Greetings from The Netherlands!
Last Wednesday, the Council of State, the top administrative court that oversees all fines issued by the Dutch data protection authority, Autoriteit Persoonsgegevens, published its ruling in the VoetbalTV case. After two and a half years of intense debate about the AP's 2019 guidance that mere commercial interests could never serve as legitimate interests, it was expected the Council of State would end this debate.
In 2020, the AP fined VoetbalTV, a joint venture between the Royal Dutch Soccer Association and Dutch media giant Talpa Network, 575,000 euros for failure to show a legitimate interest to justify its business case about installing streaming TV cameras around amateur soccer fields. Afraid that such cameras would cause harm to kids playing soccer, the AP started an investigation into the business practices and concluded that VoetbalTV only pursued mere commercial purposes. This contributed to the bankruptcy of VoetbalTV as its sponsors withdrew due to the AP's decision.
In 2021, a district court ruled the AP failed to properly apply the legitimate interest test and found in favor of VoetbalTV. The AP appealed this decision before the Council of State.
The Council recalled the three-step test the Court of Justice of the European Union applies to Article 6(1)(f) of the EU General Data Protection Regulation — legitimacy, necessity and balancing of interests. And, it is "up to the controller to state what the interest in the processing is, why that processing is necessary and that he must act accordingly. It is up to the AP to assess what the controller actually does, to see whether the stated interests correspond to this and whether they are actually represented by the processing and whether these are justified, [..] all of which are part of step 1."
The Council then concluded the AP had not taken all relevant interests into account, such as the interests of the players, trainers, and people watching the games — interests that are obviously not "mere commercial." And because the AP, in its investigation, had not looked into the necessity and the balancing of interests, it could not have reasonably concluded that VoetbalTV had no legitimate interest. Therefore, the AP's decision violated the "general principles of good government," which are the cornerstone of Dutch administrative law, so the Council annulled the AP's decision.
Although the Council of State's judgment meant a major win for VoetbalTV, which does not have to pay the fine, it left many privacy professionals in shock by not reviewing the AP's guidance that mere commercial interests can never qualify as legitimate interests.
Neither did the Council consider asking preliminary questions about the concept of legitimate interest to the Court of Justice of the European Union. The Council explained that in accordance with the Cilfit criteria, this was not necessary to rule on the case, as an answer by the Court, whatever it would be, would not change the outcome of the VoetbalTV case. This means the AP's legitimate interest guidance is not off the table.
The ball is now in the court of the AP and the European Data Protection Board as we await the EDPB's opinion on legitimate interest. A leaked letter by AP chairman Aleid Wolfsen in response to a letter from the European Commission on the matter gives some insight into why the AP has taken this position (the AP's letter has now been taken offline).
It boils down to the question of to what extent the requirement "provided for by law" in Article 52 of the Charter of Fundamental Rights of the EU should be applied to the private sector. According to the AP, there should be no exception for the private sector as data protection laws would be treated differently from other fundamental rights. Therefore, an interest can only be legitimate if recognized by law. Basically, the AP takes the view that the principle that in a free society, private sector actors may do anything except what is prohibited by law should not apply to data protection law. This issue is much bigger than the GDPR and should require a thorough review by the Court of Justice of the European Union.
