The principle of purpose limitation protects data subjects by setting limits to the collection and further processing of their data. When an individual provides his or her personal data to a company or another organisation, he or she usually has certain expectations about the purposes for which the data will be used. There is a value in honouring these expectations and preserving trust and legal certainty. The principle of purpose limitation is regarded by the Article 29 Working Party as an important cornerstone of data protection.
Nevertheless, data that have already been gathered may be genuinely useful for other purposes, which are not initially specified. Therefore, there is also value in allowing, within carefully balanced limits, some degree of additional use. The principle of purpose limitation is designed to offer a balanced approach: an approach that aims to reconcile the need for predictability and legal certainty regarding the purposes of the processing on the one hand, and the pragmatic need for flexibility on the other.
In its latest Opinion (WP203), the Article 29 Working Party assesses the principle of purpose limitation with the aim of offering guidance on its practical application under the current legal framework. The Opinion highlights areas for improvement and provides recommendations with regard to the revision of the data protection reform package.
The principle of purpose limitation has two main building blocks: personal data must be collected for ‘specified, explicit and legitimate’ purposes (purpose specification) and not be ‘further processed in a way incompatible’ with those purposes (compatible use). Further processing for a different purpose does not necessarily mean that it is incompatible, but compatibility needs to be assessed on a case-by-case basis, taking into account all relevant circumstances.
The Working Party Opinion stipulates that, in particular, the following key factors need to be taken into account:
– the relationship between the purposes for which the personal data have been collected and the purposes of further processing;
– the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use;
– the nature of the personal data and the impact of the further processing on the data subjects;
– the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
Processing of personal data in a way incompatible with the purposes specified at collection is against the law and therefore prohibited. A data controller consequently cannot legitimise incompatible data processing simply by relying on a new legal ground, for example in the context of a new privacy policy or another government task.
Laurence Eastham writes:
Perhaps I am imagining things in my old age but I suspect that the draft Opinion had ‘Get Google’ as a working title. Notwithstanding that, this is an important Opinion. In an age of growth for Big Data, it deserves very close scrutiny and will worry a lot of commercial ‘users’ of data.