The Article 29 Working Party (the “Working Party”), the independent advisory body set up to make recommendations on all matters relating to the processing of personal data within the EU, has recently published an Opinion on the Principle of Purpose Limitation (the “Opinion”). The full Opinion is available here.
Purpose limitation protects data subjects by setting limits on how data controllers are able to use their data while also offering some degree of flexibility for data controllers.
The primary aim of the Opinion is to provide practical guidance on the application of the principle under the current legal framework. In it the Working Party analyse the elements of the principle, clarify its limits, and provide guidance on its application. Policy recommendations for the future such as changes to the proposed EU Data Protection Regulation are also included.
The principle of purpose limitation is set out in Art. 6(1)(b) of the EU Data Protection Directive (95/46/EC). It serves to protect data subjects by placing limits on how data controllers can use personal data and on any further processing of personal data already held. There are two central concepts or “building blocks” to this principle, namely, “purpose specification” and “compatible use”, each of which is considered below.
The first concept, purpose specification, dictates that the purposes for which data is collected must be “specified, explicit and legitimate”. These terms have been interpreted differently in various member states, which in turn can lead to confusion for data controllers operating in multiple jurisdictions. In an attempt to solve this, definitions for each of these terms are provided in the Opinion. It is stressed that the purposes for which data is collected must be precisely and fully identified prior to, and in any event no later than, the time when the collection of personal data occurs. In addition, data may only be used for the purpose or purposes for which it was originally collected.
“Specific” - According to the Working Party, this means that when the purpose is communicated to data subjects it must be “detailed enough to determine what kind of processing is and is not included within the specific purpose” and that data controllers “must not collect personal data which are not necessary, adequate, or relevant for the purpose or purposes which are intended to be served.”
“Explicit” - The Working Party are of the opinion that this term implies that the purposes must be unambiguous and “clearly revealed, explained or expressed in some intelligible form.” The explanation given “should leave no doubt or difficulty in understanding.”
“Legitimate” - The Working Party state that this is a broad requirement and means that the purposes must be “in accordance with the law generally”. Put simply, it implies that the data controller is required to justify any processing of personal data. As well as providing definitions, the Opinion also gives a number of helpful examples of purpose specification in practice. Interestingly, the Opinion states that vague purpose statements such as “marketing experiences” or “improving customer experiences” will not suffice.
The message underlying the second central concept, compatible use, is that personal data must not be “further processed in a way incompatible with” the purposes for which it was collected in the first place; it is stressed that such processing is “against the law and prohibited”. “Further processing” in this context covers any processing of data that occurs after its initial collection. Where the purpose has changed or was initially too vague or general, such purposes must be re-specified, and it may be necessary to provide the data subject with additional notice and an opportunity to opt in or opt out.
In the Working Party’s view, however, further processing for a different purpose is not automatically incompatible with the original purpose; rather, it is strongly recommended that compatibility be determined on a case-by-case basis. To accommodate this, the Opinion states that data controllers should undertake a “substantive compatibility assessment” and lays down the following four criteria to be taken into account:
- The relationship between the purpose for which the data has originally been collected and the purposes of further processing.
- The specific context in which the data has been collected and the reasonable expectations of the data subjects as to its further use. The Working Party make clear that the more specific and restrictive the context of collection, and the more unexpected or surprising the further use is, the more likely it is that it would be considered incompatible.
- The nature of the data and the impact of further processing on data subjects. The more sensitive the information involved, the narrower the scope for compatible use would be.
- The safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
Annex four of the Opinion includes over 20 examples illustrating how the compatibility assessment can be carried out in practice. These examples address further processing in the context of CCTV, automatic price discrimination, marketing, predicting purchasing habits by using algorithms and location tracking via mobile phones to name but a few.
Criticism of proposed regulation
Article 6(4) of the draft Data Protection Regulation attempts to provide a broad exception to the requirement of compatibility and would serve to remove the need for data controllers to undertake a compatibility assessment if they can justify the further processing of data on one of the legal grounds for lawful processing (set out in Article 6(1)). The Working Party believe that if this Article is adopted it may erode the principle of purpose limitation. They therefore call for its deletion from the Regulation and advise that the protection provided by the Directive ought to be maintained instead. While only time will tell whether the recommendation for the deletion of Article 6(4) will be taken on board, the proposal has certainly found favour among many commentators.
Big data & open data
As part of the compatible use analysis, the Opinion discusses the specific safeguards that should be applied in relation to big data and open data. Big data refers to the availability and automated use of large amounts of information which are then analysed extensively by using computer algorithms. It can be used to identify trends and correlations, but its processing can also directly affect individuals, for example, by way of behavioural advertisements and tracking or profiling users for direct marketing purposes. In short, if a company has collected customer data for other purposes and then wishes to “analyse or predict the personal preferences, behaviour and attitudes of individual customers” using big data techniques, the Opinion states that “free, specific, informed and unambiguous” opt-in consent will “almost always” be required.
As regards open data, the Working Party considers that the publication of personal data does not exclude the application of data protection law. Data protection law applies as soon as information relating to identified or identifiable individuals is processed, whether or not the information is publicly available.
The use of layered notices
The Working Party has once again advocated the use of multi-layered privacy notices, particularly in the context of online data collection. The idea is that the key information relating to privacy should be presented in an “accessible and user-friendly manner”, while any additional detail should be available via a link for those who require it. The Working Party consider that longer and more detailed specifications are not always necessary or useful; in fact, in its opinion, very detailed descriptions may even be counter-productive at times, and thus layered notices are favoured.
Impact & conclusions
The Working Party has now identified purpose limitation as one of the key data protection principles. Crucially, while they seek to strengthen its protection, they also recognise that it should not be applied in an overly rigid manner. Overall, the Opinion provides clarification and increased certainty in the interpretation of the Data Protection Directive and is of significance to all data controllers processing personal data within the EU.