Public Consultation on Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR

Contribution of the Association of Finnish Cities and Municipalities to the EDPB’s public consultation on the draft Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR.

1. Application of legitimate interest as basis for 
processing

Article 6(1) second intent GDPR provides that legal basis under Article 6(1)(f) shall not apply to processing carried out by public authorities in the performance of their tasks. Recital 47 of the GDPR clarifies that it is for the legislator to provide by law for the legal basis for public authorities to process personal data.

The draft guidelines published by the EPDB states, however, that these provisions do not prevent public authorities from relying, in exceptional cases, on Article 6(1)(f) GDPR when the processing is not linked to or does not relate to the performance of their specific tasks or the exercise of their prerogatives as public authorities, but concerns, where permitted by the national legal system, other activities that are lawfully carried out. (p. 28)

It is also stated in the draft guidelines that interests of the wider community, as these interests are mainly subject to the justifications provided for in Article 6(1)(e) or (c), if controllers are tasked or required by law to preserve or pursue such interests, are not to be confused with interests of third parties mentioned in the Article 6(1)(f) GDPR. According to the draft guidelines, where a controller carries out further activities which do not fall within such specific legal obligations set out in laws and regulations, it needs to demonstrate, that this is done in pursuit of the controller’s own legitimate interests or those of specific third parties. In any event, a legitimate interest may not be invoked with the aim or effect of circumventing legal requirements. (p. 11)

The scope and applicability of Article 6(1)(f) GDPR in relation to processing carried out by public authorities is important. Finnish cities and municipalities form, as organisations, complex authority-led groups consisting of authorities as partly separate controllers but with common tasks provided for by law, of enterprises and companies operating owned by the authority and operating on and off the market and of different forms of bodies for cooperation between authorities. Questions relating to legitimate interests are of uttermost importance for the development of services within these structures.

The Association of Finnish Cities and Municipalities (AFCM) therefore strongly encourages the development of the draft guidelines in the lines of processing of personal data by public authorities. We wish for, for instance, concrete examples of situations in which public authorities could rely on Article 6(1)(f) as a legal basis for processing - even if those cases are exceptional and limited.

2. Functions of municipalities

Cities and municipalities organise many services and process personal data within the context of their duties. In Finland, most of these tasks are provided for by law, but in addition to these statutory tasks, cities and municipalities may provide services voluntarily. The freedom to provide services not provided for by law is based on section 7 of the Local Government Act (410/2015), according to which:

Municipalities shall perform functions that they choose for themselves by virtue of their self-governing status and shall arrange the functions provided for them separately by law. The law also specifies when functions have to be arranged in cooperation with other municipalities (statutory joint responsibility).

Municipalities may, on the basis of an agreement, also perform public functions other than those which pertain to their self-governing status.

From the perspective of Finnish local authorities, it is still unclear whether Article 6(1)(f) GDPR is applicable in the context of voluntary tasks of cities and municipalities. There is also uncertainty regarding the relationship between Article 6(1)(f) and Article 6(1)(e) GDPR in relation to said tasks.

In the WP29 Opinion 06/2014 it is stated that Article 7(e) of Directive 95/46/EC has similarities with Article 7(f), and in some contexts, especially for public authorities, Article 7(e) may replace Article 7(f) (p. 22). It is also stated in the Opinion 06/2014 that if the provision of legitimate interests in (at the time draft) Article 6(1)(f) GDPR is enacted and will be interpreted broadly, so as to altogether exclude public authorities from using legitimate interest as a legal ground, then the ‘public interest’ and ‘official authority’ grounds of Article 7(e) would need to be interpreted in a way as to allow public authorities some degree of flexibility, at least to ensure their proper management and functioning (p. 23). In addition, it is stated in the Opinion 06/2014 that narrow interpretation would mean that processing for proper management and functioning of these public authorities would fall outside the scope of 'processing carried out by public authorities in the performance of their tasks'. As a result, processing for proper management and functioning of these public authorities could still be possible under the legitimate interest ground. (p. 23)

In the reading of AFCM, the current draft guidelines seem to advocate a rather narrow interpretation of as well Article 6(1)(e) and (f). This narrowness, in combination with the broad range of tasks legally carried out by the Finnish local authorities, the complex model of organisation encompassing enterprise-like structures and the need for access to personal data also outside the tasks provided for by law, such as for interests of planning, developing and monitoring the functions withing the “authority-led enterprise” poses a critical challenge.

For example, cities and municipalities process personal data to organise, allocate and develop their services. The development of services is generally considered to fall within the scope of the controller's legitimate interest. In legal literature (see Tomi Voutilainen: Regulation of Digital Services 2023, p. 91), it has been considered that the development of a service used by a public authority by making use of the personal data processed in the service would fall within the scope of the Article 6(1)(e) GDPR, if the processing relates to the performance of its specific tasks provided for by law. However, this interpretation can also be contested at as well national as EU-level. 

3. Municipalities as groups of enterprises

Secondly, the AFCM considers it unclear whether the legal basis of legitimate interest could be applied not only when transmitting personal data within the group of undertaking for internal administrative purposes but also when transmitting personal data for such purposes within the municipal enterprise group. A municipal enterprise group refers to an economic unit formed by a municipality (head corporation) and one or more legally independent corporations, in which the municipality either alone or with other corporations belonging to the municipal enterprise group has the majority of votes in one or more of the corporations. Further, as the authority itself may consist of several controllers, the legal basis of legitimate interest should be examined also from the point of view of processing and sharing personal data between controllers under the same authority.

Also, whereas the draft guidelines deal quite extensively with the topic of direct marketing, guidance would also be useful for situations where it is a question of sending or targeting other types of communications than commercial marketing to individuals. For example, in the EDPB guidelines 8/2020 the focus is mainly on private sector organisations, and these guidelines refer to Article 6(1)(a) and (f) as applicable legal bases for processing. Similar guidance to the public authorities is needed, and the AFCM was pleased to see a mention of the Guidelines on the use of social media by public bodies in the EDPB Work Programme 2023/2024. The AFCM hopes that these guidelines will be soon published, as public authorities also increasingly use or plan to use social media, for example, to distribute general administrative information.

As authorities as controllers must ensure that the processing of personal data within the scope of their tasks is undertaken in a lawful manner, uncertainties to this extent often equals refraining from also necessary processing of personal data. As administrative sanctions are on the table also for public authorities in Finland, AFCM considers it urgent to clarify some of the most unclear legal issues relating to the use of legitimate interest by public authorities. AFCM welcomes the draft guidelines, but strongly encourages their further development especially taking into account the position of public authorities.
 

ASSOCIATION OF FINNISH CITIES AND MUNICIPALITIES
 

Ida Sulin                                              
Senior Lawyer                                                          

Oona Ojajärvi
Lawyer