If legitimate interest is actually legitimate then there is no reason to allow an opt-out. They allow it because the truth is that it wouldn’t actually fall under legitimate interests.
According to the Finnish data protection ombudsman, the data subject has the right to object in case of legitimate or public interest. The data subject does not have the right to object when the processing is based on a contract or legal obligations.
Objection itself may or may not stop the processing of data. Usually it should, but there are some situations where it would still be allowed (e.g. "a task in the public interest that requires scientific or historical research or the compilation of statistics").
Now I don't know if there have been any decisions or not based on what kind of tracking would actually be legitimate interest (the text on the website is very ambiguous).
This site has a 3 item slider at the very top of the page promoting recent? decisions. 2 of the 3 have the same number of lines of text. The third one has an additional line of text. Every time the 3rd one comes/goes, the entire page is shifted up/down to accommodate causing the page to have a very slow bounce. tsk tsk tsk
I am not impressed. I clicked on my country and the four most recent fines are: 600(private indiv.), 150 (private indiv.), 100 (Bank), 0 (Post office).
I'm not opposed to GDPR. I just think it's ridiculous how they boasted about fines up to 20 million or 4% of annual worldwide revenue, and then we get an interpretation of "up to" that we otherwise only know from ISPs. I mean, a "fine" of 0 Euro, and 100 Euro for a bank? That is not how you make organisations respect user privacy.
At this rate we're going to have three different any% categories of this speedrun before we can hope for an announcement of a plan to tighten restrictions in an unspecified amount.
I disagree, every company on the top fines list has more money in proportion to the fine than the examples the parent comment gave, except maybe the bank. These fines are so tiny no one will ever care about user privacy or data security.
Isn't it still supposed to be opt-in? Seems strange to allow the data processor to define what is legitimate interest, and then bypass the otherwise clear requirement of opt-in and informed consent?
If you invoke Legitimate Interest, you do not need consent (assuming your Legitimate Interest is valid). There are many common misunderstandings of GDPR, and one of them is that consent is always required. It is not.
To process data under GDPR, you need a Legal Basis. Consent is one Legal Basis. Legitimate Interest is a different Legal Basis. There are four others.
Consent is opt-in. That's the defining feature of Consent as a Legal basis, since that's what "consent" means. It can also be revoked.
Legitimate Interest is opt-out, as is Public Interest.
If your Legal Basis is one of the other three, then there isn't even an opt-out requirement. Which makes sense, because those cover essential or non-optional processing: Legal requirements (e.g. retaining credit card records), processing necessary to perform a contract the Data Subject has signed, and "Vital Interests" which means "literally life-or-death situation."
Note that cookies are regulated by the ePrivacy Directive in addition to GDPR. The ePD requires consent for cookies and does not have a concept of Legitimate Interest. If a company invokes Legitimate Interests for their cookies, they are Doing It Wrong.
What you describe makes sense, but the way it's implemented everywhere seems like a complete breach of GDPR. If I understand it correctly, "legitimate interest" would be the processing of data necessary to perform the service in question, and the user must be properly informed of its extent?
If I can turn the "legitimate interest" options off, and the service / product remains the same, then... isn't that a clear indication that the grounds for it being "legitimate" don't hold up? For example, I'd consider a service feedback functionality to be "legitimate interest". It's obvious that for it to work, there is a legitimate interest for processing the data transmitted.
Legitimate interest is very broad and very vague. It's the "wild card" Legal Basis, basically used to cover all of the cases that the law didn't explicitly address. The legal requirements are more-or-less "the company has a good reason, and the privacy impact is minimal." The validity of the good reason or minimal privacy impact are subject to regulatory review, but companies are trusted to make this decision on their own until a regulator gets involved.
A company can also decline opt-out if they have an "Overriding Legitimate Interest." This is true regardless of whether the original legal basis was Legitimate Interest or Consent. However the company must restrict processing only to that particular overriding interest.
"Fraud Detection" is the canonical example of an (Overriding) Legitimate Interest. To my knowledge, that's the only example that's actually given in the text of GDPR itself. Telemetry is generally believed to be another example, and in that case it's probably not Overriding.
Processing necessary to provide a service is kind of weird. If the service is part of a contract, then you use Performance of Contract as your Legal Basis. But if the use of the service doesn't actually form a contract, then you can't use that Legal Basis and have to use either Consent or Legitimate Interest. There are arguments for and against either.
Legitimate interest can be opt-out but it’s definitely a dark pattern presenting the same processing under both options. It should be either one or the other.
It's not just a dark pattern, it's straight-up non-compliant.
Article 7 "Conditions for Consent," paragraph 2:
> If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters[...]
Most regulators have taken this to mean that requests for consent must be distinguished even from other notices required by GDPR, i.e. it must be a separate request from the Privacy Notice itself.
I have always wondered how a site is allowed to offer you an opt-in for anything that doesn't fall under legitimate interest. It would be driven by an illegitimate interest by assumption.
When using a legitimate interest (opt-out) as a legal basis, the interest must be both legitimate AND outweigh the data subject's rights and freedoms. This requires a balancing test between the various factors to be performed first.
Similarly, you can't just legitimize anything with consent (opt-in) – the consent must be valid, and of course can't override more specific laws. You can't consent to something illegal.
So no, failing to use legitimate interest doesn't mean it's illegitimate or that consent could always be used. It could also mean that the balancing test failed, or that laws prescribe a different legal basis. E.g. the “cookie law” prescribes consent for non-necessary cookies and similar technologies.
It becomes clearer if you look at it in terms of core business. So yes, they can collect X and Y because that's their core business and directly related to the product.
When it's for marketing, telemetry or similar purposes, it's tangential data, which need not be illegal or immoral to be an "illegitimate" interest. It becomes more of a dark pattern when they present a selectable option for "legitimate interests" - at best malicious compliance. They might think it's legitimate because it makes them money?
Similarly in the vein of malicious compliance is offering a cookie consent banner. As far as I know, they only need to do that if they're tracking you or storing TMI/PII. Worse is, it works, too, because now everyone is complaining about the law and not the companies engaging in these dark patterns.
https://tietosuoja.fi/en/what-rights-do-data-subjects-have-i...
https://tietosuoja.fi/en/controller-s-legitimate-interests