DATA PROTECTION
2. CENTRAL DATA PROTECTION CONCEPTS
2.3 DATA PROTECTION PRINCIPLES AND THE PURPOSE LIMITATION PRINCIPLELIMITATION PRINCIPLE
Data protection principles are often considered the backbone of the data protection regime.484 All processing of personal data must be carried out in accordance with the data protection principles. The Data Protection Directive did define six principles relating to data quality. These principles were derived from the European Data Protection Convention.485 The data protection principles have been maintained in the GDPR. While the core idea has not changed, some differences in emphasis
484 See for instance S. K. Karanja, Transparency and Proportionality in the Schengen Information System and Border Control Co-operation, (Leiden, 2008) 135–136.
485 Convention 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data. In the English version, principles are called criteria, however, in French, Finnish and Swedish versions they are clearly named principles.
occur. The new principle of accountability stresses the controller’s responsibility, and the need to process personal data in a transparent manner has been underlined.486
The concepts of principle and rule were studied in Chapter I of this thesis. It was discovered that arguments founding the underlying principles are arguments aiming to establish individual rights. Another characteristic feature of principles is dimension. It is precisely the dimension of principles which allows balancing, instead of applying them in an all-or-nothing manner as rules are to be applied.487
It has been argued, that data processing which does not comply with these principles is illegitimate.488 It was earlier established that principles do not function in an all-or-nothing manner. This leads to a question whether of these principles should actually be considered rules in the sense of Alexy and Dworkin even if named principles. This argument is further supported by Article 23 of the GDPR, which empowers the national and Union legislator to derogate from the data protection principles in certain situations. The need for such empowerment is debatable if data protection principles were duly principles as they are understood in this thesis. Thus, the precise nature of these concepts remains unclear. They do contain principle-like features, but their nature approaches rules to certain extent. However, they will be called principles as this is the vocabulary adopted in the European data protection legislation. The data protection principles have been further specified in the national legislation of some Member States. For instance, in the United Kingdom, the former Data Protection Act defined eight data protection principles.489
Next, the most relevant principle for the purposes of this thesis will be studied.
This is the purpose limitation principle, which supports some specific data protection rules. The actual content of the principle must be drawn from the data protection rules which it supports. The principle of proportionality is not elaborated in this section. The issues related to proportionality are elaborated on more general level in this thesis.
The purpose limitation principle is one of the corner-stones of the European data protection framework. It sets boundaries for the processing of personal data. The core idea of the purpose limitation principle is that personal data may be processed only for the purposes for which it was originally collected. This principle is also the root of one of the key issues which needs to be solved in the relationship with access to documents legislation.
486 Proposal for a Regulation of the European Parliament and the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM (2012) 11 final.
487 See Chapter I.
488 S. K. Karanja, Transparency and Proportionality in the Schengen Information System and Border Control Co-operation, (Leiden, 2008) 135.
489 The GDPR does not leave similar margin for member states. The nature of the legal instrument does not allow national implementation in this regard.
Before engaging in more detailed discussion of the purpose limitation principle, it must be acknowledged that the structures of data processing are changing and the consequences of this change have not yet been duly reflected in the European data protection regime. While personal data was traditionally collected in specific databases, vast data flows are now taking the place of traditional data files. And even more importantly, different big data applications are commonly used by certain stakeholders. The sustainability of the traditional data protection principles has not been properly tested in this changing environment yet. However, this intriguing issue will be set aside when assessing the purpose limitation principle.
The purpose limitation principle has been laid down in different European data protection instruments. Consequently, it should exist in Member States’ national legislations.490 After May 2018, it follows directly from the GDPR. The formulation might vary in different instruments, but the core idea remains the same. The EU Institutions’ Data Protection Regulation sets the purpose limitation principle in Article 4(b) which states that “personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. This was very similar to the former Data Protection Regulation and former Data Protection Directive, which the GDPR did not change.
The purpose limitation principle can be addressed in several ways. The weight can be, for example, on the aim of the said principle. It has been suggested that the principle has two aims: firstly, the data subject must be informed of the purpose of the processing, and secondly, the personal data cannot be used later on for purposes incompatible with the original purpose.491 This is, indeed, one way to perceive this principle. However, this section will examine the principle from a different angle.
The purpose limitation principle contains three elements, which will be analyzed.
