The Practical Role of Legitimate Interest under the GDPR
AI, Operational Constraints, and the Limits of Regulatory Simplification

Among the six legal bases for processing personal data under Article 6 GDPR, legitimate interest was not originally designed to support large-scale or continuous data processing as a primary mechanism. Its role was limited and functional: to cover processing activities that cannot realistically rely on consent, do not fall under a legal obligation or the exercise of public authority, yet occur as part of ordinary organisational operations.

Such activities are common in large organisations. They include internal administration, cybersecurity measures, fraud prevention, system maintenance, and basic operational analytics. The GDPR deliberately retained legitimate interest for these situations. Article 6(1)(f) does not provide a general authorisation. It conditions its use on whether the processing is necessary for the purposes of a specific legitimate interest pursued by the controller or a third party.

For a considerable period, this allocation remained stable. What has changed is not the legal text, but the operating environment in which data processing takes place. The expansion of generative AI model training, large-scale data reuse, and cross-platform data flows has altered the structure of processing activities.

In environments characterised by high data volumes, fragmented sources, and indirect collection, consent as a primary legal basis has become increasingly difficult to apply in practice. Controllers often cannot identify data subjects individually at the point of collection, establish contact, or obtain specific and timely consent that reflects an actual understanding of the processing purpose, scope, and implications.

Even where consent is formally obtained, it frequently takes the form of standardised or retroactive declarations. In such cases, consent risks functioning as a procedural step rather than an effective mechanism of rights protection. This is not merely an implementation issue. It reflects a structural limitation of consent as a regulatory tool in certain processing contexts.

Within the existing legal framework, controllers therefore rely more frequently on other legal bases that remain operational. Legitimate interest has, in certain contexts, come to function as the primary legal basis supporting ongoing data processing. This outcome does not indicate a change in legislative intent. It reflects the limited set of workable options available under current conditions.

The limiting clause of Article 6(1)(f) has not been removed. The requirement that legitimate interests must not be overridden by the interests or fundamental rights and freedoms of the data subject remains fully applicable. What has changed is the degree of pressure placed on this balancing mechanism when legitimate interest is used to support large-scale, continuous, and technically complex processing activities.

The resulting question is concrete: when legitimate interest is used in this way, do the safeguards originally designed to constrain it under the GDPR continue to operate effectively?

The Limiting Structure of Article 6(1)(f)

From its wording alone, Article 6(1)(f) GDPR is not an open-ended authorisation. It establishes two cumulative conditions. Processing must be necessary, and the interest pursued must not override the interests or fundamental rights and freedoms of the data subject.

The English text expresses this through the pairing of “necessary” and “overridden”. The German text adopts the same structure through erforderlich and sofern nicht … überwiegen. This design makes clear that legitimate interest is not a default status. It is a conclusion that must be reached anew for each specific processing operation.

Regulatory and judicial practice at EU level, in particular the case law of the Court of Justice, has therefore settled on a relatively consistent three-step assessment. First, the interest pursued must be concrete and lawful; abstract references to commercial benefit, efficiency, or technological progress are insufficient. Second, the processing must be genuinely necessary, meaning that no less intrusive but equally effective alternative is reasonably available. Third, a balancing assessment must be conducted, examining whether the processing aligns with the reasonable expectations of the data subject and what actual impact it has on their rights and freedoms.

The European Data Protection Board, in its Guidelines 1/2024 on Article 6(1)(f), has explicitly identified the reasonable expectations of the data subject as a core factor in this assessment, in line with Recital 47 GDPR. These elements are not academic categories. They are practical decision tools used to determine whether a processing operation may continue. If any one of the three steps fails, reliance on legitimate interest cannot be sustained.

Divergent National Baselines

Germany: Effective Exercisability of Rights

Germany’s approach to legitimate interest is anchored in constitutional doctrine and supervisory practice rather than abstract balancing alone. The Federal Constitutional Court’s 1983 Census Decision articulated the concept of informational self-determination, linking personal data processing to the individual’s ability to foresee how data would be used, and thereby to the free development of personality.

This constitutional framing produces a concrete regulatory consequence. In German practice, the primary question is whether data subject rights remain practically exercisable. Where information, objection, or restriction rights cannot be meaningfully exercised due to system design, scale, or technical architecture, reliance on Article 6(1)(f) is called into question.

This approach is reflected in supervisory practice. German authorities apply a strict interpretation of necessity and reasonable expectations in cases involving large-scale tracking, cross-site integration, third-party data sharing, or technically complex processing. When traditional rights mechanisms cannot operate effectively, controllers are expected to introduce functionally equivalent or compensatory safeguards. Claims of technical infeasibility are not accepted as a sufficient endpoint.

Recent German case law on AI training does not depart from this logic. Courts have accepted reliance on legitimate interest only where controllers demonstrate concrete notice mechanisms, effective objection options, and verifiable risk controls. The standard is not lowered; it is operationalised.

France: Governability and Administrative Control

France starts from a different institutional baseline. The French data protection framework developed around administrative governance rather than constitutional adjudication. The establishment of CNIL following the SAFARI controversy in the 1970s reflects a regulatory choice: to manage and control data processing through institutional design rather than to prohibit data integration as such.

In current practice, this translates into a more operational reading of legitimate interest. French authorities explicitly recognise that consent may be impracticable in certain large-scale or indirect processing scenarios, including AI system development. Legitimate interest is therefore treated as an available legal basis, provided that it is accompanied by structured safeguards.

CNIL’s guidance focuses on documentation and process. Legitimate interest assessments, analysis of data sources and context, risk mitigation measures, and data protection impact assessments where appropriate form the core of this approach. The emphasis is not on rejecting legitimate interest at the outset, but on ensuring that processing remains governable, auditable, and subject to ongoing supervision.

The central question in the French approach is whether a processing activity can be placed within a framework that allows regulatory control and correction over time.

Implications for EU-Level Simplification

Recent discussions on regulatory simplification at EU level cannot avoid legitimate interest. The compliance burden experienced by organisations rarely arises from the existence of Article 6(1)(f) itself. It arises from uncertainty in application: which scenarios qualify, what level of safeguards is required, and whether supervisory authorities across Member States will reach consistent conclusions.

Germany and France illustrate why this issue cannot be resolved through technical drafting alone. Germany prioritises the effective exercisability of rights. France prioritises the governability of complex processing systems. These positions are not mutually exclusive, but they lead to different regulatory instincts.

As a result, EU-level initiatives addressing GDPR simplification face a structural coordination problem. The task is not to decide whether legitimate interest should exist. It already does, and it is already in use. The real question is how far it can extend without rendering data subject rights ineffective, and what institutional costs must accompany its use in large-scale and high-technology environments.

Legitimate interest is not a marginal clause. It is a functional instrument already embedded in EU data protection practice. What requires attention is not its survival, but the conditions under which it is used, and the consequences that follow from its use across different historical and institutional contexts.
