On April 2, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) that elaborates on the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC (the “Data Protection Directive”). The Opinion analyzes the scope of this principle under the Data Protection Directive, clarifies its limits and makes recommendations to strengthen it in the proposed General Data Protection Regulation (the “Proposed Regulation”). It also focuses on how to apply this principle in the context of Big Data and open data.
The Opinion looks at both components of the purpose limitation principle: (1) the requirement that processing must be for a specified, explicit and legitimate purpose; and (2) the requirement that any further processing must be compatible with the original purpose for which the personal data were collected.
Purpose Specification
The Working Party provides a number of examples of what the “specified, explicit and legitimate” processing requirement means in practice. For example, according to the Working Party, vague purpose statements such as “improving user experience” or “marketing purposes” will, on their own, usually not suffice.
Multi-layered privacy notices are recommended, particularly in the context of online data collection. Key privacy information should be presented in a user-friendly and accessible manner while additional details should be available via links.
Compatible Use
A central part of the Opinion addresses the “compatible use” requirement in the purpose limitation principle (i.e., when personal data may be processed for purposes other than those for which they were originally collected). In the Working Party’s view, a case-by-case analysis is required to determine whether further processing for a different purpose would be compatible with the original purpose. This analysis should take into account four key factors:
- the relationship between the purposes for data collection and the purposes for further processing;
- the context in which the data have been collected and the reasonable expectations of the data subjects regarding further use of the data;
- the nature of the data and the impact of the further processing on the data subjects; and
- the safeguards put in place by the data controller to ensure fair processing and prevent undue harm to data subjects.
Annex 4 of the Opinion includes 22 comprehensive examples of how this compatibility analysis can be carried out in practice. Among other issues, these examples address further processing in the context of marketing, automatic price discrimination, predicting purchasing habits by using algorithms, CCTV, health data, smart metering, location tracking via mobile phones, and the application of the Data Retention Directive.
Big Data and Open Data
As part of its analysis of compatible use, the Working Party also considers the potential impact of the purpose limitation principle on Big Data and open data.
Regarding Big Data, the Opinion identifies two scenarios: (1) when Big Data is analyzed to detect trends and correlations in the information, and (2) when the processing of Big Data directly affects individuals.
- In the first scenario, the data controller’s technical and organizational safeguards are paramount. The data controller needs to be able to achieve functionally separate processing of existing personal data for Big Data purposes as well as guarantee the confidentiality and security of the data.
- With respect to the second scenario, the Working Party considers that specific opt-in consent will almost always be necessary. This includes, for example, profiling that uses behavioral advertising, location-based advertising and tracking-based digital market research. According to the Working Party, organizations also should provide data subjects and consumers with easy access to profiles and disclose their underlying decision criteria.
The Working Party also states that the specific provisions of the Data Protection Directive relating to historical and statistical research are relevant to Big Data processing.
Regarding open data, the Working Party considers that the publication of personal data does not exclude the application of data protection law. Data protection law applies as soon as information relating to identified or identifiable individuals is processed, whether or not the information is publicly available.
Proposed Amendments
In light of its purpose limitation analysis, the Working Party recommends two amendments to the Proposed Regulation:
- The key factors referred to above should be added to Article 5 of the Proposed Regulation to make the compatibility test to be more specific; and
- Article 6(4) of the Proposed Regulation should be deleted to eliminate a broad exception to the compatibility requirement that would severely restrict its applicability.
The Working Party’s purpose limitation Opinion is one of the most significant opinions published recently. It goes to the heart of data protection law and is relevant to virtually all data controllers processing personal data in the EU.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code