Legitimate interest assessment as a precondition for the lawfulness of data processing

On 11 January 2023, the Italian data protection authority (“Garante”) issued a decision against Commify Italia Srl for several violations of the GDPR. The decision demonstrates that the lawfulness of data processing may depend on whether or not the controller has actually conducted a legitimate interest assessment.

Background

Commify is a company operating a platform called Skebby. Skebby enables Commify’s customers, which are businesses, to send text messages such as notifications, reminders, and one-time passcodes (OTPs) to their end users via web applications or application programming interfaces (APIs).

In the context of the Skebby service, Commify carries out automated checks on the content of the messages its customers send to their end users. The checks scan the content of the text messages, including the sender alias (an alphanumeric string that identifies the sender in place of a phone number), against certain keywords, URLs, or domains. The purpose of the scanning is to identify potentially fraudulent text messages, such as phishing messages, and to block their delivery automatically.

Following a complaint from one of Commify’s customers, the Garante investigated Commify’s data protection practices. As a result of the investigation, the Garante found that Commify had violated several provisions of the GDPR. This blog post focuses on the violations related to Commify’s unlawful scanning of the content of the text messages sent by its customers to their end users.

Commify cannot rely on legitimate interest without having conducted and documented a legitimate interest assessment

During the investigation, Commify invoked legitimate interest as the legal basis for scanning the content of the text messages. Commify justified this processing activity with the need to avoid being drawn into any legal proceedings that might be initiated against third parties. Given the increasing frequency of fraudulent use of digital services, Commify argued, such involvement would place an additional burden on its operations.

The Garante found that Commify could not rely on legitimate interest without having conducted and documented a legitimate interest assessment. The goal of such an assessment is to determine whether the controller’s processing activity “passes” the three-part test: the purpose test (identifying the legitimate interest); the necessity test (considering whether the processing is necessary for that purpose); and the balancing test (weighing the controller’s interest against the interests, rights and freedoms of the individuals concerned). Only if the outcome of this assessment is positive may the controller rely on legitimate interest.

The Garante considered that, in any event, scanning the content of text messages is highly prejudicial to the freedoms of data subjects and cannot be justified by the controller’s wish to avoid involvement in legal proceedings. Involvement in such proceedings is purely hypothetical and must be regarded as an inherent business risk.

On the other hand, the Garante indicated that scanning the messages is not inherently unlawful. The Garante acknowledged that the risks associated with the use of digital services cannot be underestimated and that the GDPR explicitly mentions fraud prevention as a possible legitimate interest (recital 47). The decision also recognises an interest more significant than Commify’s own interest in avoiding legal proceedings: the interest of third parties in preventing the risks that abusive use of the Skebby service could create for them. The Garante concluded that Commify’s processing might have been lawful, provided that Commify had carried out an assessment taking into account the necessity and proportionality of the processing, the absence of alternatives, the balancing of the opposing interests, and the most effective and least invasive methods of carrying out the processing.

Commify has cumulatively violated several provisions of the GDPR

The Garante found that Commify cumulatively violated GDPR provisions concerning the principles of data processing, the provisions on data protection by design and by default, and the provisions imposing specific obligations on data controllers. For example, by carrying out preventive scanning of the text message content without an appropriate legal basis, Commify violated Article 5(1)(a) (‘lawfulness, fairness and transparency’), Article 6 (Lawfulness of processing), and Article 25 (Data protection by design and by default).

  • Cumulative violation of principles of processing and provisions imposing specific obligations on data controllers

In the context of Commify’s preventive scanning of the text message content without an appropriate legal basis, the Garante concluded that Commify violated both Article 5(1)(a) (‘lawfulness, fairness and transparency’) and Article 6 (Lawfulness of processing). The Garante did not elaborate on why it considered that the unlawful processing violated both articles. It appears that the Garante’s rationale was that processing in violation of Article 6 is inherently contrary to the principle of lawfulness in Article 5(1)(a) as well.

The Norwegian Data Protection Authority expressed a more nuanced view in a decision that we analysed in our recent blog post. It follows from the Norwegian decision that a violation of specific obligations under the GDPR does not always amount to a violation of a general principle. For a principle to be violated, the breach of one or more specific obligations must reach a certain level of gravity, which depends on the circumstances of the given case.

  • Cumulative violation of provisions on data protection by design and default and other provisions of GDPR

The Garante pointed out that Article 25 requires data controllers to implement the GDPR principles so as to achieve data protection by design and by default. Since Commify had failed to do so, the Garante found that, in addition to violating Articles 5(1)(a) and 6, Commify’s preventive scanning of the text messages also breached Article 25 (Data protection by design and by default).

Comment

It appears that the Garante places equal importance on the existence of a legitimate interest and on the assessment of that interest: the absence of either results in unlawful processing of personal data. As the Garante concluded, Commify’s processing was unlawful because the requirements of the three-part test were either not present, or had not been sufficiently weighed, justified and documented (section 4.4, paragraph 11 of the decision).