
Companies abuse a loophole in data protection law

19 December, 2012


Personal data of internet users is often processed on a legal basis too weak to provide real protection of the users' right to privacy. On 11 December 2012, EDRi member Bits of Freedom published a report about the flaws of the so-called "legitimate interest" ground as a basis for data processing.

This ground is the last of six grounds included in Article 7 of the Data Protection Directive (95/46/EC). Data controllers are free to choose on which of these six grounds they base the processing of personal data, provided the data does not fall under a specific consent regime (such as sensitive data or location data). Processing based on legitimate interest allows data controllers to process personal data without the consent of their users, provided that the interests of the data controller or third parties are weighed against the interests and rights of these users.

In practice, this legal ground creates a loophole in the data protection regime. Bits of Freedom's report demonstrates that the use of the "legitimate interest" ground by companies such as Facebook and Google leads to the over-collection of personal data, as such companies often let their own interests prevail over the interests of their users. The balance test is not subject to any authorization, and users are not in a position to effectively challenge the test. This means that in practice, a company is free to collect a lot of personal information without the users' consent.

As addressed in the latest EDRi-gram, the consequences of wrongful data processing can be very severe. The BoF report presents recommendations to fix this loophole in data protection law. European data protection rules are currently under debate in Brussels. These rules should generally provide better protection of the rights and interests of users. Processing based on the legitimate interest ground should be limited, and the right to object to processing based on legitimate interest must be improved.

A loophole in data processing (11.12.2012)

ENDitorial: What could possibly go wrong? (5.12.2012)

(Contribution by Janneke Slöetjes - EDRi member Bits of Freedom - Netherlands)




With financial support from the EU's Fundamental Rights and Citizenship Programme.