EU EDPB tightens IoT data collection clause
- May 26, 2026
- William Payne

The definition of “legitimate interest” as a justification for data collection by IoT operators and providers is shifting thanks to a joint opinion issued by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). The joint opinion, a response to European Commission attempts to loosen the definition, instead tightens the existing one, a move that may end up restricting current data collection by IoT operators in the European Union.
The EDPB and the EDPS are tasked with ensuring the consistent application of the GDPR and the ePrivacy Directive within the EU. Their joint opinion on legitimate interest was drafted in response to the European Commission’s attempts to loosen the definition of legitimate interest in order to kick-start the EU’s lagging AI industry. The EDPB’s response, however, has been not just to restate legitimate interest, but to turn what has until now been an ambiguous and opaque clause into a new set of definitions and restrictions. That strategic ambiguity has allowed IoT operators to gather a range of user telemetry for operational use. They may now find that far more challenging under the new definitions.
Courts and regulators, particularly in jurisdictions with historically strict privacy cultures, notably Germany and Austria, are likely to seize upon the new opinion to restrict the use of legitimate interest for IoT data collection.
Because international IoT operators cannot feasibly maintain fractured data architectures across the Single Market, such action will have an EU-wide impact. Firms will be forced to engineer their global platforms to satisfy the most activist courts and regulators, effectively making the strictest interpretation the default European standard.
Responding to the Digital Omnibus Bill
The EDPB’s intervention is a result of the European Commission’s Digital Omnibus Bill, which aims to rewrite sections of the GDPR and the ePrivacy Directive to give firms greater liberty to collect user data and employ it for AI model building. The Commission’s goal is to reduce compliance friction, combat “consent fatigue”, and explicitly codify legitimate interest as a valid basis for training, testing, and validating AI models.
In response, the EDPB has not only reaffirmed the original definition of legitimate interest but has gone further by adding stricter definitions and tests. This containment strategy manifests in two areas.
Balancing Test and the AI data trap
First is the balancing test trap. The EDPB has reinforced that commercial innovation or product optimisation alone carries exceptionally weak weight in the three-step legitimate interest balancing test. To survive regulatory scrutiny, a data controller must show that its commercial interest explicitly aligns with the “reasonable expectations” of the user. For an ambient IoT device such as a smart thermostat or a connected vehicle, which collects background telemetry without active user engagement, establishing that expectation is a high hurdle.
Second are conditional exemptions. The olive branches the EDPB extends to the Commission come with architectural strings attached. For example, the EDPB permits the use of legitimate interest for edge-based biometric verification (such as on-device facial recognition) or the residual processing of special category data. However, these exemptions are only valid if the data remains under the exclusive, local control of the individual. The moment biometric templates or sensitive telemetry leave the edge for the cloud, the exemption collapses.
This architectural strictness introduces what can be described as a “future AI training” data collection trap. An IoT vendor appears no longer able to collect telemetry under a generic legitimate interest basis, such as “device diagnostic optimisation”, and then silently repurpose that historical data pool to train a generative or predictive AI model at a later date.
The sway of the broadest standard
The moment a vendor decides to use existing data for AI training, that action constitutes a “secondary processing purpose”. Under the EDPB’s 2025/2026 AI framework, this secondary purpose triggers an independent balancing test. Because AI training is inherently complex, opaque, and virtually impossible for an ordinary consumer to anticipate, it falls well outside the “reasonable expectations” against which the original collection was measured.
The consequence is that the broadest standard prevails. If an IoT firm builds a data architecture in which raw device telemetry, user habits, and voice or video inputs are piped into a centralised repository with the intent of eventually feeding an AI pipeline, the highest standard of protection must be baked into the collection phase from day one.
The EDPB requires an unconditional, low-friction Article 21 right to object to AI training, which includes respecting automated machine-readable signals such as Global Privacy Control (GPC). Because firms cannot easily separate “standard diagnostic data” from “future AI training data” at the point of ingestion, the EDPB’s stringent AI transparency and opt-out mandates effectively cascade backwards, governing the entire initial ingestion architecture of the smart device ecosystem.
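The practical counterpart of that last point is to bind purposes to each telemetry record at the moment of ingestion and to honour the opt-out signal there, so that data collected for diagnostics can never be silently widened to AI training later. The following is an added illustration of that pattern, not code from the EDPB, the Commission, or any vendor the article discusses. It assumes only the request header the GPC specification defines (`Sec-GPC: 1`); the device IDs, readings, and purpose names are constructed for the example.

```python
"""Purpose-bound telemetry ingestion that honours a Global Privacy Control (GPC) signal.

Illustrative pattern: every telemetry record carries the purposes declared when
it was ingested, the AI-training purpose is dropped whenever the request carried
"Sec-GPC: 1", and a later attempt to read a record for a purpose it was not
ingested under fails closed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Mapping


class Purpose(str, Enum):
    DIAGNOSTICS = "device_diagnostics"   # the generic basis the article describes
    AI_TRAINING = "ai_training"          # the secondary purpose needing its own test


class PurposeViolation(Exception):
    """Raised when data is requested for a purpose it was never ingested under."""


@dataclass(frozen=True)
class TelemetryRecord:
    device_id: str
    payload: Mapping[str, float]
    purposes: frozenset  # fixed at ingestion; cannot be widened afterwards


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """True when the request carries the GPC signal.

    The GPC specification defines the request header "Sec-GPC" with the single
    value "1"; header names are matched case-insensitively, any other value is
    treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def ingest(device_id: str, payload: Mapping[str, float],
           headers: Mapping[str, str], requested: Iterable[Purpose]) -> TelemetryRecord:
    """Bind purposes to the record at the moment of collection.

    AI training is removed from the purpose set when GPC is present, so an
    opted-out user's data can never be selected for training later on.
    """
    purposes = set(requested)
    if gpc_opt_out(headers):
        purposes.discard(Purpose.AI_TRAINING)
    return TelemetryRecord(device_id, dict(payload), frozenset(purposes))


def read_for(record: TelemetryRecord, purpose: Purpose) -> Mapping[str, float]:
    """Return the payload only if `purpose` was declared at ingestion."""
    if purpose not in record.purposes:
        raise PurposeViolation(
            f"{record.device_id}: {purpose.value} not among ingestion purposes "
            f"{sorted(p.value for p in record.purposes)}")
    return record.payload


def training_set(records: Iterable[TelemetryRecord]) -> list:
    """Select only records whose ingestion-time purposes include AI training."""
    return [r for r in records if Purpose.AI_TRAINING in r.purposes]


# Constructed sample requests (hypothetical device IDs and readings).
SAMPLE_REQUESTS = [
    # device, payload, request headers, purposes the vendor asks for
    ("thermostat-01", {"temp_c": 21.5, "cpu_load": 0.12},
     {"Sec-GPC": "1"}, [Purpose.DIAGNOSTICS, Purpose.AI_TRAINING]),
    ("thermostat-02", {"temp_c": 19.0, "cpu_load": 0.30},
     {}, [Purpose.DIAGNOSTICS, Purpose.AI_TRAINING]),
    ("thermostat-03", {"temp_c": 22.1, "cpu_load": 0.08},
     {"sec-gpc": "1"}, [Purpose.DIAGNOSTICS]),
    ("vehicle-07", {"speed_kph": 48.0, "cpu_load": 0.55},
     {"Sec-GPC": "0"}, [Purpose.DIAGNOSTICS, Purpose.AI_TRAINING]),
]


def demo() -> list:
    """Ingest the samples and return the device IDs eligible for training."""
    records = [ingest(*req) for req in SAMPLE_REQUESTS]
    return [r.device_id for r in training_set(records)]


if __name__ == "__main__":
    print("eligible for AI training:", demo())
    diag_only = ingest("thermostat-03", {"temp_c": 22.1}, {}, [Purpose.DIAGNOSTICS])
    try:
        read_for(diag_only, Purpose.AI_TRAINING)
    except PurposeViolation as exc:
        print("blocked:", exc)
```

The design choice worth noting is that the purpose set is frozen on the record rather than held in a separate consent table: the repurposing the article warns about becomes a type-level impossibility instead of a policy that a later pipeline could forget to check. In the sample, only thermostat-02 and vehicle-07 survive into the training set; thermostat-01 is excluded by its GPC header and thermostat-03 never requested the purpose.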
Conflict between scientific and commercial uses
When it comes to embedded AI, machine learning, and edge processing, the EDPB supports using legitimate interest for AI training, but it rejects any blank cheque for commercial development. If an operator relies on legitimate interest to train device-level or cloud-based ML models, the EDPB demands “enhanced transparency”. This requires providing individuals with highly granular information about how their data trains the system, alongside an easily accessible right to object early in the data lifecycle.
This tension extends to the distinction between R&D and commercial product optimisation. For operators of connected devices, the line between “scientific research” and “commercial product improvement” is a grey area. In its accompanying Guidelines 1/2026 on Scientific Research, the EDPB has established six “key-indicative factors” defining valid scientific research, including a systematic methodology, verifiability, and a tangible contribution to societal wellbeing. While the EDPB has confirmed that commercial entities can rely on legitimate interest for research, it explicitly states that “mere corporate innovation” belongs only in the recitals of the law, meaning that it cannot claim the legitimate interest status and privileges of scientific research. If a smart app processes data simply for “product improvement”, its balancing test will face significantly tighter scrutiny than telemetry processed for genuine scientific research.
Connected Health & Wearables
In the realm of connected health and smart wearables, the regulatory landscape is equally precarious because of the volume of special category biometric data collected. However, the EDPB has adjusted its stance on healthcare-related consent, clarifying that a data subject’s status as a healthcare recipient does not automatically invalidate consent on account of a perceived “power imbalance”. An imbalance that breaks the validity of consent exists only if the user’s capacity is severely impaired by a physical or mental medical condition. This gives health app operators a cleaner, dual-track path between consent and legitimate interest for aggregate analytics.
Smart Cities & ePrivacy Directive
For smart cities, public spaces, and connected transport, the conflict centres on the ePrivacy Directive. Smart city devices rely heavily on tracking signals and on interaction with the user’s local device. The Digital Omnibus attempted to fold automated signal handling into the GDPR to simplify compliance. The EDPB has warned against this, insisting that tracking mechanics such as device fingerprinting or accessing local storage must remain strictly governed by the ePrivacy Directive. For operators, the EDPB explicitly supports rules requiring online and local interfaces to respect automated, machine-readable signals, forcing smart city infrastructure to process global opt-outs seamlessly.
Digital Education faces highest hurdle
Digital education apps face the highest regulatory hurdle, as they process data belonging to minors. The EDPB has firmly rejected legislative language that would ease data protection obligations where processing is “unlikely to create significant risks”. For educational apps that map student behaviour, a comprehensive Data Protection Impact Assessment (DPIA) remains strictly mandatory. Furthermore, while vendors can refuse manifestly excessive Data Subject Access Requests (DSARs), the EDPB clarified that a request cannot be denied simply because a parent uses it for a purpose other than data protection; refusal requires a proven, documented bad-faith attempt to cause harm.
The force of the maximalist jurisdiction
Within the EU, the GDPR is enforced by national, and in Germany also regional, supervisory authorities and courts. This means that IoT firms’ reliance on the legitimate interest clause for data collection is subject to jurisdictional splitting and to the maximalist standard. Despite the Digital Omnibus’s goal of harmonisation, the GDPR remains an EU Regulation enforced by independent national supervisory authorities whose regulatory cultures vary widely.
The German Federal Commissioner for Data Protection (BfDI), alongside the state data protection supervisory authorities (the Landesdatenschutzbehörden), and the Austrian DSB view legitimate interest with considerable scepticism. They routinely treat consent (Article 6(1)(a)) as the only acceptable legal basis for consumer tech processing. Conversely, jurisdictions such as Ireland (DPC) or Luxembourg (CNPD), which host major tech hubs, traditionally favour a more flexible interpretation of commercial legitimate interest.
For an international IoT firm selling smart home hubs, connected vehicles, or medical wearables across the Single Market, it is commercially and technically impossible to maintain fractured data processing architectures per member state.
Because the GDPR’s One-Stop-Shop mechanism allows concerned supervisory authorities, such as the German ones, to formally object to a lead authority’s lenient draft decisions, with the EDPB settling the dispute, international firms must design for the strictest jurisdiction. If an IoT firm’s legitimate interest model cannot survive a regulatory audit by the German or Austrian authorities under the EDPB’s tightened 2026 criteria, relying on it across the EU may well constitute an unacceptable business risk.