The European Data Protection Board this year published a comprehensive case digest analysing how legitimate interest under Article 6(1)(f) of the General Data Protection Regulation has been applied – and frequently misapplied – across 62 One-Stop-Shop decisions and 5 EDPB binding decisions issued between December 2018 and June 2025. Authored by Dr. TJ McIntyre under the EDPB’s Support Pool of Experts Programme and submitted in December 2025, the 29-page report cuts through years of regulatory decisions to surface patterns that have direct consequences for any organisation processing personal data in the European Economic Area.
The report is not a guideline or a binding instrument. It is an analysis. But its findings are uncomfortably specific, and the picture it paints is of controllers who systematically underestimate what the balancing test requires, who treat legitimate interest as a flexible fallback rather than a carefully documented legal basis, and who routinely fail at the most basic procedural level: conducting the assessment before the processing begins.
Three cumulative conditions – all three must hold
Article 6(1)(f) GDPR establishes a three-part test that controllers must satisfy in sequence. First, the controller or a third party must pursue a legitimate interest. Second, processing must be necessary to achieve that interest – and no less intrusive alternative may exist. Third, the interests or fundamental rights and freedoms of data subjects must not override the controller’s interest. According to the report, this third condition – the balancing test – is the stage at which the majority of controllers in the dataset stumbled.
The report draws on EDPB Guidelines 1/2024, adopted on 8 October 2024, as the primary regulatory framework. These guidelines clarify an important conceptual distinction that many controllers appear to miss: the difference between a “purpose” and an “interest.” According to the EDPB, a purpose is “the specific reason why the data are processed,” while an interest is “the broader stake or benefit that a controller or third party may have in engaging in a specific processing activity.” Conflating these two concepts was a recurring failure in the decisions reviewed.
In practice, the distinction matters enormously. A controller may have an interest in promoting its products – and may advance that interest by processing personal data for direct marketing. But that formulation requires precision. Decision EDPBI:SE:OSS:D:2025:1738 illustrates what happens without it. An online media firm, relying on advice from its consent management platform provider, stated in a cookie banner that it relied on legitimate interest to process data for profiling and precise geodata of users. When the Swedish supervisory authority asked the company to specify its legitimate interest, it could not do so, and could not demonstrate that any balancing test had been conducted. The LSA concluded that “a controller cannot disclaim the responsibility to ensure that there is a legal basis for the company’s personal data processing by referring to a supplier’s recommendations.” The case is a sharp warning to the programmatic advertising industry, where reliance on third-party consent management platforms is widespread.
The IAB Europe Transparency and Consent Framework has been at the centre of related disputes for years. Decision EDPBI:BE:OSS:D:2022:325, which concerned the TCF and real-time bidding, found that the processing purposes were “described in general terms, with the result that it was not easy for users to assess to what extent the collection, dissemination and processing of their personal data are necessary for the intended purposes.” Phrases such as “measure content performance” and “apply market research to generate audience insights” were found to lack the specificity required by the GDPR – providing, in the LSA’s assessment, “little or no insight into the scope of the processing, the nature of the personal data processed or for how long the personal data processed will be retained.”
What qualifies as ‘legitimate’?
The GDPR does not define the word “legitimate,” and the report traces how the Court of Justice of the European Union has filled that gap. In Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, decided in 2024, the CJEU addressed whether a national sports federation could sell personal data of members – names, addresses, telephone numbers and emails – to sponsors. The court rejected the proposition that a legitimate interest must have a positive legal basis to be “provided for by law,” and accepted that a purely commercial interest could qualify. But the court also held that a legitimate interest must be “lawful” in the sense of not being “contrary to the law.”
This second limb has practical teeth. The report cites the example of shadow blocking – the practice of reducing the visibility of users’ posts without their knowledge. Decision EDPBI:LT:OSS:D:2024:1361 concerned an online second-hand clothing marketplace that restricted user visibility without disclosure. The LSA accepted that preventing abusive users could in principle constitute a legitimate interest. But the Digital Services Act, which came into force after the underlying events, now explicitly prohibits shadow blocking under Article 17. The report notes that this illustrates a situation where the interest pursued “would now be ‘contrary to the law’ and incapable of constituting a legitimate interest before even reaching the necessity and balancing tests.”
