Purpose limitation principle
On 28 November 2019, the Belgian Data Protection Authority imposed two administrative fines of EUR 5,000 each. One fine was imposed on a mayor who had initially received the contact details of 476 individuals who had resorted to the mayor between 2012-2018 and then reused this data in 2018 for his electoral campaign. The second fine was imposed on an alderman who had sent an electoral campaign letter to a list of clients consisting of 654 individuals, which he had obtained while concurrently carrying on an activity unrelated to his public office as an alderman. In both cases, the infringement concerned the re-use of personal data for purposes which were deemed incompatible with the purpose for which the data were initially collected.[1]
On 13 December 2019, the Romanian Data Protection Authority applied a reprimand to a controller, among other things, for the infringement of the purpose limitation principle, the controller having illegally processed the personal data of a former employee by using them in an e-mail correspondence for corporate business activities after the termination of the employee’s contractual relationship.[2]
All these cases mirror a very important data processing principle – the purpose limitation, regulated under Article 5 (1)(b) of EU Regulation 2016/679 of the European Parliament and of the Council („GDPR”). The purpose limitation principle has two components: (i) purpose specification, according to which personal data should only be collected for specified, explicit and legitimate purposes; and (ii) compatible use, according to which further processing must not be incompatible with the purposes for which personal data were initially collected. In our case, the latter component of the principle is of interest for this analysis.
It must be said that purpose limitation is not a novelty introduced by GDPR. Rather, it is a phoenix rising from the ashes of the OECD Guidelines, para. (9) (1980), Convention 108, article. 5 let. (b) (1981), Directive 95/46/EC, article 6 para. (2), let. b) (1995), the European Union Charter of Fundamental Rights, article 8, para (2) (2000) and other documents. However, the GDPR comes with a nuance as far as the purpose limitation is concerned: rather than imposing a requirement of compatibility, the legislator chose a double negation: it prohibited incompatibility. By setting forth that any further processing is authorized as long as it is not incompatible (and if the requirements of lawfulness are also simultaneously fulfilled), it would appear that the legislators intended to allow for some flexibility with regard to further use. Such further use may fit closely with the initial purpose or it may be different. The fact that further processing has a different purpose does not necessarily mean that it is automatically incompatible: this needs to be assessed on a case-by-case basis[3] as we will show below.
As specifically regards the second component of the principle, there are two divergent interests when further processing personal data. On the one hand, the data subjects’ expectations, trust and legal certainty when they share their personal data. The goal of this principle is not to let a one-time legitimization of data processing provide an unlimited further processing of data. On the other hand, from controllers’ point of view, data that have already been gathered may also be genuinely useful for other purposes, not initially specified, but further identified as long as innovation, competition and marketing evolve.
2. Further processing and its lawful grounds
Further processing of personal data means the processing of personal data for a purpose other than that for which they were initially collected. It is important to note that when setting out the requirement of compatibility, GDPR does not specifically refer to processing for the „originally specified purposes” and processing for „purposes defined subsequently”. Rather, it differentiates between the very first processing operation, which is collection, and all other subsequent processing operations (including, for instance, the very first typical processing operation following collection – the storage of data).[4]
There are three key mechanisms for further processing: (a) the consent of the data subjects – no need for purpose compatibility; (b) a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) – no need for purpose compatibility ; (c) a compatibility assessment that demonstrates the compatibility of such further processing with the initial purpose. The third mechanism in particular is relevant for this analysis.
In addition to the compatibility assessment which we will analyze below, there are additional aspects that should be considered in the context of further processing. One such aspect is the need to establish which is the lawful basis for further processing, given that in itself, this assessment is not mentioned among the grounds set forth under article 6 para. (1) of GDPR: consent, contract, legal obligation, vital interests, public task and legitimate interest as lawful bases). However, there are opinions according to which compatibility ascertaining is an independent lawful basis.
When setting forth such a lawful basis, the following aspects need to be considered:
a. there is no need to assess compatibility and debate about the lawful basis when further processing is based on either the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) (Article 6 para. (4) of GDPR);
b. no separate legal basis, other than that which allowed for the collection of personal data, is required (pursuant to Recital 50 of GDPR), although it is possible. This means that further processing of personal data should be based either on the initial lawful ground(s) or on other lawful ground(s), except for those provided under letter a) above.
c. controllers must meet all the requirements for the lawfulness of the original processing (pursuant to Recital 50 of GDPR).
3. Assessment of purpose compatibility. How closely related should the purposes be?
First, it is important to stress that there are some purposes presumed by the law to be compatible with the initial purposes and no assessment of compatibility is required:
a. archiving purposes in the public interest; scientific or historical research purposes; statistical purposes (article 5 para. (4) of GDPR). The former Article 29 Working Party (“Working Party”) was of the opinion that statistical purposes cover a wide range of processing activities, from commercial purposes (e.g. analytical tools of websites or big data applications aimed at market research) to public interests (e.g. statistical information produced from data collected by hospitals to determine the number of people injured as a result of road accidents).[5]
b. if processing is necessary for the fulfilment of a task carried out in the public interest or in the exercise of the official authority vested in the controller, the Union or Member State law may determine and specify the tasks and purposes for which further processing should be regarded as compatible and lawful (recital 50 of GDPR).
