Balancing Scenarios
Having defined the mechanics of (GDPR) balancing in Chapter 5, this chapter explores three concrete balancing scenarios. The three scenarios are selected based on their prevalence in the information society services (ISS) context, and on the different types of entities they generally represent: (a) commercial interests, mainly relating to the ISS provider; (b) information freedoms, mainly relating to third parties such as users of the ISS provider; and (c) research and security interests, mainly representing a shared or common interest. It appears from a combined reading of the GDPR, policy documents, and CJEU case law that as a general rule, commercial interests cannot trump data subjects’ interests when exercising their right to erasure or to object. When these rights affect the information freedoms of third parties, the GDPR requires powerful ISS providers to take up their responsibility, but only insofar as they actually control the respective information processing operations. In order for research interests to be able to override data subject rights, it will generally have to be carried out in the public interest and severely hampered by anonymization. With regard to security interests, finally, the processing will have to be strictly necessary, effective, and proportionate. Overall, this chapter clearly demonstrates how fair balancing is an inherently open-ended legal exercise. The GDPR tries to provide some structure, inter alia by setting clear defaults in favour of different rights, freedoms or interests that might be particularly at risk in certain situations.