The same decision was subsequently upheld by the Lithuanian Regional Administrative Court, which held that “the essence of shadow blocking, i.e. the deliberate non-disclosure of information to the user, goes contrary to the principles of GDPR, specifically the principle of lawfulness.”
The range of interests that supervisory authorities have accepted as legitimate in principle is broad. GDPR Recitals 47 to 50 provide a non-exhaustive list including fraud prevention, direct marketing, intra-group data transfers, and network security. More recently, EDPB Opinion 28/2024 on AI models, adopted on 17 December 2024, stated that controllers may have a legitimate interest in developing AI systems to assist users, detect fraudulent content or behaviour, or improve threat detection in information systems. The EDPB’s AI opinion was significant for the marketing technology industry because it addressed, for the first time in formal guidance, how the three-part legitimate interest test applies to AI model development – a question of immediate relevance to companies building targeting, optimisation, and measurement tools.
Legitimacy in principle, however, does not automatically translate to legitimacy in fact.
The necessity test is where many controllers fail
The report’s second major finding is that even controllers who establish a legitimate interest in principle frequently fail the necessity test. The standard is demanding: the controller must demonstrate that the legitimate interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of data subjects’ fundamental rights.
Several decisions illustrate this in concrete terms. The EDPB’s Urgent Binding Decision 01/2023 against Meta Platforms Ireland found that there are “realistic, less intrusive alternatives to online behavioural advertising, making the processing at stake not necessary.” That decision, adopted on 27 October 2023, was the culmination of a lengthy enforcement sequence. The ban on Meta’s behavioural advertising on the basis of legitimate interest and contract across the entire European Economic Area marked a significant turning point for the programmatic advertising industry.
Decision EDPBI:ES:OSS:D:2021:338 found that a hotel’s use of guest photographs to prevent fraud was not strictly necessary, because other measures – checking surnames, room numbers, or requiring signatures – could achieve the same purpose. Decision EDPBI:DEBE:OSS:D:2022:477 found that forcing customers to provide a phone number for customer service was not necessary, because email was an equally effective and less intrusive alternative. In both cases, the controller’s chosen technical approach determined the outcome, and in both cases, a different technical approach would have satisfied the test.
The Worldcoin case, EDPBI:DEBY:OSS:D:2024:1594, contains the report’s most technically detailed necessity analysis. The Worldcoin Foundation sought to use iris scans as the basis for an internet-wide identity system and sought to retain biometric iris codes even after account closure, partly to prevent banned users from re-registering under a new identity. The Bavarian LSA accepted the principle: online services have a legitimate interest in “protecting the integrity of their online spaces.” But the implementation failed the necessity test because Worldcoin’s approach placed “every user under general suspicion of being blocked without the actual existence of such a block.” The LSA identified a less intrusive alternative: contacting linked services to verify whether a block existed for a particular user, rather than retaining the iris codes of all users who closed their accounts. The decision attracted significant attention in Spain, where the AEPD issued a formal preventive warning to Tools for Humanity GmbH in February 2026 as the company prepared to relaunch iris-scanning activities in Barcelona.
The Worldcoin decision is notable for another reason. The LSA discussed at length the concept of a “right to lie” – the proposition that biometric identification systems deprive data subjects of the ability to conceal information in response to unjustified or illegal demands. The LSA cited the example of German labour law, under which employees have the right to lie in response to questions about pregnancy, illness, trade union membership, or religious affiliation that are unrelated to work. Biometric data, the LSA concluded, removes this option entirely and thereby affects informational self-determination under Articles 1 and 2(1) of the Basic Law of the Federal Republic of Germany.
The balancing test and reasonable expectations
The third condition – the balancing test – requires controllers to assess whether data subjects’ interests, rights, and freedoms override the controller’s legitimate interest. According to EDPB Guidelines 1/2024, the test must consider: the data subjects’ interests, fundamental rights and freedoms; the impact of the processing; the reasonable expectations of data subjects; and the results of the final balancing, including any mitigating measures.
Reasonable expectations emerged as the most commonly cited failure mode in the balancing test across the decisions reviewed. Failure to meet transparency requirements under Articles 13 and 14 GDPR frequently resulted in a finding that data subjects could not reasonably have expected the processing in question.
