Search
Close this search box

Newport Thomson

  • Home
  • Canada
  • The Trouble with “Legitimate Interest”
July 14, 2026Privacy

The Trouble with “Legitimate Interest”

GDPR has a rule almost exactly like the one in Bill C-36. It’s called “legitimate interest” and it’s found in Article 6(1)(f) of GDPR. It lets a company use someone’s personal info without asking permission, as long as the company’s reason for using it is strong enough to outweigh the harm it could cause the person.

Sounds reasonable. Here’s the problem: for years, companies treated it like a “get out of consent free” card. If a company didn’t want to bother asking permission, they just said “legitimate interest” and moved on. European regulators have spent the last two years cracking down hard on that habit, as that was not the intent of the legitimate interest clause.

What the regulators actually did

In October 2024, Europe’s top privacy regulator, the EDPB (European Data Protection Board), published new guidelines that tightened the screws on legitimate interest. The message was blunt: this is not supposed to be a “last resort” excuse you reach for when you don’t want to deal with consent. Companies have to actually prove three things, every time: 1) there’s a real business reason, 2) using the data is truly necessary (not just convenient), and 3) that reason outweighs the harm to the person. The guidelines stress that businesses must ensure transparency and uphold data subject rights when relying on this basis, and this legal basis is not meant to be a “last resort” when other bases don’t apply – it must be applied deliberately, not automatically chosen or treated as a default. WILLIAM FRY

Then in December 2025, the EDPB commissioned an independent expert to dig through every major legitimate interest case decided across Europe since 2018. The findings were rough. The report, analyzing 62 cross-border decisions and five binding EDPB decisions, found that companies routinely misjudge what the balancing test requires. It found a pattern of controllers treating legitimate interest as a flexible fallback rather than a carefully documented legal basis, who consistently fail at the most basic step of the test. PPC Land

The biggest example: in 2023, EDPB used emergency powers to order Meta to stop running behavioural advertising across the entire EU, because the company had been relying on legitimate interest (and contract) as its legal basis. Regulators found there were realistic, less intrusive alternatives to online behavioural advertising, which meant the processing wasn’t actually necessary. That one ruling reshaped the whole online ad industry in Europe. PPC Land

Smaller, more relatable examples from the case files: a hotel that photographed every guest “for fraud prevention” was told that wasn’t necessary, because checking a name or requiring a signature would do the same job with less intrusion. A company that forced customers to hand over a phone number just to get customer service was told email worked just as well and was less invasive. The pattern regulators keep flagging: companies reach for the biggest, most convenient pile of data instead of the smallest pile that actually does the job. PPC Land

How this lines up with Bill C-36

Bill C-36’s legitimate interest clause (subsection 18(3)) borrows the same basic shape as GDPR’s Article 6(1)(f): a business reason has to outweigh the harm to the person, and a reasonable person has to expect it. Canadian law firms tracking the bill have noted this directly. MLT Aikins describes the new consent exception for legitimate interests as similar to the EU’s GDPR, allowing organizations to collect, use or disclose personal information without consent where they have a legitimate interest, provided that interest outweighs potential adverse effects on the individual. MLT Aikins

There are two differences worth flagging for clients:

C-36 adds a guardrail GDPR doesn’t have in the statute itself. Bill C-36 explicitly says the personal information cannot be collected, used, or disclosed for the purpose of influencing the individual’s behaviour or decisions. That’s Canada trying to head off exactly the “adtech targeting disguised as legitimate interest” problem that got Meta in trouble in Europe. GDPR’s Article 6(1)(f) doesn’t have that exact language baked in; Europe had to build that protection through case-by-case enforcement instead. Parliament of Canada

C-36 front-loads the paperwork. Before relying on the legitimate interest exception, an organization must identify and describe the interest and carry out a privacy impact assessment identifying and mitigating reasonably foreseeable adverse effects, and this assessment must be available to the Commission on request. GDPR doesn’t require a mandatory upfront privacy impact assessment specifically for legitimate interest reliance; European companies are expected to document a “legitimate interests assessment” but it’s not a statutory mandatory PIA trigger the way C-36 writes it. Fasken

What this means for Newport Thomson clients

The European experience is basically a five-year preview of what’s coming for C-36 clients: regulators start permissive, then tighten hard once they see the exception get stretched. The Meta case shows the outer edge of what happens when “necessary” gets read loosely: an entire business model built on legitimate interest got shut down EU-wide. The hotel and phone-number cases show the smaller, everyday version: any client who defaults to legitimate interest because it’s easier than getting consent needs a real necessity test on file, not just a memo saying “we think this is fine.”

If Canada’s new Commission looks to European enforcement patterns for guidance (which regulators often do when a concept is imported), clients over-relying on legitimate interest without documented, specific necessity analysis are the most exposed.

Sources

  1. EDPB Guidelines 1/2024 on Article 6(1)(f) GDPR – Tier 2 (EU regulator) – https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf
    Why this source: The actual regulatory guidance from Europe’s top privacy body, defining the modern legitimate interest test.
  2. EDPB One-Stop-Shop Case Digest on Legitimate Interest – Tier 2 (EU regulator, commissioned expert report) – https://www.edpb.europa.eu/our-work-tools/our-documents/support-pool-experts-projects/one-stop-shop-case-digest-legal-basis_en
    Why this source: The December 2025 report analyzing 62 enforcement decisions; the primary evidence for the “overuse” pattern.
  3. Bill C-36, First Reading text – Tier 1 (the bill itself) – https://www.parl.ca/DocumentViewer/en/45-1/bill/C-36/first-reading
    Why this source: The actual statutory language of subsection 18(3), the clause the user is asking about.
  4. ppc.land, “EDPB’s damning digest: how ‘legitimate interest’ fails in practice” – Tier 5 (trade press summarizing Tier 2 source) – https://ppc.land/edpbs-damning-digest-how-legitimate-interest-fails-in-practice/
    Why this source: Clear, current summary of the December 2025 case digest findings, including the Meta and hotel/phone-number examples, with dates and case references.
  5. Fasken, “Bill C-36: A Third Attempt at Federal Private-Sector Privacy Reform” – Tier 4 (established Canadian law firm) – https://www.fasken.com/en/knowledge/2026/06/bill-c-36
    Why this source: Confirms C-36 draws on GDPR concepts and details the mandatory privacy impact assessment requirement tied to legitimate interest reliance.

Leave a Reply