On April 2, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) that elaborates on the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC (the “Data Protection Directive”). The Opinion analyzes the scope of this principle under the Data Protection Directive, clarifies its limits and makes recommendations to strengthen it in the proposed General Data Protection Regulation (the “Proposed Regulation”). It also focuses on how to apply this principle in the context of Big Data and open data.
The Opinion looks at both components of the purpose limitation principle: (1) the requirement that processing must be for a specified, explicit and legitimate purpose; and (2) the requirement that any further processing must be compatible with the original purpose for which the personal data were collected.
The Working Party provides a number of examples of what the “specified, explicit and legitimate” processing requirement means in practice. For example, according to the Working Party, vague purpose statements such as “improving user experience” or “marketing purposes” will, on their own, usually not suffice.
Multi-layered privacy notices are recommended, particularly in the context of online data collection. Key privacy information should be presented in a user-friendly and accessible manner while additional details should be available via links.
A central part of the Opinion addresses the “compatible use” requirement in the purpose limitation principle (i.e., when personal data may be processed for purposes other than those for which they were originally collected). In the Working Party’s view, a case-by-case analysis is required to determine whether further processing for a different purpose would be compatible with the original purpose. This analysis should take into account four key factors:
- the relationship between the purposes for data collection and the purposes for further processing;
- the context in which the data have been collected and the reasonable expectations of the data subjects regarding further use of the data;
- the nature of the data and the impact of the further processing on the data subjects; and
- the safeguards put in place by the data controller to ensure fair processing and prevent undue harm to data subjects.
Annex 4 of the Opinion includes 22 comprehensive examples of how this compatibility analysis can be carried out in practice. Among other issues, these examples address further processing in the context of marketing, automatic price discrimination, predicting purchasing habits by using algorithms, CCTV, health data, smart metering, location tracking via mobile phones, and the application of the Data Retention Directive.
Big Data and Open Data
As part of its analysis of compatible use, the Working Party also considers the potential impact of the purpose limitation principle on Big Data and open data.
Regarding Big Data, the Opinion identifies two scenarios: (1) when Big Data is analyzed to detect trends and correlations in the information, and (2) when the processing of Big Data directly affects individuals.
- In the first scenario, the data controller’s technical and organizational safeguards are paramount. The data controller needs to be able to achieve functionally separate processing of existing personal data for Big Data purposes as well as guarantee the confidentiality and security of the data.
- With respect to the second scenario, the Working Party considers that specific opt-in consent will almost always be necessary. This includes, for example, profiling that uses behavioral advertising, location-based advertising and tracking-based digital market research. According to the Working Party, organizations also should provide data subjects and consumers with easy access to profiles and disclose their underlying decision criteria.
The Working Party also states that the specific provisions of the Data Protection Directive relating to historical and statistical research are relevant to Big Data processing.
Regarding open data, the Working Party considers that the publication of personal data does not exclude the application of data protection law. Data protection law applies as soon as information relating to identified or identifiable individuals is processed, whether or not the information is publicly available.
In light of its purpose limitation analysis, the Working Party recommends two amendments to the Proposed Regulation:
- The key factors referred to above should be added to Article 5 of the Proposed Regulation to make the compatibility test to be more specific; and
- Article 6(4) of the Proposed Regulation should be deleted to eliminate a broad exception to the compatibility requirement that would severely restrict its applicability.
The Working Party’s purpose limitation Opinion is one of the most significant opinions published recently. It goes to the heart of data protection law and is relevant to virtually all data controllers processing personal data in the EU.