Articles

Article 29 Working Party publishes opinion on purpose limitation principle

Article 29 Working Party publishes opinion on purpose limitation principle

Article 29 Working Party publishes opinion on purpose limitation principle

25.04.2013 BE law

On April 2, 2013, the Article 29 Working Party ("WP29") published an opinion that clarifies further the purpose limitation principle contained in Article 6 (1)b of the EU Data Protection Directive 95/46/EC.
The opinion focuses on the scope and limitations of this principle as well as its application in the context of big data and open data. WP29 also puts forth some recommendations to the proposed Data Protection Regulation.

1. Purpose limitation principle


The purpose limitation principle has two main building blocks: 
  • Personal data must be collected for a specified, explicit, and legitimate purpose (“Purpose Specification”);
  • Personal data collected for one or more purposes may not be further processed in a way that is incompatible with those initial purposes (“Compatible Use”).
2. Purpose specification

WP 291 considers that longer and more detailed specifications are not always necessary or helpful. In WP29’s opinion, very detailed descriptions may even be counter-productive at times.

In light of this, WP29 recommends that a “layered notice” approach be taken.  This means that key information is provided to data subjects in a very concise and user-friendly manner, while a second layer of additional information is provided for the benefit of those who require further clarification (perhaps via a link to a separate website).

3. Compatibility assessment

Further processing for a different purpose does not necessarily mean that this purpose is incompatible with the initial purpose.  According to WP29, compatibility needs to be assessed on a case-by-case basis.

WP29 identifies four (non-exhaustive) key factors that need to be considered for the compatibility assessment before there is any further use of personal data:
 
  • The relationship between the initial purposes for which the data have been collected and the purposes of the further processing;
  • The specific context in which the data have been collected and the reasonable expectations of the data subjects involved concerning the further use of their personal data;
  • The nature of the data and the impact of the further processing on the data subjects involved;
  • The safeguards adopted by the data controller to ensure fair processing and to prevent any undue impact on the data subjects.
The opinion provides 22 practical examples illustrating the concept and methodology of the compatibility assessment. These examples include assessment in the private and public sector, assessment of  sensitive and non-sensitive data, and a variety of processing in different contexts, such as from social networking websites and according to the Data Retention Directive.

4. Big data and open data

WP29 also draws attention to the specific safeguards that should be applied with regard to big data and open data.

Big data refers to the availability and automated use of large amounts of information which are then extensively analyzed by using computer algorithms. Big data can be used to identify trends and correlations, but its processing can also directly affect individuals, for example, by way of behavioral advertisements and tracking and profiling users for direct marketing purposes.

Therefore, WP29 concludes that an opt-in consent would almost always be necessary. In addition, for the consent to be valid, organizations should disclose their decision-making criteria in relation to the data and provide the data subjects with access to their ‘profiles’, as well as the algorithms used in developing their profile.

Open data refers to the data processing of public bodies that are involved in projects concerning the accessibility of information. In this respect, WP29 emphasizes the importance of anonymisation, aggregation, and data protection impact assessment to ensure necessary safeguards.

WP29 also announces that it is preparing a guidance document about open data which will address issues related to anonymisation, among other things.

5. Recommendations to the proposed Data Protection Regulation

Article 6 par. 4 of the current draft regulation lays down a very broad exception to the compatibility requirement, namely that the lack of compatibility can simply be remedied by identifying a new legal ground for the processing. This could in fact severely erode the purpose limitation principle. Therefore, WP29 recommends that the entire proposed paragraph 4 of Article 6 be removed.

WP29 also proposes that the four key factors (cfr. Par. 3 above) be integrated into Article 5 of the proposed Data Protection Regulation.

6. First remarks

This opinion is of great importance because not only does the purpose limitation principle affect all data controllers that process personal data in the EU but also the opinion provides a wealth of practical examples that put WP29’s guidelines into practice.

However, if WP29’s recommendations were adopted, it would become considerably more difficult for data controllers to process data for different purposes.

Finally, in this opinion WP29 once againencourages the use of so-called “layered privacy notices”. It appears that WP29 considers these type of notices as the way forward in informing data subjects.

The opinion can be found here.

Footnotes 
  1. An independent and advisory organization composed of representatives of the European data protection authorities, the European Data Protection Supervisor, and the European Commission. WP29 provides authoritative guidance on EU data protection rules.
  2. See, for example, the opinions WP 100, 160 and 202.

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

 

Team

Related news

10.04.2018 EU law
The External DPO: Controller or Processor?

Short Reads - The upcoming General Data Protection Regulation (GDPR) has caused many companies intense compliance headaches due to its comprehensive scope, far-reaching obligations and severe penalties. However, the new rules have also brought about a range of new economic opportunities, in particular through the creation of the roles of  Data Protection Officer (DPO) and EU-representative.

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring