The Brazilian Data Protection Authority (ANPD) opened on 16 August 2023, through this link, a public consultation regarding the Preliminary Study on the personal data processing legal basis of legitimate interest. The consultation will be open for 30 days (until 15 September) on the Participa Mais Brasil platform.
The Preliminary Text aims to define and provide guidance on the application of the legitimate interest of controllers and third parties, based on the Brazilian General Personal Data Protection Law (LGPD). It also includes a simplified step-by-step for the analysis of legitimate interest, as well as guidelines and a template for the Legitimate Interest Assessment (LIA).
Among the main points of the Preliminary Text, the following are worth highlighting:
- The interest will be considered legitimate when: (i) it is compatible with the legal system; (ii) it is based on concrete situations; and (iii) it is linked to legitimate, specific and explicit purposes.
- Personal data processing can be carried out in order to protect the controller’s and third parties’ legitimate interests, which includes the interests of the collectivity. When legitimate interest is used as a legal basis for personal data processing, the legitimate expectation of the data subject must be observed.
- Personal data processing based on legitimate interest must be preceded by an LIA, which must take into account the legitimacy of the interest, the necessity of the processing, the impacts on the data subjects’ rights, and their legitimate expectations in comparison with the involved interests. To this end, the Preliminary Text presents a balancing test template segmented into the phases of: (i) purpose; (ii) necessity; and (iii) balancing and safeguards.
- Regarding the personal data processing of children and adolescents based on legitimate interest, the Preliminary Text indicates that its enforcement tends to be residual. The controller must take into account, as a priority, the best interest of the child or adolescent. Moreover, they must prepare and keep a record of the reason for the processing, which must be appropriate to the case and capable of demonstrating the following:
(i) What was considered to be the best interest of the child or adolescent
(ii) The criteria by which their rights were balanced against the legitimate interest of the controller or a third party
(iii) That the processing does not generate disproportionate or excessive risks or impacts, considering the condition of children and adolescents as individuals with rights
- According to the Preliminary Text, processing based on legitimate interest should not be considered if the LIA is not conclusive or if security and risk mitigation measures appropriate to the legal basis are not identified.
- When the personal data processing activity is based on legitimate interest, the Preliminary Text highlights the requirement of such activity being included in a Record of Processing Activities in detail and referring an LIA – and if there is high-risk processing, the activity must also be included in a Data Protection Impact Assessment (DPIA).
- The Preliminary Text also emphasizes the need for compliance with the principles of necessity and transparency.
- The Preliminary Text emphasizes that the use of legitimate interest as a legal basis in the processing of personal data by the Public Authorities is not appropriate, due to the asymmetry of powers, and should be limited. Legitimate interest may be admitted as a legal basis when the use of the data is not compulsory or when the state’s actions are not based on the exercise of typical state prerogatives, which result from the carrying out of legal obligations and assignments.
Additionally, the Preliminary Text provides a discussion on the processing of sensitive personal data grounded on the legal basis of guaranteeing the prevention of fraud and the security of the data subject. The text highlights that there are similarities between the legal basis of guaranteeing prevention of fraud and the security of the data subject and legitimate interest. Therefore, the guidelines on the LIA can also be applied in cases of use of the legal basis of guaranteeing the prevention of fraud and the security of the data subject. We emphasize here that the use of legitimate interest is not applicable to the processing of sensitive personal data.
Finally, it is important to point out that the Preliminary Text attempts to subsidize the content of the Guidelines on the legal basis of legitimate interest and is based on the collaboration of processing agents and society, combined with the technical expertise of the ANPD.
* * * * *
Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.