Articles

Article 29 Working Party publishes opinion on purpose limitation principle

Article 29 Working Party publishes opinion on purpose limitation principle

Article 29 Working Party publishes opinion on purpose limitation principle

25.04.2013 BE law

On April 2, 2013, the Article 29 Working Party ("WP29") published an opinion that clarifies further the purpose limitation principle contained in Article 6 (1)b of the EU Data Protection Directive 95/46/EC.
The opinion focuses on the scope and limitations of this principle as well as its application in the context of big data and open data. WP29 also puts forth some recommendations to the proposed Data Protection Regulation.

1. Purpose limitation principle


The purpose limitation principle has two main building blocks: 
  • Personal data must be collected for a specified, explicit, and legitimate purpose (“Purpose Specification”);
  • Personal data collected for one or more purposes may not be further processed in a way that is incompatible with those initial purposes (“Compatible Use”).
2. Purpose specification

WP 291 considers that longer and more detailed specifications are not always necessary or helpful. In WP29’s opinion, very detailed descriptions may even be counter-productive at times.

In light of this, WP29 recommends that a “layered notice” approach be taken.  This means that key information is provided to data subjects in a very concise and user-friendly manner, while a second layer of additional information is provided for the benefit of those who require further clarification (perhaps via a link to a separate website).

3. Compatibility assessment

Further processing for a different purpose does not necessarily mean that this purpose is incompatible with the initial purpose.  According to WP29, compatibility needs to be assessed on a case-by-case basis.

WP29 identifies four (non-exhaustive) key factors that need to be considered for the compatibility assessment before there is any further use of personal data:
 
  • The relationship between the initial purposes for which the data have been collected and the purposes of the further processing;
  • The specific context in which the data have been collected and the reasonable expectations of the data subjects involved concerning the further use of their personal data;
  • The nature of the data and the impact of the further processing on the data subjects involved;
  • The safeguards adopted by the data controller to ensure fair processing and to prevent any undue impact on the data subjects.
The opinion provides 22 practical examples illustrating the concept and methodology of the compatibility assessment. These examples include assessment in the private and public sector, assessment of  sensitive and non-sensitive data, and a variety of processing in different contexts, such as from social networking websites and according to the Data Retention Directive.

4. Big data and open data

WP29 also draws attention to the specific safeguards that should be applied with regard to big data and open data.

Big data refers to the availability and automated use of large amounts of information which are then extensively analyzed by using computer algorithms. Big data can be used to identify trends and correlations, but its processing can also directly affect individuals, for example, by way of behavioral advertisements and tracking and profiling users for direct marketing purposes.

Therefore, WP29 concludes that an opt-in consent would almost always be necessary. In addition, for the consent to be valid, organizations should disclose their decision-making criteria in relation to the data and provide the data subjects with access to their ‘profiles’, as well as the algorithms used in developing their profile.

Open data refers to the data processing of public bodies that are involved in projects concerning the accessibility of information. In this respect, WP29 emphasizes the importance of anonymisation, aggregation, and data protection impact assessment to ensure necessary safeguards.

WP29 also announces that it is preparing a guidance document about open data which will address issues related to anonymisation, among other things.

5. Recommendations to the proposed Data Protection Regulation

Article 6 par. 4 of the current draft regulation lays down a very broad exception to the compatibility requirement, namely that the lack of compatibility can simply be remedied by identifying a new legal ground for the processing. This could in fact severely erode the purpose limitation principle. Therefore, WP29 recommends that the entire proposed paragraph 4 of Article 6 be removed.

WP29 also proposes that the four key factors (cfr. Par. 3 above) be integrated into Article 5 of the proposed Data Protection Regulation.

6. First remarks

This opinion is of great importance because not only does the purpose limitation principle affect all data controllers that process personal data in the EU but also the opinion provides a wealth of practical examples that put WP29’s guidelines into practice.

However, if WP29’s recommendations were adopted, it would become considerably more difficult for data controllers to process data for different purposes.

Finally, in this opinion WP29 once againencourages the use of so-called “layered privacy notices”. It appears that WP29 considers these type of notices as the way forward in informing data subjects.

The opinion can be found here.

Footnotes 
  1. An independent and advisory organization composed of representatives of the European data protection authorities, the European Data Protection Supervisor, and the European Commission. WP29 provides authoritative guidance on EU data protection rules.
  2. See, for example, the opinions WP 100, 160 and 202.

All rights reserved. Care has been taken to ensure that the content of this e-bulletin is as accurate as possible. However the accuracy and completeness of the information in this e-bulletin, largely based upon third party sources, cannot be guaranteed. The materials contained in this e-bulletin have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice and readers should not act upon the information contained in this e-bulletin without consulting legal counsel. Consultation of this e-bulletin will not create an attorney-client relationship between Stibbe and the reader. The e-bulletin may be used only for personal use and all other uses are prohibited.

 

Related news

26.02.2020 BE law
18 March 2020: Erik Valgaeren sheds a light on the legal perspectives of industrial data during a Beltug conference

Speaking slot - In this era of digitisation, data is often called the 'new gold' or 'oil'.  In our aim to gain more insights that will lead us to higher revenue, new market opportunities or new regions, we are analysing data at full throttle. But it needs to be handled with care, using a data architecture that follows your general strategy while ensuring solid security, quality, etc.

Read more

16.01.2020 BE law
24 January 2020: Carol Evrard participates in a panel session on Global Compliance at the CPDP conference in Brussels

Speaking slot - Stibbe is a long standing partner of the International Computers, Privacy and Data Protection Conference (CPDP) which takes place in Brussels between 22 and 24 January 2020 This year's theme is “Data protection and Artificial intelligence”. Carol Evrard, associate in our TMT team, participates in a panel organised by TrustArc (a privacy compliance technology company based in San Francisco, California) on "Changing Technology and Laws: Can Accountability be a Key to Global Compliance?"

Read more

21.02.2020 NL law
Podcast: Data en financiële instellingen

Short Reads - In deze podcast praten Roderik Vrolijk en Frederiek Fernhout van Stibbe in Amsterdam en Joran Iedema van Stibbe StartsUP-deelnemer Dyme over Fintech, PSD2 en het gebruik van data door financiële instellingen. Aan de ene kant biedt nieuwe regelgeving zoals PSD2 nieuwe mogelijkheden, aan de andere kant neemt de regeldruk en het toezicht op bescherming van persoonsgegevens toe.

Read more

15.01.2020 NL law
Consultatiereactie 'Wet plan van aanpak witwassen'

Short Reads - Soeradj Ramsanjhal, Karlijn van den Heuvel, Djoe Kuils, Rogier Raas, Judica Krikke en Muriël Rosing hebben een reactie ingediend op het concept wetsvoorstel ‘Wet plan van aanpak witwassen’. Dit wetsvoorstel is 2 december 2019 in consultatie gegaan en bevat verschillende voorgestelde wijzigingen van de Wet ter voorkoming van witwassen en financieren van terrorisme en de Wet op de economische delicten. 

Read more

This website uses cookies. Some of these cookies are essential for the technical functioning of our website and you cannot disable these cookies if you want to read our website. We also use functional cookies to ensure the website functions properly and analytical cookies to personalise content and to analyse our traffic. You can either accept or refuse these functional and analytical cookies.

Privacy – en cookieverklaring