Balancing interests in EdTech: When is the lawful basis of “legitimate interests” justified?

By Ayça Atabey

As of September 2, 2021, all organisations that provide online services that are likely to be accessed by children must comply with the Age-Appropriate Design Code (the Code). One of the key points the Code provides concerns choosing an appropriate lawful basis for data processing activities.

Organisations must have a valid lawful basis to process personal data. Establishing the lawfulness of the processing is a starting point before assessing whether other rules under the UK General Data Protection Regulation (UK GDPR) apply. This means organisations can’t start processing personal data without having an appropriate lawful basis.

Choosing a lawful basis should not be seen as a checklist. To comply with the UK GDPR and the Code, companies should truly understand what the necessary balancing of interests exercise entails in practice, what’s at stake, and how the balancing exercise can be done in a way that ensures children’s best interests are made the priority.

Article 6(1) of the UK GDPR sets out six lawful bases. “Legitimate interests” is one of them, and is considered the most flexible lawful basis, which is widely used yet seems to be little understood in the EdTech ecosystem.

What is the ‘legitimate interests’ basis?

Article 6(1)(f) of the UK GDPR provides a lawful basis for processing where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

This doesn’t apply to processing carried out by public authorities (like schools) to perform their official tasks.

Some common examples for choosing “legitimate interests” are processing personal data for wider business purposes like product/service improvement, advertising, and fraud prevention.

When to rely on “legitimate interests”?

The Information Commissioner’s Office gives a three-part test for relying on “legitimate interests”. This test requires organisations to:

“identify a legitimate interest; show that the processing is necessary to achieve it; and balance it against the individual’s interests, rights, and freedoms”.

This means that, after identifying their own legitimate interests (e.g., business purposes like service improvement), EdTech companies may justify their choice of legal basis ONLY if the processing is necessary for their or a third party’s legitimate interests unless there is a good reason to protect children’s rights and freedoms.

What does choosing “legitimate interests” imply in practice?

According to Article 6(1)(f) of the UK GDPR, if an organisation wants to rely on a “legitimate interests” legal basis, then it must do a balancing exercise. This is because a fair balance must be struck between the legitimate interests of organisations and the interests and rights of children. If children’s rights and interests outweigh those of organisations, the organisations can’t rely on legitimate interests. Currently, this balancing assessment is left to the organisations themselves.

Organisations must make sure that they give careful consideration to choosing the “legitimate interests” basis to process children’s data. They must justify this choice with relevant documentation showing the assessment of whether a child’s interests override those of organisations.

Do children’s interests override legitimate interests?

The Code notes that the commercial interests of an organisation are unlikely to outweigh a child’s right to privacy. So, for example, using the “legitimate interests” lawful basis to process data for behavioural advertising is unlikely to outweigh children’s rights and freedoms.

“Legitimate interests” may be an appropriate legal basis for any measures or safeguards taken to protect children’s health or safety. This approach is closely linked with the Code’s “best interests of the child” standard, which puts the best interests of the child as a priority and explains:

“The placing of the best interests of the child as a ‘primary consideration’ recognises that the best interests of the child have to be balanced against other interests.”

Determining the child’s best interests is a balancing act between different rights and freedoms, which requires a good understanding of children’s rights by organisations providing online services. Reliance on “legitimate interests” is no different. It requires a good understanding of children’s rights and freedoms so that the balancing exercise (between children’s and organisations’ interests) can take place. Only after this balancing exercise might EdTech companies justify why their choice of “legitimate interests” should be valid. The ICO published guidance on how to carry out the balancing test using a Legitimate Interest Assessment.

This means that organisations must take responsibility for identifying the risks of the processing and consider what impact their processing can have on children. The Code notes that the Data Protection Impact Assessment (DPIA) is a helpful tool to assess this balance. Therefore, completing a DPIA is mandatory for all organisations falling under the scope of the Code.

What responsibilities come with “legitimate interests”?

The Code notes that if an organisation chooses to rely on legitimate interests, it is responsible for protecting children from risks that they may not fully understand or foresee. The Code’s approach mirrors Recital 38, which provides:

“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing.”

This is why when relying on “legitimate interests”, EdTech companies must ensure that children’s interests are adequately protected, and appropriate safeguards are in place. So, EdTech companies should give extra weight to children’s rights and interests, and they need a more compelling interest to justify any potential impact on children.

Although organisations widely use the “legitimate interests” basis, there is a lack of justification or any further details about this choice in their privacy policies or anywhere else. The Digital Futures Commission’s new report, Governance of data for children’s learning in UK state schools, unravels the most pressing legal and practical issues in the EdTech ecosystem and makes ten recommendations, one of which concerns “legitimate interests”.

The report refers to the lack of an obligation to publish the legitimate interests assessment in the current data protection laws and recommends that EdTech companies should be required to publish their assessments when relying upon “legitimate interests” as a part of recommended EdTech procurement rules for schools. The report further underlines that EdTech companies are likely to process children’s data under the basis of legitimate interests in practice and explains:

“This poses problems because, in the absence of Learning EdTech procurement rules, and in a system with little oversight, ‘legitimate interests’ is the preferred basis for commercial companies and offers the least protection for children.”

In February 2020, the Information Commissioner’s Office audited the Department for Education and noted a lack of understanding of the requirements and the implications when “legitimate interest” is used in practice by organisations. Children’s data protection rights advocate Jen Persson notes that this limited understanding of the “legitimate interests” ground is also true for schools.

The balancing test can also be helpful for showing compliance with the principle of fairness, and protection of all data subjects, especially vulnerable people. We believe that further understanding and exploration of the legal and practical implications and benefits of having this test is needed before making any change to the “legitimate interests” basis that might exacerbate the power asymmetry that already exists between data subjects and controllers. Therefore, we call for careful consideration of suggestions relating to the test to balance interests that DCMS published in its public consultation on reforms to the UK’s data protection.

The “legitimate interests” basis is considered the most flexible lawful basis for processing. However, as the Information Commissioner’s Office notes, its flexibility does not mean that it will always be the most appropriate ground for processing personal data.

Organisations are required to balance their interests against those of the children. This balancing exercise is important for practical implications of the children’s best interests standard under the Code. Although the Code sheds some light on how to apply the “children’s best interests” standard in practice, more is needed to help online services and schools understand the practical implications of relying on “legitimate interests”. We invite regulators to provide more practical guidance with specific case studies from the EdTech industry.

The Digital Futures Commission’s report Governance of Data for Children’s Learning in UK State Schools is the first step, calling for stakeholders to act on the regulatory and implementation gaps in data protection in education contexts. In our journey of exploring what a child rights-respecting future for EdTech looks like, we put the child’s best interests as “the paramount consideration”. We invite EdTech providers to ensure they develop an accurate understanding of children’s rights so that they can adequately protect children’s best interests when relying on “legitimate interests”.

This blog is part of the education data series.

Ayça Atabey is a lawyer and a researcher, currently enrolled as a PhD candidate at Edinburgh University. She has an LLM (IT Law) degree from Istanbul Bilgi University and an LLB (Law) degree from Durham University. Her PhD research focuses on the role that the notion of ‘fairness’ plays in designing privacy-respecting technologies for vulnerable data subjects. Her work particularly involves the intersection between data protection, AI, and human rights issues. She is a research assistant for the Digital Futures Commission at 5Rights Foundation. Prior to this, she worked as a lawyer in an international law firm and has been working as a researcher at the BILGI IT Law Institute. Ayça also works as a consultant focusing on data protection, human rights, and migration at UN Women.