On 2 April 2013, the Article 29 Working Party, a European advisory body for data protection law, published Opinion 03/2013 on purpose limitation (the “Opinion”). According to the Data Protection Directive (95/46/EC), the principle of ‘purpose limitation’ requires that the purposes for which personal data can be processed are limited to the purposes for which it was collected.
The Opinion seeks to ‘assess the principle of purpose limitation with the aim to offer guidance on its practical application’. However, it also suggests amendments to the proposals for reforming EU data protection law and addresses issues relating to purpose limitation in the context of Big Data and Open Data.
Big Data is a non-specific term which refers to massive databases, usually held by the likes of corporations, governments, and academic institutions. The number and size of these databases have been increasing at an exponential rate, and the data is usually analysed using computer algorithms. Big Data presents numerous risks from a regulatory standpoint, not only in relation to security (given the size and value of the database) but also with regard to issues such as transparency and accuracy. Furthermore, the algorithms used to analyse data may return results which are inaccurate, discriminatory or otherwise illegitimate (the Opinion gives the example of a computer drawing an incorrect inference and using that for marketing purposes).
The Opinion’s suggested safeguards for Big Data vary depending on the purpose and nature of the data processing. Where data is processed for the identification of trends and correlations, the data processor’s primary concern should be the confidentiality and security of data, and ensuring that the data is sufficiently anonymised if used for other purposes.
If the database relates to individuals (for example, in the case of a retailer wishing to analyse or predict customer preferences or habits to market to those persons), the data subject should have provided consent by way of an ‘opt-in’. Furthermore, that consent would have to be informed and unambiguous, and there should be the ability to request access to one’s own data and to the criteria by which decisions using that database profile are made.
Open Data is a term used to describe databases freely available to the general public. Often these are hosted by public bodies, institutions and non-profit organisations. In some cases such databases will include personal data and, unless fully anonymised, data protection law will continue to apply to any processing. In such cases it can be difficult to apply the principle of purpose limitation to a freely available database.
The Opinion suggests that publishers of Open Data:
- take care when publishing data;
- carry out in-depth data protection impact assessments before publication;
- ensure there is the required legal basis for publication;
- avoid open licences of any personal data unless compliance with data protection requirements can be ensured; and
- (if the data is to be licensed) strictly enforce any licences.
In January 2012, the European Commission published a proposal for a new data protection Regulation (the “Proposed Regulation”) to replace the current regime established under the Data Protection Directive. The Proposed Regulation contains many significant changes to the way data protection is regulated in the EU and, when enacted, will have direct effect across the EU. The Proposed Regulation is due to be adopted in 2014 and become effective in 2016.
The current draft of Article 5 of the Proposed Regulation sets out the principles relating to personal data processing. These principles include a purpose limitation requirement that personal data ‘must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes’.
In the Opinion, the Working Party proposes the addition of a new sub-paragraph to Article 5 which sets out the following relevant factors to be considered when deciding whether or not further processing is compatible with the personal data’s original collection:
- the relationship between the purpose of collection and the further processing;
- the context of collection;
- the nature of the personal data; and
- the controller’s safeguards to ensure fair processing.
The Working Party also proposes amendments to Article 6 (regarding the lawfulness of processing) to ensure it remains compatible with the proposed changes to Article 5.
Although the Opinion is not legally binding, the Working Party is influential and its views are persuasive. It will therefore be interesting to see the extent to which the Working Party’s recommendations for reform in the Opinion are reflected in the ongoing debate on the Proposed Regulation.