In recent months, when accessing websites, we are seeing a new way of presenting cookie choices more and more frequently.
Next to the well-known banner with the “accept cookies” button there is often a link such as “find out more” or “more options”. Clicking on one of these links opens a cookie wall, a practice the European Data Protection Board (EDPB) has already declared non-compliant, together with a series of choices relating to profiling cookies, including third-party ones, for which the consent box is unchecked while the legitimate interest box is already checked.
Legitimate interest is one of the six legal bases that the European Regulation 2016/679 (GDPR) considers lawful for data processing. Consent of the data subject (the interested party) and legitimate interest of the data controller (or of third parties) are two different legal bases.
The GDPR deals with the legal bases in art. 6; art. 6, lett. f) refers to Recitals 50 and 47. Quoting the latter: “It may be considered legitimate interest to process personal data for direct marketing purposes”. In the case of profiling cookies, even third-party ones, it does not appear correct to consider legitimate interest as a legal basis, in the light of this recital and even more so in light of art. 22 of the GDPR.
Consent, which must be freely given, specific, informed, unambiguous and revocable at any time, is given by the data subject in response to a request from the data controller for a specific processing operation.
Legitimate interest is a legal basis that is identified and used by the Data Controller only after balancing the rights of the Data Controller against those of the data subjects.
Before starting any data processing on the basis of legitimate interest, the Data Controller must assess whether it has correctly considered all the risks involved, and therefore all the possible consequences for the data subjects (possibly carrying out a DPIA), and must also collect and document enough elements to be able to show that the respective interests were properly balanced against each other.
Giving the data subject the chance to consent to or deny legitimate interest seems nonsense. First of all, this practice is unlawful according to the EDPB: a user with average IT knowledge will not spend time selecting which companies may profile them or for what purposes, so the practice is in clear contrast with the principles of the GDPR and the EDPB's indications regarding consent. Last but not least, if the legal basis is legitimate interest, for which the data controller has reasonably balanced the interests, how can the data subject give or deny consent with respect to the legitimate interest declared by the data controller? Following this reasoning, it is as if two legal bases for the same processing and the same purpose overlap (!), ultimately confirming the legitimate interest of the Data Controller.
We are witnessing a new operational practice that is spreading, and we hope that national DPAs will act to declare it illegitimate.
Maria Grazia Romano and Floriana Tagliaferro