"Neither too general so as to be meaningless, nor too specific so as to be overly rigid"
On 2 April 2013, the Article 29 Working Party ("WP"), an advisory body composed of representatives of the European Commission, the EU data protection supervisor and the data protection authorities of all EU Member States, issued Opinion 03/2013 on Purpose Limitation ("Opinion"). The Opinion seeks to clarify the purpose limitation principle of Article 6(1)(b) of Data Protection Directive 95/46/EC ("DPD") which, with a view to protecting data subjects from unexpected and excessive processing, sets a limit on the processing that a data controller may carry out in relation to personal data collected. The principle dictates that the purposes of the processing must be "specified, explicit and legitimate" and that any further processing cannot take place "in a way incompatible with those purposes".
There has been some divergence in the interpretation of these requirements, which the WP aims to resolve through its Opinion. It seeks to offer guidance on the scope of the terms, in addition to providing several practical examples of what might and might not be considered acceptable. The Opinion is intended to strengthen the protection for data subjects, while providing some flexibility for businesses in how they assess the legitimacy of the processing and the compatibility of further processing. The practical examples suggest that many of the purposes stated in privacy policies are not specific enough, and that the compatibility requirement may be an obstacle to recent trends such as big data, i.e., the availability of very large datasets which are extensively analysed using computer algorithms. The suggested flexibility might therefore be difficult to attain for larger businesses.
The Opinion furthermore proposes a number of amendments to the proposed General Data Protection Regulation, introducing assessment mechanisms for further processing as well as limiting the proposal's scope of lawful processing.
Specified, explicit and legitimate purposes
The Opinion clarifies that the purposes must be communicated to the data subject at the latest at the point where the collection of the data commences.
For the purposes to be specified, they should be identified clearly enough to determine the extent of the processing. In particular, purposes such as "improving user experiences", "marketing purposes", "IT-security purposes" or "future research" - without more detail - will not satisfy the specificity requirement. Where the data are collected for multiple purposes, an "umbrella" purpose may be used, provided that the underlying purposes are also specified clearly enough to determine whether the processing complies with the law. This applies in particular to so-called "layered" privacy policies, where the more specific purposes are set out in another layer.
To qualify as sufficiently explicit, the purposes must be set out without vagueness or ambiguity as to their meaning or intent, with "as much information […] expressed and communicated as is necessary to ensure that everyone concerned has the same, unambiguous understanding of the purposes of the processing".
With regard to the legitimacy of the purposes, the Opinion clarifies that this requirement, while encompassing the requirement that the processing rest on one of the legal grounds set out in Article 7 of the DPD, extends to a broader notion of legitimacy. Notably, it also requires compliance with other applicable legislation, such as employment law, contract law and consumer law.
One factor which the Opinion highlights is the need for simplicity and ease of understanding for data subjects. Purpose specifications need not entail long and densely worded text, as this may do more harm than good. The Opinion suggests the use of multi-layered notices, whereby data subjects are given a general overview of the processing purposes in a concise and user-friendly manner, with more detailed information available, via links to other pages, for those who want it. This avoids excessive wording while ensuring that the essential elements are displayed and easy for everyone to find.
While clearly willing to enhance protection for data subjects, the Opinion also highlights the need for a balanced, case-by-case assessment of whether further processing is compatible with the stated purposes. It therefore allows some flexibility in the compatibility assessment, favouring a substantive assessment of the context and other circumstances of the original purpose over a purely formal comparison of wording. In order to arrive at an approach that is "neither too general so as to be meaningless, nor too specific so as to be overly rigid", the Opinion sets out that the assessment should be based upon:
- the relationship between the purposes for which the personal data have been collected and the purposes of further processing;
- the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use;
- the nature of the personal data and the impact of the further processing on the data subjects;
- the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
Example: general terms and conditions of a retail bank
One example that the Opinion offers is that of the general terms and conditions of a retail bank, which state, amongst other things, that the bank "will use the data to prevent fraud and abuse of the financial system, and to comply with legal obligations requiring that certain information is reported to the competent public authorities". One might assume that naming fraud prevention and compliance with legal obligations as the stated purposes would suffice, given the desire to avoid "overly legalistic" descriptions, but the WP held such a purpose to be "too general to serve as a useful specification of purpose".