Following the ruling in C-394/23 (“Mousse”), should common practices and social conventions be entirely disregarded when assessing legitimate interest under GDPR? In this article, I briefly explain why I believe such aspects can still be considered.
Legitimate interest is arguably the most widely used legal basis to process personal data for commercial purposes. As a result, its scope is particularly important for businesses.
The European Court of Justice (ECJ) has in several cases confirmed the need to apply the three-step test, known as the Legitimate Interest Assessment (LIA), to determine whether legitimate interest can be relied upon as a legal basis pursuant to GDPR.
The LIA consists of the following steps:
- Legitimacy – The interest pursued by the data controller must be legitimate.
- Necessity – The processing of personal data must be necessary for achieving that interest.
- Balancing test – The rights and freedoms of individuals must not outweigh the legitimate interest of the data controller.
ECJ’s stance on common practices and social conventions
In case C‑394/23, the association Mousse filed a complaint against the French company SNCF Connect for requiring customers to specify their title (“Monsieur” or “Madame”) when purchasing tickets via the company’s digital platform.
SNCF Connect argued that common practices and social conventions (in France) should be considered when assessing whether the processing of the customer’s title was necessary. In support of this, the company cited recital 4 of GDPR, which highlights the importance of preserving linguistic and cultural diversity. However, the ECJ rejected this argument, stating that such common practices and social conventions are not relevant in this context. The court further noted that customers do not generally expect a company to collect information about their title or inferred gender identity when purchasing a train ticket.
While the ECJ excluded common practices and social conventions as a relevant factor, it did so in relation to the necessity of the data processing. The final assessment of whether customers could reasonably expect their title and gender identity to be processed by SNCF Connect was left to the national court (see paragraphs 56–59 of the above-mentioned case).
What does this mean?
In my view, the ECJ’s ruling in C-394/23 does not mean that common practices and social conventions should be entirely disregarded when determining legitimate interest under Article 6.1(f) GDPR. Rather, their relevance has been shifted to the last step in the LIA.
In other words, while common practices and social conventions cannot be considered in the necessity test (step 2 of the LIA), they can still play a role in the balancing test (step 3 of the LIA) as one of several factors in assessing data subjects’ reasonable expectations. The potential significance of such norms should not be overlooked, particularly since the European Data Protection Board’s (EDPB) draft guidelines on legitimate interest (1/2024) emphasize the importance of reasonable expectations in the balancing test. It should be noted, however, that the first and current version of these guidelines was drafted prior to this case.