On April 2, 2013, the Article 29 Working Party ("WP29")1 published an opinion that clarifies further the purpose limitation principle contained in Article 6 (1)b of the EU Data Protection Directive 95/46/EC.
The opinion focuses on the scope and limitations of this principle as well as its application in the context of big data and open data. WP29 also puts forth some recommendations to the proposed Data Protection Regulation.
1. Purpose limitation principle
The purpose limitation principle has two main building blocks:?
- Personal data must be collected for a specified, explicit, and legitimate purpose (?Purpose Specification?);
- Personal data collected for one or more purposes may not be further processed in a way that is incompatible with those initial purposes ("Compatible Use").
2. Purpose specification
WP 29 considers that longer and more detailed specifications are not always necessary or helpful. In WP29?s opinion, very detailed descriptions may even be counter-productive at times.
In light of this, WP29 recommends that a ?layered notice? approach be taken.? This means that key information is provided to data subjects in a very concise and user-friendly manner, while a second layer of additional information is provided for the benefit of those who require further clarification (perhaps via a link to a separate website).
3. Compatibility assessment
Further processing for a different purpose does not necessarily mean that this purpose is incompatible with the initial purpose.? According to WP29, compatibility needs to be assessed on a case-by-case basis.
WP29 identifies four (non-exhaustive) key factors that need to be considered for the compatibility assessment before there is any further use of personal data:
- The relationship between the initial purposes for which the data have been collected and the purposes of the further processing;
- The specific context in which the data have been collected and the reasonable expectations of the data subjects involved concerning the further use of their personal data;
- The nature of the data and the impact of the further processing on the data subjects involved;
- The safeguards adopted by the data controller to ensure fair processing and to prevent any undue impact on the data subjects.
The opinion provides 22 practical examples illustrating the concept and methodology of the compatibility assessment. These examples include assessment in the private and public sector, assessment of? sensitive and non-sensitive data, and a variety of processing in different contexts, such as from social networking websites and according to the Data Retention Directive.
4. Big data and open data
WP29 also draws attention to the specific safeguards that should be applied with regard to big data and open data.
Big data refers to the availability and automated use of large amounts of information which are then extensively analyzed by using computer algorithms. Big data can be used to identify trends and correlations, but its processing can also directly affect individuals, for example, by way of behavioral advertisements and tracking and profiling users for direct marketing purposes.
Therefore, WP29 concludes that an opt-in consent would almost always be necessary. In addition, for the consent to be valid, organizations should disclose their decision-making criteria in relation to the data and provide the data subjects with access to their ?profiles?, as well as the algorithms used in developing their profile.
Open data refers to the data processing of public bodies that are involved in projects concerning the accessibility of information. In this respect, WP29 emphasizes the importance of anonymisation, aggregation, and data protection impact assessment to ensure necessary safeguards.
WP29 also announces that it is preparing a guidance document about open data which will address issues related to anonymisation, among other things.
5. Recommendations to the proposed Data Protection Regulation
Article 6 par. 4 of the current draft regulation lays down a very broad exception to the compatibility requirement, namely that the lack of compatibility can simply be remedied by identifying a new legal ground for the processing. This could in fact severely erode the purpose limitation principle. Therefore, WP29 recommends that the entire proposed paragraph 4 of Article 6 be removed.
WP29 also proposes that the four key factors (cfr. Par. 3 above) be integrated into Article 5 of the proposed Data Protection Regulation.
6. First remarks
This opinion is of great importance because not only does the purpose limitation principle affect all data controllers that process personal data in the EU but also the opinion provides a wealth of practical examples that put WP29?s guidelines into practice.
However, if WP29?s recommendations were adopted, it would become considerably more difficult for data controllers to process data for different purposes.
Finally, in this opinion WP29 once again2 encourages the use of so-called ?layered privacy notices?. It appears that WP29 considers these type of notices as the way forward in informing data subjects.
The opinion can be found here