On 8 April 2013, the EU data protection authorities of the Article 29 Working Party announced that they had adopted an opinion on purpose limitation.

The principle of purpose limitation protects data subjects by setting limits to the collection and further processing of their data. When an individual provides his or her personal data to a company or another organisation, he or she usually has certain expectations about the purposes for which the data will be used. Purpose limitation protects data subjects by setting limits on how data controllers are able to use their data while also offering some degree of flexibility for data controllers. The concept of purpose limitation has two main building blocks: personal data must be collected for 'specified, explicit and legitimate' purposes (purpose specification) and not be 'further processed in a way incompatible' with those purposes (compatible use).

The Working Party stipulated that in particular the following key factors need to be taken into account:

  • the relationship between the purposes for which the personal data have been collected and the purposes of further processing;
  • the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use;
  • the nature of the personal data and the impact of the further processing on the data subjects;
  • the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects.

The Working Party concluded that processing of personal data in a way incompatible with the purposes specified at collection is against the law and therefore prohibited. Companies who process personal data of EU residents (and who are deemed to be data controllers) should therefore be aware that they cannot, according to the Working Party, legitimise incompatible data processing by simply relying on a new legal ground, such as, for example, in the context of a new privacy policy or another government task.

The guidance went further and analysed the consequences under the proposed draft Data Protection Regulation. One of the provisions the Working Party considered was Article 6(4), which provides a broad exception from the requirement of compatibility. The Working Party concluded that this provision would severely restrict its applicability and risk eroding the key principle of purpose limitation; it therefore recommended that the proposed paragraph 4 should be deleted. A number of other recommendations were proposed.

Although the Working Party's recommendations are not binding, it remains to be seen whether they will be adopted by legislators and policy makers.

The press release can be found here and the full Opinion 03/2013 on purpose limitation can be found here.