Organisations must prove legitimate interest when processing user data: Irish DPC

We missed this earlier: The Irish Data Protection Commission (DPC) reprimanded and ordered Airbnb Ireland UC on July 20, 2023 to revise its internal policies and procedures in responding to a data protection rights request, for violating sections of the GDPR. Notedly, this case takes a closer look at ‘legitimate interest’ and the circumstances in which an entity can use it to justify processing of personal data.

What is legitimate interest? Introduced in the General Data Protection Regulation (GDPR), legitimate interest is one of the lawful bases for processing personal data. It allows organizations to collect and process personal data without the explicit consent of the user under certain conditions. However, organizations must prove that they have a valid and lawful reason for processing data under legitimate purpose and that the reason outweighs user’s rights and interests.

Why it matters: Like ‘legitimate interest’ under GDPR, India’s Digital Personal Data Protection (DPDP) Act, 2023 also has a clause on ‘certain legitimate uses.’ This clause too exempts entities from seeking user consent. While the Indian version lays down eight specific situations in which this clause may be used, the decision made by the Irish DPC highlights how entities need to  prove that they have satisfied the conditions to warrant the use of such concepts that is still important in understanding the importance for organisations to justify the use of such a concept that infringes on people’s right to privacy and protection of personal data.

A user’s long legal battle in exercising basic rights

Although the DPC heard the matter on December 22, 2022, the complainant from Berlin, Germany had mailed to Airbnb two erasure requests in 2015. After the company failed to respond to these requests, the user emailed them again in 2018 with an access request. Specifically, he demanded the following:

• That his account should be deleted to avoid any misunderstandings
• An explanation for not deleting the account already
• His personal information stored by Airbnb
• The source of this data
• The legal basis on which the company obtained this data
• The entities with whom this data was shared

Elaborating on the latter, he also expressed an objection to transfer of his data to third parties. In response, Airbnb asked the user verify his identity by providing a photocopy of his ID. However, the user refused to share the ID by saying, “Neither for the initial registration, nor for bookings or the deletion of the account is or was the sending of a copy of an ID required.” The company ultimately sent an email with the requested information. Again, the user alleged that the data was incomplete and lacked clarity as it was in English. Airbnb then verified the user through a telephone call. When asked about the initial request for the user’s ID, Airbnb said they had asked for the same under “legitimate interest.”

No legitimate interest for requesting a copy of the ID: When the matter finally reached the Irish DPC (overseeing the region where Airbnb has its headquarters) it considered two questions on the question of legitimate interest:

1. “Whether Airbnb had a lawful basis for requesting a copy of the Complainant’s ID, and upon their refusal to provide same, whether Airbnb had a lawful basis to thereafter request a telephone call in order to verify the Complainant’s identity in circumstances where he had submitted a request for access and erasure pursuant to Articles 15 and 17 GDPR?
2. Whether Airbnb’s obligation to provide information on action taken in response to the access and erasure requests without undue delay pursuant to Article 12(3) GDPR was suspended until after the verification of the Complainant’s identity by phone call?”

The answer was no. The DPC said, “While the DPC considers that a legitimate interest does exist in Airbnb ensuring it does not disclose or delete personal data in an illegitimate or inappropriate circumstance, in the instance of this case Airbnb has not demonstrated to this inquiry that the request for a copy of the Complainant’s ID was either necessary or proportionate for the completion of the access and erasure requests as Airbnb was able to verify the Complainant’s identity through other means. The DPC is of the view that other methods were available to Airbnb at the time that would have negated the need for Airbnb to request a copy of ID. Airbnb has failed to provide evidence in this Inquiry to demonstrate that Airbnb first attempted to utilise other tools it already possessed, such as the completion of a telephone call,” said the DPC.

Article continues below ⬇, you might also want to read:

Advertisement. Scroll to continue reading.

• Sweden Slaps Spotify With $5.3 Million Fine Over GDPR Violations 
• New data protection bill may ease data localization norms: Report 
• Here’s when entities don’t need to ask for consent as per India’s Digital Personal Data Protection Bill 

Other infringement of basic rights under the GDPR noted by the DPC

Incomplete access to information: Airbnb infringed Article 15(1) of the GDPR the first time it processed the user’s access request by failing to provide access to “all of his personal data that was being processed by Airbnb on the date of receipt of his access request.” This included information on sources of the data, legal basis of the processing, etc. – all of which was shared only after the DPC’s intervention.

Inaccessible information of the processing of data: Airbnb infringed Article 12(1) of the GDPR when processing the access request because it failed to provide an access file that was “of a concise, transparent, intelligent and easily accessible form.” The user received the cover email in English rather than in German and containing abbreviated words and unsorted data that the user could not understand.

Delay in responding to user requests: Airbnb failed to provide information to the user on the actions it took after receiving the user’s access and erasure requests within one month of receipt of the requests.

“Given that Airbnb took no action for the first ten days after receipt of the requests and where it then began an unnecessary pursuit of obtaining a copy of ID from the Complainant which contributed to a further delay in actioning the requests, the DPC finds that Airbnb failed to comply in this case with the requirements of Article 12(3) of the GDPR,” said the DPC.

Violation of the data minimization principle: Airbnb’s request for an identity document to verify user identity infringed the principle of data minimization under Article 5(1)(c) of the GDPR. The DPC reasoned that the company had other “less data-driven solutions” to verify the user’s identity.

Airbnb reprimanded but not fined

While the DPC reprimanded the company and ordered it to revise its internal policies, procedures in responding to a data protection rights request, it also did not impose a fine on Airbnb as it did not consider the move “effective, proportionate and dissuasive.” Even so, this case highlights the need for entities to adhere to the specific purpose originally stated for the processing of personal data and justify the use-cases like legitimate interest.

Advertisement. Scroll to continue reading.