The Article 29 Data Protection Working Party has recently issued its opinion on the purpose limitation principle set out in the current EU Data Protection Directive and under review as part of the proposed new Data Protection Regulation. Purpose limitation is a key principle of data protection. The Opinion, which is of significance to all data controllers processing personal data within the EU, analyses the scope of the purpose limitation principle, provides guidance for its practical application under the current legal framework, and makes policy recommendations to strengthen it under the new regime.
The purpose limitation principle protects data subjects by placing limits on how data controllers can use their data, while also offering some degree of flexibility for data controllers. The concept has two main elements:
- personal data must be collected for “specific, explicit and legitimate purposes” (purpose specification)
- it must not be further processed in a way incompatible with those purposes (compatible use).
In carrying out a compatibility assessment, the Working Party urges an assessment of all the relevant circumstances of the case in order to determine whether the proposed further use may be considered compatible. In particular, the Working Party criticises current Article 6(4) of the draft Data Protection Regulation because it attempts to provide a very broad exception from the requirement of compatibility, which would in effect mean that a lack of compatibility could always be remedied by identifying a new legal ground for the processing.
A copy of the Opinion can be accessed here.