Yesterday, the Article 29 Working Party ("WP29"), composed of representatives of the European data protection authorities, the European Data Protection Supervisor and the European Commission, published an opinion on the purpose limitation principle when processing personal data. The WP29's opinions provide authoritative guidance on EU data protection rules. To access the opinion, please click here.
1. Purpose limitation principle
Personal data may only be collected for specified, explicit and legitimate purposes. Once data are collected they may not be further processed in a way that is incompatible with those purposes. This is called the purpose limitation principle.
The assessment whether or not further use of data is compatible should be made in each situation where further use is considered, according to the WP29. In this opinion, guidance and practical examples are provided on compatibility and incompatibility for further use of personal data.
2. Proposed compatibility assessment
The WP29 proposes that a compatibility assessment is made prior to any further use of personal data. The compatibility assessment should at least take into account:
- The relationship between the purposes for which the data have been collected and the purposes of further processing;
- The specific context in which the data have been collected and the reasonable expectations of the individuals involved as to further use;
- The type of the data and the impact of the further processing on the individuals involved;
- The safeguards applied by the data controller to ensure fair processing and to prevent any undue impact on the individuals involved.
3. Regarding big data and open data
The WP29 specifically discusses various safeguards that should be applied with regard to big data and open data.
Big data refers to the availability and automated use of large amounts of information. The WP29 finds that opt-in consent would almost always be required for further use regarding e.g. behavioural advertisements and tracking and profiling for direct marketing. Furthermore, in order to obtain a valid consent, organisations should disclose their decision criteria, including the algorithm used to create a profile.
Open data in this regard refers to data processed by public bodies in projects on accessibility of information. The WP29 stresses i.a. the importance of anonymisation, aggregation and the use of privacy impacts assessment to ensure necessary safeguards. The WP29 mentions that it is preparing a guidance document on open data, which will address, among other things, issues related to anonymisation.
4. WP 29 proposed amendments to draft Data Protection Regulation
The WP29 also proposes amendments to the draft Data Protection Regulation regarding purpose limitation. The current draft provides for the possibility to remedy a lack of compatibility between original processing and further use where there is a new legal ground for the further use (not being legitimate interest). The WP29 is of the opinion that a change of purpose in a processing should only be allowed in case of a favourable outcome in a (prescribed) compatibility assessment. The WP29 proposes to amend the draft Data Protection Regulation in this regard.
5. First remarks
The WP29 in this opinion provides practical examples and guidance in determining to what extent further use of personal data is allowed.
However, we note that if the WP29's proposed amendment were to be adopted, it may become considerably more difficult for data controllers to process data for further use in the future.
Moreover, in this opinion, the WP29 again (like in its recent opinion WP 202 on apps on smart devices) encourages the use of so-called 'layered privacy notices' to inform individuals involved. This means that first a layer of basic information is offered in a concise and user-friendly manner and a second layer of additional information can be reviewed at request, e.g. on a separate website. It appears that the data protection authorities consider layered privacy notices the way forward to inform individuals.