By Ezra Steinhardt and Oliver Grazebrook
On April 2, the Article 29 Working Party (the “Working Party”) approved a new Opinion on a principle of European data protection law known as the “purpose limitation”. The principle (which stems from Article 6(1)(b) of the Data Protection Directive) requires that data controllers only collect data for “specific”, “explicit” and “legitimate” purposes, and not process the data for further purposes that are incompatible with the purposes for which data were originally collected. As each of these terms have been interpreted differently in different Member States, causing potential confusion for data controllers operating in multiple jurisdictions, one of the main aims of the Working Party paper is to provide clearer, more harmonized interpretations of the principle. The paper also aims to generally clarify the current legal framework and assist policy makers in drafting the new EU data protection legal framework, and offers guidance on specific scenarios (such as so-called “Big Data” processing).
Specified, explicit and legitimate purposes
As mentioned above, the purpose limitation principle requires that personal data must be collected “for specified, explicit and legitimate purposes.” The Working Party defines these three key terms:
- Specified. In the Working Party’s view, this means that prior to, or at the point of collecting the personal data, the controller must “carefully consider what purpose or purposes the personal data will be used for, and must not collect personal data which are not necessary, adequate or relevant for the purpose or purposes which are intended to be served.” When the purpose is communicated to data subjects, it must be “detailed enough to determine what kind of processing is and is not included within the specified purpose.” The Working Party recommends that controllers use “layered notices” to deliver information concisely, and that controllers avoid using vague purposes such as “marketing purposes” or “to improve the customer experience.”
- Explicit. In the Working Party’s view, this means that prior to, or at the point of collecting the personal data, the purposes must be “clearly revealed, explained or expressed in some intelligible form.” The explanation “should leave no doubt or difficulty in understanding.” The explanation can be made in different forms, and writing “can be helpful, or even necessary, in many circumstances.” In deciding whether a data controller has complied, the controller should not be able to rely on a “carefully crafted document prepared by the controller’s lawyers,” but “all factual elements, as well as the common understanding and reasonable expectations of the data subjects based on such facts, shall be taken into account to determine the actual purposes.”
- Legitimate. In the Working Party’s view, this requirement is broad-based, and means generally that purposes must be “in accordance with the law” generally (i.e., legislation, common law, constitutional principles, etc.). The term may even take into account some non-legal requirements, such as those found in codes of conduct and ethical policy documents. Interestingly, the Working Party notes that what is viewed as “legitimate” may change over time as society’s expectations change and evolve.
The second primary requirement of the purpose limitation principle is that data collected shall “not be further processed in a way incompatible with those purposes.” When controllers seek to assess whether purposes are incompatible or not, the Working Party recommends that controllers undertake a “substantive assessment,” that takes into account the way the purposes “are (or should be) understood, depending on the context and other factors,” rather than a formal assessment that looks at how purposes are defined (generally) in writing. In such assessments of compatibility, the Working Party recommends that controllers consider:
- The relationship between the purpose for which the data have been originally collected and the purposes of further processing. This means that controllers should consider how “similar” the new purpose would be to the old ones. The chance that the new purpose is incompatible increases as similarity diminishes.
- The context in which the data have been collected and the reasonable expectations of the data subjects as to their further use. The Working Party makes clear that he more specific and restrictive the context of collection, and the more unexpected or surprising the further use is, the more likely it is that it would be considered incompatible.
- The nature of the data and the impact of the further processing on the data subjects. The Working Party states that the more sensitive the information involved, the narrower the scope for compatible use would be.
- The safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects. Interestingly, the Working Party also states that additional safeguards, designed to prevent undue impacts on data subjects, may help to “compensate” for changes in purposes for which data is processed, and/or for the fact that purposes were not specified with sufficient clarity when the data were collected. Examples of safeguards include technical or organisational safeguards to ensure functional separation, or providing a re-specification of purpose, or requesting separate consent for new processing.
Data Protection Regulation
The Working Party also uses the Opinion to advocate for a revision to be made to the EU’s current “General Data Protection Regulation” proposal that would, if enacted, replace the Data Protection Directive. Under the current Directive, failure to comply with the compatibility requirement is unlawful and can have serious consequences.
However, under current proposals for Article 6(4) of the General Data Protection Regulation, a controller would be able to change the purposes for which it processes data to a purpose that is incompatible, provided that the processing meets at least one of the grounds for lawful data processing set out in Article 7 of the Regulation (except for the “legitimate interest” grounds). The Working Party notes that this loophole effectively goes “against the spirit of the purpose limitation principle and remove[s] its substance”, and advocates for European legislators in the Council and Parliament to remove Article 6(4) of the General Data Protection Regulation from future drafts.
The Opinion also specifically provides guidance to so-called “Big Data” activities (analysis of large datasets). In short, if a company has collected customer data for other purposes, then if it wishes to “to analyze or predict the personal preferences, behaviour and attitudes of individual customers” using Big Data techniques, the Working Party states that “free, specific, informed and unambiguous” opt-in consent will “almost always” be required.