Extract from Cassandre Coyer’s article “The Netherlands’ Unusual Take on GDPR Sparked Criticism. But Could It Catch On?”
The Netherlands’ data protection authority’s strict interpretation of the GDPR’s “legitimate interest” ground for processing data has sparked a wave of criticism from privacy law professionals, local courts and even the European Commission.
While privacy law professionals don’t believe the Dutch interpretation is likely to catch on in other EU nations, what happened in the Netherlands underscores the tensions between local DPAs and the European Commission on interpretations of the GDPR, which will likely prompt more guidance to come out in the near future.
The Dutch Take on Legitimate Interest
Under the General Data Protection Regulation (GDPR), organizations must be able to rely on a ground to allow for lawful processing of data, said Quinten Kroes, a partner at Brinkhof in Amsterdam. One of the lawful grounds listed by the EU is the one often referred to as “legitimate interest.”
To rely on legitimate interest, organizations must pass a three-pronged test, including whether the processing of data is necessary to meet that interest and whether there is an appropriate balancing of interests between the data controller and subjects, Kroes said.
In 2019, the Dutch DPA took the controversial position that the legitimate interest ground could not be used for a commercial interest.