Decision EDPBI:FR:OSS:D:2024:1257 involved a chain of mobile phone stores that purchased consumer contact details from data brokers to make promotional calls and send SMS messages. The French supervisory authority found that the data brokers had not indicated to data subjects at the time of collection with whom their data could be shared. Consequently, “data subjects could not reasonably expect to receive commercial prospecting offers from this company,” and legitimate interest failed as a legal basis.
The decision has a direct parallel to a common practice in digital advertising: the purchase of audience data from third-party data brokers for targeting purposes. The question of whether data subjects can reasonably expect their data to be used for advertising by companies with whom they have no relationship is precisely the kind of issue that supervisory authorities are applying the balancing test to examine. The Belgian Market Court’s confirmation in May 2025 that IAB Europe violated multiple GDPR provisions in the operation of the TCF – including failures around legal basis and transparency – is part of the same regulatory current.
One decision cuts against the general trend. In EDPBI:SE:OSS:D:2022:506, a company forwarding order details to a third-party fraud prevention service did not disclose the specific provider in its privacy notice, referring only to unspecified “external sources.” The Swedish LSA found this insufficient under Article 13(1)(e) GDPR. Yet it accepted that credit-based purchasing was a context in which data subjects could reasonably expect such processing to occur, describing the transparency failure as a “minor deficiency.” This illustrates a point made in EDPB Guidelines 1/2024 that “reasonable expectations do not necessarily depend on the information provided to data subjects” – a qualification that the report notes has been applied inconsistently across Member States.
Decision EDPBI:CZ:OSS:D:2022:1278 involved an antivirus software provider that shared pseudonymised information on approximately 100 million users, including web browsing histories, with another company in its corporate group for statistical analysis and onward sale. The Czech LSA found that users could not have expected this. Users buy antivirus software to protect their data and privacy. The controller marketed its products on those grounds. Public outcry after the data sharing emerged was itself treated as evidence that users were surprised. The case highlights the extent to which the reasonable expectations test is anchored in the controller-data subject relationship and the representations the controller has made to users – a consideration with clear implications for any data company marketing itself on privacy grounds.
Recurring themes: retroactive reliance and ePrivacy overlap
Two structural issues recur across the dataset. The first is the question of whether controllers can retroactively change their legal basis to legitimate interest when a supervisory authority rejects the original basis. The dominant position in the decisions is that they cannot. Decision EDPBI:ES:OSS:D:2021:338 states the reasoning clearly: without information about the balancing test, “the data subject is deprived of his or her right to know what those legitimate interests alleged by the controller or of a third party would justify the processing without his/her consent being taken into account.”
There is an outlier. Decision EDPBI:EE:OSS:D:2025:1791 involved a ride-hailing company that had relied on Article 6(1)(b) GDPR – performance of a contract – to record driver ratings of passengers. The Estonian DPA permitted the company to change its legal basis to legitimate interest retroactively, on the basis that the prior terms had referred in a general way to legitimate interest for safety and security purposes, and because the controller reworked its practices extensively, with LSA input, to address the deficiencies. The revised system introduced a detailed explanation of the rating process, a right to challenge ratings, in-app features informing passengers of rating consequences, restrictions on which employees could view ratings, and human review of automated account suspensions. The Estonian DPA concluded that these measures were sufficient to justify the retroactive basis change.
The second structural issue is the overlap between the GDPR and the ePrivacy Directive. The ePrivacy Directive generally requires informed consent for cookie use, excluding legitimate interest as a legal basis for cookie placement. Yet the GDPR’s one-stop-shop mechanism does not extend to ePrivacy enforcement, which is handled by different national regulators in many Member States. Decision EDPBI:SE:OSS:D:2025:1738 illustrates the resulting complexity: the Swedish LSA found it could not assess the legality of cookie storage because that was reserved to the telecommunications regulator, but took the view that the ePrivacy consent requirement should be factored into the subsequent GDPR balancing test. The TCF’s ongoing compliance pressures – including a doubling of vendor enforcement procedures to 587 in 2025 – reflect precisely this complexity, as the framework sits at the intersection of both regimes.
