On 2 April 2013, the Article 29 Data Protection Working Party (WP29), an independent European advisory body on data protection and privacy, adopted and published Opinion 03/2013 on purpose limitation (the Opinion). The Opinion analyses the principle of purpose limitation, provides guidance on and examples of its practical application, and makes recommendations for future policy.
Article 6(1)(b) of EU Data Protection Directive 95/46/EC (the Directive) provides for the principle of "purpose limitation" (the Principle). The Principle states that personal data must be collected for "specified, explicit and legitimate purposes" (purpose specification) and not be "further processed in a way incompatible" with those purposes (compatible use). In this way, the Principle aims to protect individuals’ personal data whilst recognising the need for some flexibility in respect of data controllers.
Article 7 of the Directive sets out a number of legal grounds on which personal data may be processed. These grounds include where consent is given, where the processing is necessary for the performance of a contract to which the data subject is a party, or where it is necessary for the purposes of the legitimate interests pursued by the controller. Through the draft general Data Protection Regulation (COM(2012) 11 final) (the Regulation), it has been proposed in Article 6(4) that incompatible further processing may be legitimised on the basis of one of the Article 7 legal grounds.
The Opinion provides useful definitions and examples of what purpose specification means in practice. In particular it defines its key terms as:
- Specified: the purpose must be "sufficiently defined to enable the implementation of any necessary data protection safeguards and to delimit the scope of the processing operation".
- Explicit: the purpose must be "sufficiently unambiguous and clearly expressed" so as to leave "no difficulty in understanding".
- Legitimate: according to WP29, legitimacy is broad and extends beyond the Article 7 legal grounds to all applicable law and codes of conduct/ethics, where relevant.
WP29 suggests that whether or not further processing is compatible should be assessed on a case-by-case basis, taking account of all relevant circumstances and the following key factors:
- The relationship between the purposes for which the personal data have been collected and the purposes of further processing.
- The context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use.
- The nature of the personal data and the impact of the further processing on the data subjects.
- The safeguards adopted by the data controller to ensure fair processing and to prevent any undue impact on the data subjects.
WP29 has advocated that Article 6(4) be removed from the proposed Regulation as it sees this provision as allowing further processing for incompatible purposes which may therefore erode the Principle. As such, WP29 proposes that data controllers should not be able to further process data already held on the basis of one of the Article 7 legal grounds and, instead, may only further process data on the basis of one of the stricter Article 13 grounds.
WP29’s Opinion provides useful clarification, consistency and increased certainty in the interpretation of the Directive, which should be welcomed by data subjects and data controllers alike. The Opinion recognises the Principle as one of the key data protection principles and seeks to strengthen its protection whilst recognising that its application should not be overly rigid.
The proposal for the deletion of Article 6(4) of the Regulation has been welcomed by many commentators.