First, the purpose of the data collection must be specified. Second, the purposes for the collection must be both explicit and legitimate. And third, further processing of the personal data cannot be incompatible with the original purpose of the data collection.492 These elements do also cover the two aims mentioned earlier.
2.3.1 SPECIFICITY
The data processing purposes should be defined before the personal data is collected.
Only personal data which is necessary, adequate and relevant for the processing
490 For instance, the former Finnish Personal Data Act includes an article concerning the defined purpose of processing and another article relating to exclusivity of purpose.
491 C. Kuner, European Data Privacy Law and Online Business, (Oxford, 2003) 59–61.
492 For further processing and compatible processing purposes, see case C-536/15, Tele2 (Netherlands) and others, ECLI:EU:C:2017:214, paras 34–40.
purposes may be collected.493 In other words, first the controller has to know why the personal data will be collected and thereafter the controller can only collect data that is necessary for the said purpose.
Processing purposes should not be defined in a wide manner, even if this might seem tempting when all the possible scenarios for further processing are not evident at the time of the data collection. It is possible to have several processing purposes for the data collection though. In such cases each processing purpose should be separately and specifically defined according to Working Party 29.494
The requirement to process personal data for specific purposes is also apparent in the Schrems case, even if the CJEU did not underline this in its reasoning but rather argued the case based on proportionality. The personal data transferred to the United States was not processed for the specific commercial purposes for which it was initially collected when the local authorities had vast rights to access this data in order to process it for national security purposes.495 Hence, the data was processed for different purposes from the original purpose for which the data was stored.
2.3.2 EXPLICITLY AND LEGITIMACY
It was earlier noted that the purpose limitation principle can also be seen referring to the duty to inform the data subject of the purposes of the data collection. It can be argued that the requirement for explicit data processing includes this element.
However, when assessing the meaning of the said requirement, the core element is that the processing purposes must be clearly defined by the controller. The processing purposes should be unambiguously expressed, in such a manner that both data protection authorities and also data subjects would have the same solid understanding of the processing purposes.496
As for the legitimate purposes, it clearly refers to the legal basis for processing laid down, for example, in Article 6 of the GDPR.497 However, legitimacy has been considered wider than simply the legal processing of personal data. It has been suggested that legitimacy also implies such things as cultural values, fair processing and necessity.498 Further, it has been suggested that such elements as customs, codes
493 WP 29 Opinion 3/2015, p. 15–16.
494 WP 29 Opinion 3/2015, p. 15–16.
495 Case C-362/14, Schrems, ECLI:EU:C:2015:650, para 90. See for example Article 29 Data Protection Working Party, Opinion 3/2013 on purpose limitations, p. 17–18.
496 See for example Article 29 Data Protection Working Party, Opinion 3/2013 on purpose limitations, p. 17–18.
497 For legal basis, see also Case C-13/16, Rigas satiksme, ECLI:EU:C:2017:336.
498 L.A. Bygrave, Data Protection Law, Approaching Its Rationale, Logic and Limits, (Kluwer, 2002), 57–61.
of conduct, codes of ethics, contractual arrangements and the general context and facts of the case form part of the legitimate purposes.499
2.3.3 FURTHER PROCESSING
The third element of the purpose limitation principle relates to further processing.
Personal data may not be further processed for purposes which are incompatible with the original purpose of the data collection. This requirement also stems from the Charter of Fundamental Rights, which emphasizes that personal data must be processed for specified purposes.500 However, data processing for historical, statistical and scientific purposes are not considered incompatible with the original processing purpose.
It has been suggested that this requirement can be approached from two angles.
It can be examined either from the data controller’s perspective or from the data subject’s perspective. When the question is studied from the data controller’s viewpoint, the emphasis would be on the realization of the original processing purpose. The further processing should not render the actualization of the original purpose void or even difficult. When examined from the data subject’s perspective, the emphasis would be on legitimate expectations etc.501 This approach might appear alluring when personal data is increasingly processed for further purposes, which are unknown at the time of the data collection. An example of such use is the transfer of flight passengers’ name records for security purposes.