Consumer finance and sector-specific patterns
Consumer finance occupied a disproportionate share of the OSS decisions, with recurring patterns around credit checks, reporting to default registries, public identification of debtors, and debt collection tactics.
Several decisions involving the online retailer Zalando established that retailers have a legitimate interest in conducting credit checks before concluding a transaction on invoice. But the decisions imposed strict conditions. According to EDPBI:DEBE:OSS:D:2024:1280, a credit check was acceptable only after a customer had “placed goods in the basket, entered his delivery and invoice address, selected in the checkout process ‘Purchase on invoice’ and confirmed this input by clicking on the ‘further’ button.” Safeguards against accidental selection of a credit payment option were mandatory. Decision EDPBI:DEBE:OSS:D:2024:1279 treated a requirement to enter a social security number prior to completing a credit transaction as an appropriate safeguard.
Reporting to credit default registries was addressed in several decisions that emphasised the need for case-by-case assessment. A blanket policy of referring all unpaid debts to a credit default registry was found incompatible with Article 6(1)(f) GDPR. Public identification of debtors online produced divergent outcomes. Decision EDPBI:CZ:OSS:D:2019:56, involving a company that published debtors’ partial names and amounts owed on its website and Facebook profile, rejected the practice on necessity and proportionality grounds. “In countries where the rule of law applies,” the Czech LSA stated, debt collection “must be carried out in a way foreseen by law and not by public denunciation of the debtors.” By contrast, the Estonian and Polish authorities reached different conclusions on similar facts in EDPBI:EE:OSS:D:2023:885, reflecting underlying differences in national law and practice.
Antivirus data, rental scooters, and flight tracking
The decisions span a remarkably wide range of factual contexts beyond consumer finance. In the rental vehicle sector, the French supervisory authority addressed a car rental company collecting geolocation data at 500-metre intervals, each time the engine was turned on or off, or each time a door was opened. This data was transmitted in real time and stored for the entire duration of the commercial relationship plus three years. The LSA found this excessive. A separate decision concerning an electronic scooter rental company that collected location data from each scooter every 30 seconds, stored for 24 months, reached the same conclusion.
The scooter decisions also produced one of the more unusual findings in the dataset. Decision EDPBI:EE:OSS:D:2023:785 concerned a scooter that logged the weight of riders on each trip, sending an alert if the detected weight exceeded 1.4 times the median weight recorded for that user on previous trips. The controller relied on the legitimate interest of promoting rider safety by deterring tandem use. The Estonian LSA accepted this, finding that weight monitoring was less invasive than alternatives such as video surveillance, and noting that the alert was a warning only – it did not stop the scooter or restrict the user.
In aviation, decision EDPBI:SE:OSS:D:2025:1825 addressed Flightradar, which tracks aircraft worldwide in real time and historically. The Swedish LSA accepted that Flightradar could rely on third-party legitimate interests in tracking global air traffic, partly because aviation industry research, media reporting, and national authority use of the data gave the service a quasi-public dimension. But the LSA declined to extend this to the fact that police have used the data for criminal investigations, citing Case C-252/21, Meta Platforms v Bundeskartellamt for the proposition that “a controller that primarily pursues an economic interest cannot, as a general rule, rely on a legitimate interest in processing personal data for the purposes of preventing, detecting or prosecuting criminal offences, when this is unrelated to its commercial activities.”
What the digest means for marketing and advertising professionals
For marketing professionals working across the EEA, the digest has several direct implications. The consistent finding that vague statements of legitimate interest – including language characteristic of standard vendor contracts and cookie banners – fail the specificity requirement means that any organisation relying on legitimate interest for advertising-related processing should audit its legitimate interests assessments against the specificity standard established by EDPB Guidelines 1/2024.
The decisions on behavioural advertising and data broker purchasing confirm that this category of processing faces a high bar under the necessity and balancing tests. The EDPB’s 2024-2025 work programme had identified legitimate interest as a specific topic for further guidance, and the case digest now provides the most detailed empirical picture yet of how supervisory authorities have applied the concept in practice.
