
Legitimate interest vs consent: CNPD/EDPB tighten, ICO remains looser

Luxembourg’s Administrative Court backed the CNPD in the Amazon case: legitimate interest was not justified. While the EDPB tightens Article 6(1)(f), the UK ICO still calls it the most flexible basis.

On 27 March 2026, the Luxembourg CNPD announced that the Administrative Court upheld its analysis in the Amazon case: the claimed legitimate interest was not justified for the processing at stake. Meanwhile, the EDPB tightened the use of Article 6(1)(f) GDPR in October 2024, while the UK ICO still presents it as the “most flexible” lawful basis.

For organisations operating in Luxembourg, align policies with the stricter EU line (CNPD/EDPB), even if the UK allows more leeway. For local context, see GDPR compliance in Luxembourg and the framework of GDPR Article 6. For execution, a certified DPO mandate helps structure necessity and balancing tests.

The case

The CNPD reports that the Administrative Court “almost entirely validated” its approach and “in particular, confirmed that relying on legitimate interest […] was not justified” for the processing concerned. This cements a demanding reading of Article 6(1)(f) — a legitimate interest that is real and lawful, necessity, and balancing — applied to large‑scale operations. Source: CNPD, “La CNPD obtient la mise en conformité effective des traitements d’Amazon […]” (27/03/2026). Official releases: FR; EN.

In the background, the European Data Protection Board adopted on 9 October 2024 its Guidelines 1/2024 on processing based on legitimate interest (Art. 6(1)(f) GDPR). They require an interest that is “lawful, clearly and precisely articulated, real and present,” strict necessity, and a documented balancing test, integrating CJEU case C‑621/22 (4 Oct 2024) on the scope of a “commercial” interest. Sources: EDPB news item and summary PDF: news; summary.

By contrast, the UK ICO — under the UK GDPR — frames legitimate interest as the “most flexible” basis and publishes operational doctrine (step‑by‑step LIAs, use cases) and, since 2024–2025, the “recognised legitimate interests” introduced in UK law. Sources: ICO guidance; Recognised legitimate interest. Text reminder: GDPR Article 6 on EUR‑Lex.

Legal reasoning

  • CNPD and GDPR. Strict application of Article 6(1)(f): interest must be precisely identified, necessity shown (no less intrusive alternative), and the balancing must demonstrate that data subjects’ rights and freedoms do not prevail. Generic “commercial” or “optimisation” interests often fail when scale, sensitivity, user surprise or information asymmetry weigh against the controller. Source: CNPD (27/03/2026), supra.
  • EDPB 1/2024. The guidelines confirm: 1) an interest “lawful, clearly and precisely articulated, real and present”; 2) strict necessity (proportionality/subsidiarity); 3) a documented balancing sensitive to context (scale, vulnerability, reasonable expectations, transparency, right to object). They reflect CJEU C‑621/22: a “commercial” interest may be legitimate in principle, but never dispenses with necessity or the in‑concreto balance. Sources: EDPB news and PDF; CJEU C‑621/22: dossier.
  • ICO (UK). More pragmatic stance: the “most flexible” basis for expected, low‑impact uses (security, fraud prevention, service improvement, direct marketing outside PECR constraints). UK law introduces “recognised legitimate interests” partially easing the balance for certain framed purposes. Source: ICO, supra.

What changes in practice

  • B2C marketing and profiling enrichment. In LU/EU, avoid legitimate interest for large‑scale enrichment or partner sharing without granularity and user control. Prefer valid GDPR consent for unexpected uses and ensure a robust opt‑out (Art. 21). Sources: CNPD (Amazon), EDPB 1/2024.
  • Security, anti‑fraud, resilience. Legitimate interest remains a viable basis where necessity is demonstrated (e.g., security logging, anomaly detection). Document the necessity, minimise the data collected, inform data subjects clearly, and provide an effective right to object. Source: EDPB 1/2024.
  • Intra‑group. Internal sharing for commercial steering or cross‑sell is not “automatic” under 6(1)(f). Define purposes per entity, test necessity and balance; switch to consent or another basis where appropriate.
  • UK vs EU. Even if the ICO allows broader reliance (and “recognised legitimate interests”), processing targeting individuals in the EU/LU remains under the GDPR. Align global policies with the CNPD/EDPB bar to avoid market‑by‑market rework. See GDPR Article 6 requirements for reference.

Common pitfalls

  1. Vague, catch‑all interests. Statements like “improve the experience” without a precise purpose fail EDPB/CNPD tests.
  2. Undemonstrated necessity. “Just in case” retention or default tracking is not “necessary.”
  3. Cosmetic balancing. Tick‑box LIAs without analysis of expectations, scale, or mitigations (pseudonymisation, granularity, objection) won’t withstand scrutiny.
  4. UK playbook copied to LU/EU. Applying ICO models in Luxembourg risks GDPR non‑compliance.
  5. Ignoring data subject rights. Failing to operationalise the right to object (Art. 21) is a common issue. A certified DPO can help make these rights effective.

Official sources

  • CNPD (Luxembourg) — Amazon case press release, 27/03/2026: FR; EN.
  • EDPB — Plenary of 09/10/2024: Guidelines 1/2024 and summary: news; PDF.
  • CJEU — Case C‑621/22 (04/10/2024): EUR‑Lex dossier; OJ PDF.
  • EUR‑Lex — GDPR, Article 6: text.
  • ICO (UK) — “Legitimate interests” and “Recognised legitimate interest”: guidance; page.

Reading note: for legal‑basis choices in 2026, follow the CNPD/EDPB line (high thresholds for necessity and balancing). UK flexibilities do not export to the EU and do not protect you in Luxembourg.

Luxgap regulatory expertise article.
