of a legitimate interest behind the processing;
assessment regarding the necessity of the processing in question;
balancing the legitimate interest of the controller with the fundamental rights and freedoms of the data subject.
The EC views that the Dutch DPA disregards these steps as it stops its assessment at the first step by determining that no legitimate interests exist in case of pure commercial interests, without even considering steps 2 and 3.
The EC furthermore criticizes the Dutch DPA for disregarding existing guidance of the WP29 and EDPB, which does not categorically exclude the pursuit of purely commercial interests. The EC also reminds them that the recitals of the GDPR clearly state that certain purely commercial interests can be legitimate interests, such as direct marketing.
Dutch DPA response
It seems that the Dutch DPA was unaffected by the criticism as it still stands by its position. In fact, the chairman of the Dutch DPA responded to the EC that he fundamentally disagrees with their views. He believes that the EC's interpretation of legitimate interest does not follow logically from case law of the EU Court of Justice and that this issue needs to be crystallized further. The chairman underlines the fact that the Dutch DPA is an independent entity and that the interpretation of legitimate interest is still being discussed with other DPAs and within the EDPB.
The response of the Dutch DPA is not surprising. The Dutch DPA has already issued fines based on its strict legitimate interest interpretation, which were overturned by Dutch Courts. These court decisions did not persuade the Dutch DPA to change its position, but resulted in the Dutch DPA appealing with the Council of State, the highest Dutch general administrative court. We are expecting a decision by the Council of State within the next few weeks. Hopefully, the letter of the EC will have an impact.
Authored by Joke Bodewits and Chantal van Dam.