Secondly, for other situations, according to article 6 para. (4) of GDPR, the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, consider, inter alia:
a. any link between the purposes for which the personal data have been collected and the purposes of the intended further processing. According to the Working Party, generally, the greater the distance between the purposes of collection and further use, the more problematic it is from a compatibility perspective. Also, this should not only be seen as a textual issue (how the language of the initial purpose compares to the purposes of further processing). The focus should rather be on the substance of the relationship between the purposes of collection and the purposes of further processing;
b. the context in which the personal data have been collected, in particular the relationship between data subjects and the controller. The Working Party emphasizes the need to look at the nature of the relationship between the data controller and the data subject and the balance of power, which includes not only the information provided to the data subject, but also a consideration of what would be a customary and generally expected practice in the given (commercial or otherwise) relationship;
c. the nature of the personal data, in particular whether special categories of personal data are processed. The Working Party confirms that, generally, the more sensitive the information involved, the narrower the scope for compatible use;
d. the possible consequences for data subjects of the intended further processing. The Working Party confirms that in assessing the impact of further processing, both positive and negative consequences should be taken into account. These may include potential future decisions or actions by third parties and situations where the processing may lead to the exclusion or discrimination of individuals. In addition to adverse outcomes that can be specifically foreseen, emotional impacts also need to be taken into account, such as the irritation, fear and distress that may result from a data subject losing control over personal information.
e. the existence of appropriate safeguards, which may include encryption or pseudonymization. The Working Party views this factor as providing data controllers with an opportunity to compensate for any deficiencies that might be highlighted in the other criteria listed above.
An inherent characteristic of a multi-factor assessment is that deficiencies at certain points may in some cases be compensated by a better performance in other aspects. This is why the fourth and last factor looks at the safeguards that have been applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects. Also, as technology, society and business practices continue to evolve, it is possible that certain factors may become more or less important and may require specific attention when assessing compatibility.[6]
The Working Party further distinguishes between formal or substantive assessment. A formal assessment will compare the purposes that were initially provided, usually in writing, by the data controller, with any further purposes in order to find out whether these purposes were covered (explicitly or implicitly). On the other hand, a substantive assessment will go beyond formal statements to identify both the new and the original purpose, taking into account the way they are (or should be) understood, depending on the context and other factors. In the opinion of the Working Party, the second method is more flexible and pragmatic, but also more effective.[7]
4. Assessment results
Purposes are incompatible. In the event that the different purposes did not pass the compatibility test, the intended further processing would be considered as a new data processing operation unrelated to the original purpose and the data controller should both identify and document a new lawful basis and re-collect the personal data. As a result, due to the compatibility requirement, a data controller that does not successfully pass the compatibility test, either (i) requests data subjects to provide the same data multiple times if required for multiple, yet incompatible purposes, which is a very difficult standard to meet from a practical perspective, or (ii) processes the data based on the consent of the data subject (obtained for each purpose) or (iii) processes the data based on a legal obligation, if any. Also, the infringement of the purpose limitation principle can result in fines of up to Euro 20 million or 4 % of the worldwide annual turnover
Example: Data collected for recruitment or employment purposes should not be used for commercial purposes such as marketing the controller’s products among its employees. This would represent a purpose incompatible with the original one.
Purposes are compatible. If the different purposes did pass the compatibility test, the controller can proceed to further processing of personal data, but it is also recommended to look at adequate safeguards and compensation measures, as we will show below.
Example: A client has entered into a contract with a bank in order to open a bank account and take a personal loan. At the end of the first year the bank uses the client’s personal data to check whether they are eligible for a better type of loan and savings scheme. It informs the client. The bank can process the client’s data again as the new purposes may be deemed compatible with the initial purposes.
5. Safeguards and compensating measures
In order to overcome the shortcomings of the compatibility mechanism, a couple of measures can be implemented by the controller. It is self-evident that the greater the distance between goals, the more effective and serious the compensatory measures should be. In other words, the compensatory measures should be directly proportional to the distance between goals. Also, we consider that the guarantees offered in the context of further processing should have at least the same level of safeguards as the guarantees offered during the initial processing.
Examples of technical and organizational measures: full or partial anonymization, pseudonymization, aggregation of the data, privacy enhancing technologies, as well as other measures.
Examples of additional steps taken for the data subject’s benefit: increase transparency through disclosure of the compatibility assessment and methodology; allow individuals the possibility to object to the controller’s compatibility assessment (opt-out), as well as other measures.
6. Conclusion
The importance of purpose limitation arises from its duality – a safeguard for data subjects and a possible carte blanche for controllers. In particular, it aims to achieve a balance between the colliding fundamental rights of the data controller and of the data subject. Moreover, the purpose limitation principle is particularly important, since every aspect of processing and any other principles should be seen in the light of the purposes of processing.
Therefore, further processing requires at least an initial lawful processing, subsequent goals compatible with the initial goals, compatibility proved and supported by the compatibility test and, as a recommendation, appropriate compensation measures should be implemented, usually directly proportional to the distance between goals.
[1] https://www.autoriteprotectiondonnees.be/news/la-chambre-contentieuse-sanctionne-deux-candidats-aux-elections-communales-de-2018;
[2] https://www.dataprotection.ro/index.jsp?page=O_noua_sanctiune_pentru_incalcarea_RGPD_2020_3&lang=en
[3] Article 29 data protection working party, Opinion 03/2013 on purpose limitation, adopted on 2 April 2013, p.21;
[4] Article 29 Data Protection Working Party, Opinion 03/2013 on purpose limitation, adopted on 2 April 2013, p.21;
[5] Article 29 Data Protection Working Party, Opinion 03/2013 on purpose limitation, adopted on 2 April 2013, p.29;
[6] Article 29 data protection working party, Opinion 03/2013 on purpose limitation, adopted on 2 April 2013, p. 27;
[7] Article 29 data protection working party, Opinion 03/2013 on purpose limitation, adopted on 2 April 2013, p. 21-22.
Monica Iancu, BONDOC ȘI ASOCIAȚII
Vasile Soltan, BONDOC & ASOCIAȚII