However, the core of the idea of this principle is that personal data must not be further processed for purposes which are incompatible with the original processing purpose. The Data Protection Regulation does not give clear guidelines on how to interpret the purpose limitation principle nor does the EU Institutions’ Data Protection Regulation, former Data Protection Directive or the GDPR. When applying this principle, the reasonable and legitimate expectations of the data subject should be taken into consideration. In other words, for example, genetic data, which was collected in the course of scientific research, cannot be used by insurance companies later when assessing the risk a particular client might pose for the company. However, this should not be considered as an absolute ban for further processing of personal data. When assessing what further processing is allowed, the emphasis should be on the reasonable and legitimate expectations of the data subject.502 For instance, when a public figure has participated in a public
499 Article 29 Data Protection Working Party, Opinion 3/2013 on purpose limitations, p. 19–20.
500 Charter of Fundamental Rights of the European Union (OJ C 303, 14.12.2007, p. 1–16), article 8.
501 L.A. Bygrave, Data Protection Law, Approaching Its Rationale, Logic and Limits, (Kluwer, 2002), 340.
502 For the extent of consent and further processing, see Case C-536/15, Tele2 (Netherlands) and others,
meeting, he or she should reasonably expect that his or her name will be disclosed at a later stage.
2.3.4 EXCEPTIONS TO PURPOSE LIMITATION PRINCIPLE
There are some exceptions to the purpose limitation principle laid down in the GDPR and also in the EU Institutions’ Data Protection Regulation. Despite the purpose limitation principle, personal data may be processed for archiving purposes in the public interest or for scientific, statistical or historical purposes. In other words, processing personal data for scientific research purposes or to draw up statistics has been considered privileged in the sense that the purpose limitation principle is seen to create unnecessary obstacles for such processing.503
While this might clarify the situation when personal data is processed for the said purposes, this might cause some confusion how to interpret “compatible” and
“incompatible”. It is important to note that this Article only states that processing for these purposes is not incompatible. It does not claim that processing for these purposes would be compatible with the original purposes. In other words, the core idea of this provision is that personal data may be processed for the said purposes despite the requirements set by the purpose limitation principle. The importance of the difference in what is meant by “not incompatible” and “compatible” becomes evident when what can be considered compatible processing is assessed in more general terms. If the said processing purposes were considered compatible with the original processing purposes, the weight on the assessment would lay on the importance of the secondary processing purpose. Not on the assessment of whether the secondary processing actually fits in the scope of the original processing purposes. However, in such cases, the assessment should rather be carried out by assessing whether there exist grounds to consider the aim of the secondary processing purposes as a public interest and whether the secondary processing meets the requirements of proportionality.504
ECLI:EU:C:2017:214, paras34–40.
503 For the collection of personal data for statistical purposes, see also a judgment by the German Constitutional Court, BVerfGE 65, 1 (15 December 1983).
504 For proportionality and the overriding public interest in the context of further processing, see judgment by the German Constitutional Court, BVerfGE 65, 1 (15 December 1983).
2.3.5 FURTHER PROCESSING BASED ON LEGISLATION
It is often seen that data processing in the public sector requires stronger frames than that taking place in the private sector.505 Generally speaking, processing in the public sector derives its legitimacy from legislation. While the GDPR leaves a rather wide margin for assessing the legitimacy of processing in the private sector (processing is based on the legitimate interest of the controller), this is not the case when it comes to the public sector.
The CJEU has also given some further guidance on the stipulations of national legislation on data processing carried out by public authorities. The CJEU clarified that when personal data is transferred from one public authority to another public authority, the data subjects should be informed in certain cases. The CJEU underlined the fact that national legislation which provided the legal basis for such data transfers did not cover all of the information transferred to another public authority, nor the manner in which it was transferred. The CJEU saw that data subjects had to be informed that their personal data was transferred. 506 One could argue that the CJEU’s decision could be read in a way which allows the disclosure of personal data to another public authority when it is regulated in a detailed manner in national legislation. Another significant point in the said judgment is that it did not articulate anything on the right to object, but simply on the data subject’s right to be informed.
How further processing based on legislation and the purpose limitation principle will be perceived under the new data protection regime remains obscure.
Nevertheless, it does seem that further processing based on legislation does not need to be compatible with the original processing purposes. In such cases, the legislator has deemed the secondary processing purposes so important that the purpose limitation principle can be derogated. Clearly, the legislator is not free to stipulate on the matter however it wishes. The Charter of Fundamental Rights sets the parameters for the legislator to reconcile different interests, without interfering with the essence of the rights protected by the Charter.
505 See for example the exclusion of public sector in the last sentence in Art. 6(1)(f) of the GDPR.
506 C-201/14, Samaranda Bara and others, ECLI:EU:2015:638, paras 35, 37–43.