In this compilation of EU regulatory issues from recent weeks, you will find references to the EDPB Guidelines on Legitimate Interest, the Irish Data Protection Commission's case on legitimate interest, the publication of the first draft of the EU General-Purpose AI Code of Practice, and the Council's adoption of the ESG Ratings trilogue compromise.
EDPB Guidelines on Legitimate Interest
Legitimate interest is one of the key data processing grounds recognized by Article 6(f) of the GDPR and is used by many businesses to process data. As stated by the GDPR, it must be assessed to ensure that the data controller's legitimate interests do not override the data subject's rights—a process known as the "balancing test."
The European Data Protection Board has recently issued draft Guidelines to better assess legitimate interest usage and the balancing test, providing clarity for businesses that rely on legitimate interest as a data processing ground. These guidelines were open for consultation until 20 November 2024 and will be finalized by the EDPB in the coming months. They are expected to serve as a key reference for data protection authorities and judges in interpreting the GDPR. FEBIS provided a comments paper which insisted on the need to ensure that all legal bases are equal and that legitimate interest can be used for commercial purposes, but also on the need to carry out the balancing test carefully and on the ability to take third parties' legitimate interests into account, especially when using legitimate interest for fraud prevention and the fight against money laundering.
The FEBIS contribution together with all others from interested parties can be seen on the EDPB website.
***
Irish Data Protection Authority comments on legitimate interest
Legitimate interest has also been at the forefront of several recent cases, including one from the Irish Data Protection Commission (DPC) against LinkedIn. In a recent talk in Brussels, the DPC discussed their interpretation of legitimate interest. The DPC found that LinkedIn had not validly relied on consent for third-party data processing, contractual necessity for first-party data, or legitimate interests for processing either type of data for analytics. The DPC evaluated these findings using the three-part test established by the Court of Justice of the European Union, which was detailed in a recent decision last month involving the Royal Dutch Tennis Association and VoetbalTV. This test examines whether the legitimate interest is being pursued, whether data processing is necessary, and whether the organization's legitimate interests outweigh the user's fundamental rights and freedoms. At the Brussels event, the DPC emphasized that for legitimate interest to be properly applied, organizations must conduct a thorough assessment that carefully examines their choices to ensure their interests don't override individual rights and freedoms.
***
First draft of the EU General Purpose Artificial Intelligence Code of Practice published
On 14 November 2024, the European Commission published the first draft of the General-Purpose Artificial Intelligence (AI) Code of Practice. The draft was prepared by independent experts who were appointed by the AI Office as chairs and vice-chairs of the four working groups of the General-Purpose AI Code of Practice. As part of the Code of Practice Plenary, stakeholders, representatives from EU Member States, as well as European and international observers are invited to provide comments via a dedicated platform by 28 November to help shape the next versions of the Code of Practice.
The rules governing general-purpose AI models under the AI Act will come into application in August 2025. The Code of Practice aims to facilitate the proper implementation of these rules and will play a crucial role in guiding the future development and deployment of trustworthy and safe general-purpose AI models in the EU.
Key aspects of the Code include details on transparency and enforcement of copyright-related rules for providers of general-purpose AI models, as well as a taxonomy of systemic risks, risk assessment methodologies, and mitigation measures for providers of advanced general-purpose AI models which may pose systemic risks.
The document will also be further discussed in the four working groups taking place from 18 November to 21 November and on 22 November during the Code of Practice Plenary. The final document is expected to be published and presented at a closing Plenary in May 2025. You can find the first draft here.
***
The Council adopts the ESG Ratings trilogue compromise
On 19 November 2024, the EU Council adopted the trilogue agreement on the regulation on environmental, social and governance (ESG) ratings.
ESG ratings provide an opinion on the sustainability profile of a company or financial instrument by assessing its impact on society and the environment and its exposure to risks associated with sustainability issues. They have an increasingly important impact on the functioning of capital markets and on investor confidence in sustainable investment products.
The new rules aim to make rating activities in the EU more consistent, transparent and comparable in order to strengthen investor confidence in sustainable financial products. They are intended to strengthen the reliability and comparability of ESG ratings by improving the transparency and integrity of the activities carried out by ESG rating providers and preventing potential conflicts of interest.
In particular, ESG rating providers established in the Union will have to be authorised by the European Securities and Markets Authority (ESMA), be subject to its supervision and comply with transparency requirements, in particular with regard to the methodology used and the sources of information. ESG rating providers established outside the EU that wish to operate in the EU will have to obtain endorsement of their ESG ratings by an ESG rating provider authorised in the EU, recognition based on a quantitative criterion, or be included in the EU register of ESG rating providers on the basis of an equivalence decision.
The regulation also introduces the principle of separation of business activities in order to prevent conflicts of interest.
After this, the regulation will soon be published in the Official Journal of the EU, enter into force 20 days later and apply 18 months after the date of entry into force.
The ESG Ratings regulation is important for our sector because it applies to all ESG products, whether they are called ratings, scores, opinions or anything else. Notably, however, the raw ESG data used to build other products such as credit reports is not included in the scope of the regulation. ESG providers who want to provide ESG products will need transparency and pre-authorization with ESMA, together with clear and appropriate measures to prevent conflicts of interest, which have to be put in place as defined by article 15 of the regulation. ESMA will become the supervisor of ESG ratings providers and is expected to issue guidelines and implementing technical standards in the coming year.
Sources:
https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf
https://data.consilium.europa.eu/doc/document/PE-43-2024-INIT/it/pdf