ANPD Brazil Publishes Guide on Legitimate Interest Under LGPD
On February 2, 2024, the National Data Protection Authority (ANPD) of Brazil released a Guide on the Legal Hypotheses of Data Processing, focusing on Legitimate Interest. According to the press release, the guide aims to elucidate the application of legitimate interest for data controllers and third parties, ensuring clarity in interpretation, application, and compliance within the legal framework of the LGPD. It introduces a structured approach to the balancing test, essential for assessing legitimate interest against data subjects' rights. This initiative by the ANPD is set to enhance transparency, predictability, and legal certainty for entities processing personal data under the LGPD's provisions.
Legitimate interest under Brazil's LGPD allows for non-sensitive personal data processing when it serves the legitimate interests of the controller or a third party without infringing on the data subject's fundamental rights. This requires a detailed case-by-case analysis to ensure compliance with the law and protection of data subjects' rights. The guidance clarifies how this legal basis applies, including a balancing test to assess the legitimacy of interests against the data subject's rights, aiming to provide legal security and predictability for data processing activities.
The guide also offers definitions and interpretation parameters for:
- nature of the personal data;
- fraud prevention and security, and the balancing test;
- personal data of children and adolescents;
- legitimate interest;
- interest of the controller and third parties;
- fundamental rights and freedoms;
- legitimate expectations of the holder; and
- necessity, transparency and recording of operations.
In addition to these, it offers examples. In the case of personal data of children and adolescents, the Guide explains that such processing “based on the hypothesis of legitimate interest tends to be more appropriate in situations in which there is a prior and direct relationship between the controller and the data subjects and when the processing aims to ensure the protection of their rights and interests or to enable the provision of services that benefit them. If these conditions are not present, the controller must adopt additional caution, evaluating the existence of alternative and less invasive forms for the holders.”
The example offered in this section is entitled ‘Data of children and adolescents and school wi-fi network’ and presents the following situation:
A school collects personal data from students when they access the ‘wi-fi’ network available on site. The collection of personal data is carried out for the purpose of enabling access to the network and ensuring the safety of children and adolescents in the digital environment. The school asked whether it would be necessary to obtain the consent of legal guardians or if it would be possible to use another legal hypothesis, such as legitimate interest.
The Guide’s analysis of this clarifies the following:
In a preliminary analysis, there are indications that the collection of personal data mentioned in the example can be carried out based on the legitimate interest of the controller - in this case, the school itself, which has a prior and direct relationship with its students. In addition, the collection is justified for the safety of appropriate authentication in the school network, in order to prevent undue access to certain content or to identify a child who accessed a particular page at a specific time. To confirm the adequacy of the legal hypothesis of legitimate interest to the specific case described, it is necessary to assess whether the best interests and fundamental rights of the holders are prevailing, in the specific case. To do so, a balancing test should be performed, according to the guidelines presented in this Guide.
Regarding legitimate interest in the public sector, the guide says that legitimate interest has restricted use within the public sector for personal data processing. Public bodies should generally avoid using it, especially for compulsory processing or fulfilling legal duties, due to the imbalance between state power and individual rights. Instead, other legal bases aligned with public policy execution or legal obligations are recommended. However, legitimate interest can be considered in specific non-compulsory cases, ensuring a balance between the interests of the controller or third party and the rights of the data subjects.
For government data processing, using legitimate interest as a basis is generally discouraged except in specific, non-compulsory scenarios. The guide mandates transparent processing, upholding data subjects' fundamental rights by clearly communicating processing purposes, ensuring data access, and implementing adequate security measures for data protection.
The document outlines a three-phase balancing test for processing data based on legitimate interest under the LGPD. Phase 1 focuses on the purpose of processing, ensuring it doesn't involve sensitive data or adversely affect children and adolescents. Phase 2 assesses the necessity of processing for the intended purpose, advocating for minimal data use. Phase 3 involves balancing the controller's interests against the data subjects' rights, emphasizing minimizing potential negative impacts and adopting safeguards to respect fundamental rights. This process ensures processing aligns with the principle of necessity and respects data subjects' legitimate expectations and rights.
The LGPD's Article 11, ii, g, permits the processing of sensitive personal data for fraud prevention and security during electronic system registration and identification. Like the legitimate interest clause, this requires a balancing test to ensure it doesn't overshadow data subjects' fundamental rights and freedoms. If this test shows that fundamental rights prevail, processing under this legal basis should not proceed. Thus, the principles of conducting a balancing test for legitimate interest also apply here, highlighting the need for careful evaluation when processing sensitive data for security purposes.