The TCF v2.3 migration passed its mandatory deadline on 1 March 2026, with Google confirming that non-compliant publishers now face ad requests defaulting to limited ads. The digest’s findings on cookie processing, the ePrivacy overlap, and the risks of delegating compliance responsibility to consent management platform providers are directly relevant to publishers and vendors navigating the post-deadline landscape. The DMA-GDPR joint guidelines under consultation – with over 100 submissions published on 13 March 2026 – add a further layer, with the draft guidelines making clear that legitimate interest cannot serve as the legal basis for cross-service data combination by gatekeepers.
The digest closes with two observations that are likely to occupy regulators and practitioners for some time. One is the choice of law problem in cross-border cases: the OSS mechanism identifies the lead supervisory authority but does not prescribe which Member State’s law applies when national standards on matters such as debt collection differ. The other is the practical harm caused by the split between GDPR and ePrivacy enforcement – a division the report suggests should be resolved by bringing ePrivacy enforcement within the GDPR cooperation and consistency mechanism.
Timeline
- December 2018: Earliest decisions included in the dataset are adopted.
- 9 April 2014: Article 29 Working Party Opinion 6/2014 on legitimate interest published.
- 21 February 2014: Polish Supreme Administrative Court decision on debtor data publication (ref. I OSK 2463/12), influencing later cross-border OSS decisions.
- 2 February 2022: Belgian DPA finds TCF non-compliant with Article 6 GDPR, imposing €250,000 fine on IAB Europe.
- 28 July 2022: EDPB Binding Decision 2/2022 on Meta Instagram child users published.
- 27 October 2023: EDPB Urgent Binding Decision 01/2023 instructs Irish DPA to ban Meta’s behavioural advertising on basis of legitimate interest and contract across EEA.
- 8 October 2024: EDPB Guidelines 1/2024 on legitimate interest under Article 6(1)(f) GDPR adopted.
- October 2024: CJEU decides Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, accepting purely commercial interests can qualify under Article 6(1)(f) GDPR.
- 17 December 2024: EDPB Opinion 28/2024 on AI models published, identifying legitimate interests in AI development.
- 16 October 2025: Cut-off date for inclusion of decisions in the digest.
- 3 November 2025: Google mandates TCF v2.3 migration by February 2026.
- December 2025: EDPB case digest submitted under Support Pool of Experts Programme.
- 13 February 2026: AEPD issues preventive warning to Tools for Humanity ahead of Barcelona iris-scanning relaunch.
- 1 March 2026: TCF v2.3 mandatory deadline passes; Google confirms non-compliant publishers face limited ads.
- 13 March 2026: European Commission and EDPB publish over 100 submissions on draft DMA-GDPR joint guidelines.
Summary
Who: The European Data Protection Board (EDPB), through its Support Pool of Experts Programme, commissioned the report from Dr. TJ McIntyre. The decisions reviewed were issued by national supervisory authorities from across the EEA acting as lead supervisory authorities under the GDPR’s One-Stop-Shop mechanism, and by the EDPB itself under Articles 65 and 66 GDPR.
What: A 29-page case digest analysing 62 OSS decisions and 5 EDPB binding decisions related to legitimate interest under Article 6(1)(f) GDPR, covering the three-part test, sector-specific patterns in consumer finance, anti-fraud, vehicle tracking, and aviation data, and two novel structural issues: retroactive reliance on legitimate interest and the overlap with the ePrivacy Directive.
When: The decisions covered were adopted between December 2018 and June 2025. The cut-off date for inclusion was 16 October 2025. The report was submitted in December 2025 and published today, 29 March 2026.
Where: The decisions span the European Economic Area, with lead supervisory authorities from Estonia, Sweden, Spain, Belgium, France, Czech Republic, Malta, Lithuania, Germany, Norway, Poland, and other Member States. The structural issues identified have relevance across all 27 EU Member States plus the EEA.
Why: The digest was commissioned to provide supervisory authorities and practitioners with a consolidated view of how Article 6(1)(f) GDPR has been applied in cross-border cases, identifying common failure modes, novel legal issues, and tensions between the GDPR and ePrivacy Directive. For the marketing and advertising industry, the digest is significant because many common data processing practices – including behavioural targeting, data broker purchasing, cookie-based profiling, and fraud prevention – have been directly addressed in the decisions analysed.