The Article 29 Data Protection Working Party (“WP”) recently published Opinion 03/2013 on the principle of purpose limitation (“WP 203”). This principle effectively means that personal data should be processed for specific, explicit and legitimate purposes and should not be processed for further purposes which are incompatible with those original purposes. In addition to providing useful guidance on the application of this principle, WP 203 contains comments on how it is addressed in the draft Data Protection Regulation and on purpose limitation issues in connection with ‘big data’ and ‘open data’ initiatives.
According to the WP, a lack of harmonised interpretation of the principle of purpose limitation has resulted in divergent applications of this principle by Member States. On this basis, the guidance set out in WP 203, if followed by national data protection authorities, should bring greater consistency, which will be particularly welcomed by data controllers whose activities render them subject to data protection laws in multiple Member States.
In this opinion, the WP identifies and discusses two main ‘building blocks’ of the principle of purpose limitation: personal data must be collected for ‘specified, explicit and legitimate purposes’ (purpose specification) and personal data must not be ‘further processed in a way incompatible’ with those purposes (compatible use). Each constituent element of these ‘building blocks’ is analysed.
Perhaps the most important guidance regarding the application of this principle is given in relation to the manner in which compatibility is to be assessed. According to the WP, the assessment should be carried out on a substantive basis, taking into account all relevant circumstances, rather than on a narrower, more literal basis. Such an assessment should take into account four key factors:
- The relationship between the purposes for which the personal data have been collected and the purposes of further processing.
- The context in which the personal data have been collected and the reasonable expectations of the data subjects as to their future use.
- The nature of the personal data and the impact of the further processing on the data subjects.
- The safeguards adopted by the data controller to ensure fair processing and to prevent any undue impact on the data subjects.
Various examples are provided in which the WP emphasises that these factors, which are not exhaustive of the matters to be considered, are interrelated, such that deficiencies in relation to one factor may be compensated by strengths in relation to another. For example, particularly strong safeguards may compensate for a relatively loose relationship between the original purposes for which personal data were collected and the purposes of further processing.
The WP also comments on provisions of the draft Data Protection Regulation which are relevant to the purpose limitation principle and recommends that certain provisions should be amended or deleted to prevent the erosion of this principle. The WP is of the view that Article 6(4) of the draft Data Protection Regulation, in particular, should be deleted (this provision allows the further processing of personal data for purposes which are incompatible with the original purpose of the processing if the data controller can justify the processing on one of a number of grounds, including consent of the data subject, processing necessary for the performance of a contract or processing necessary for legitimate interests). This recommended change was not incorporated in the revised draft of the Regulation which was released by the Council of the European Union on 31 May 2013.
Having regard to the application of the principle of purpose limitation to ‘big data’ and ‘open data’, the WP notes that ‘complete’ anonymisation is becoming more difficult to ensure, due to advances in technology which may facilitate re-identification of individuals from supposedly anonymised data. On this basis, where a data controller intends to provide personal data for ‘big data’ or ‘open data’ purposes, careful consideration needs to be given to whether steps intended to anonymise or aggregate data, so that it will cease to be ‘personal data’, will be effective. If not, then the data controller will, amongst other things, need to carry out a compatibility assessment. The WP acknowledges the need for further guidance regarding anonymisation techniques and states that it intends to release an opinion in relation to this issue later this year.