The European Union’s Article 29 Data Protection Working Party (“WP29”), which consists of the 27 data protection authorities of the EU Member States, has published the “Opinion 03/2013 on purpose limitation” (Working Paper WP203), adopted on 2 April 2013 (the “Opinion”). The WP29 analyzes and interprets the elements of this principle, and gives numerous examples with practical guidance for valid notices, consents, and further compatible uses.
Concept of Purpose Limitation
According to Art. 6(1)(b) of the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data (the “Directive”), the principle of purpose limitation consists of two building blocks. Personal data must:
- be collected for specified, explicit, and legitimate purposes (purpose specification), and
- not be further processed in a way incompatible with those purposes (compatible use).
In its present Opinion, the WP29 analyzes these key principles of the Directive and provides specific guidance on their practical application. It further identifies areas for improvement and sets forth recommendations for the future (also considering necessary changes to the proposed EU Data Protection Regulation to strengthen the principle).
The WP29 highlights, in particular, that purposes must be:
- “specific” (i.e., precisely and fully identified prior to, and in any event, no later than the time when the collection of personal data occurs);
- “explicit” (i.e., clearly revealed, explained, or expressed in an unambiguous way); and
- “legitimate,” which must be interpreted within the context of the processing and extends also to other areas of law.
The WP29 emphasizes that any further processing of personal data in a way incompatible with the purposes specified at collection is against the law and prohibited.
However, the Opinion sets forth that further processing for a different purpose is not necessarily incompatible. Rather, compatibility needs to be determined on a case-by-case basis by taking into account the following key criteria:
- “the relationship between the purposes for which the personal data have been collected and the purposes of further processing”;
- “the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use”;
- “the nature of the personal data and the impact of the further processing on the data subjects”; and
- “the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects”; for instance, technical or organizational measures (such as anonymization or pseudonymization of data) or additional benefits for the data subject.
According to the WP29, where a purpose has changed or has initially been too vague or general, such purposes must be re-specified, and—depending on the circumstances and the legal grounds for processing—it may be necessary to provide the data subject with additional notice and an opportunity to opt-in or opt-out.
Unsolicited Communications, Processing for Historical, Statistical, or Scientific Purposes
The Opinion further analyzes specific applications of the compatibility assessment, such as processing with regard to unsolicited communications (see Art. 13 of the ePrivacy Directive) or processing for historical, statistical, or scientific purposes (see Art. 6(1)(b) of the Directive).
Big Data and Open Data
As an essential part of its Opinion, the WP29 calls attention to the challenges of applying the compatibility test in the context of big data and open data. The WP29 emphasizes the need for a “rigorous but balanced and flexible application of the compatibility test.”
Considering the risks posed by big data, the WP29 specifically recommends adopting certain safeguards to ensure compatibility, such as
- ensuring the functional separation of the processing and guaranteeing confidentiality and security of the data (in case of analyzing big data to detect trends and correlations), or
- obtaining informed opt-in (in case of processing that may directly affect the individual, such as profiling for targeted and location-based advertising).
The WP29 further states that allowing data subjects to have direct access to their data in a portable, user-friendly format may also help to balance the benefits of big data between large corporations and the individual and minimize unfair or discriminatory practices (for example, user-friendly access to information about energy consumption may enable the data subject to make an informed decision on switching tariffs and/or monitor and change consumption habits).
In the annexes to its Opinion, the WP29 provides very useful practical examples which illustrate the principles of purpose specification and compatibility assessment.
Annex 3 inter alia provides guidance on:
- how purpose specification needs to be adapted to the context of the situation;
- where more detail is needed in case of ambiguities or for processing beyond what is customary in a given context;
- purposes that are too vague or too general:
  - according to the WP29, the following will—without more detail—usually not suffice:
    - “improving user experience,”
    - “marketing purposes,”
    - “IT security purposes,” or
    - “future research”;
- the concept of layered notices:
  - in particular in an online context, the WP29 recommends presenting key information in a concise and user-friendly manner (such as by displaying an icon) while making more detailed information—on the next layer—accessible via links; and
- how to break down more general purposes into “sub-purposes”:
  - the WP29 provides the example of breaking down “processing an individual’s claim for a social benefit” into sub-purposes, such as verifying the individual’s identity, carrying out various eligibility checks, or checking other benefit agencies’ records.
Annex 4 contains further practical examples—moving from simple and straightforward cases towards more complex ones—that illustrate how a substantive compatibility assessment may be carried out. The various examples include, for instance, processing of data in the context of marketing, CCTV, the transfer of results of pre-employment medical examination, the use of algorithms to predict pregnancy of customers from purchasing habits, the use of mobile phone locations to inform about traffic calming measures, the use of passenger name records, the processing of smart metering data for tax purposes or to detect fraudulent use, or the application of the Data Retention Directive.