Purpose limitation

The purpose limitation principle limits the use of personal data to the original purpose(s), or those purposes that are compatible with it. However, AI development requires data to be reused quite often. Moreover, it might happen that the AI tool re-uses the data automatically (this certainly happens in the case of deep learning). These situations create tension between the AI training techniques and the principle of purpose limitation (see “Purpose limitation principle” within Part II section “Principles” of these Guidelines).

In order to avoid unlawful data processing, controllers using AI systems should determine the purpose of the processing “at the outset of its training or deployment, and perform a re-assessment of this determination should the system’s processing throw up unexpected results, since it requires that personal data only be collected for “specified, explicit and legitimate purposes” and not be used in a way that is incompatible with the original purpose”[1] (see the “Data protection by design and by default” section in “Main Concepts”, within Part II of these Guidelines).

The re-use of data in the development of an AI tool entails deeply challenging issues in terms of purpose limitation. AI systems process personal data in various stages and for a variety of purposes. As a result, a controller may fail to distinguish each distinct processing operation and process data for purposes other than those for which they were initially collected. Controllers should be particularly concerned about these situations since they could lead to a failure to comply with the data protection principle of lawfulness[2] (see the “Use for incompatible purposes” subsection in the “Purpose limitation principle” section of the “Principles” within Part II of these Guidelines).

Controllers must consider that the identification of the appropriate lawful basis is tied to principles of fairness and purpose limitation (see “Lawfulness, fairness and transparency principle” within Part II section “Principles” of these Guidelines).[3] They must select the legal basis that most closely reflects the true nature of their relationship with the individual and the purpose of the processing. This decision is key, since changing the legal grounds for processing is impossible if there are not substantial reasons that justify it, due to the purpose limitation principle. If the AI developers are planning to use a dataset at different stages (e.g. training, validation or deployment), they should consider these steps as having distinct and separate purposes.[4] Moreover, they must consider the type of relationship they hold with the data subject. For instance, consent might be an appropriate lawful basis for processing if there is on-going contact with the data subjects and controllers are able to obtain successive consents for different uses or are able to obtain consent for several processing operations from the data subject before processing starts. However, in the case of AI, it is often hard to keep this type of relationship, since AI is often built by aggregating and merging big datasets.

Last but not least, controllers should be aware that for processing of personal data for scientific, historical research or statistical purposes, Union or Member State law or rules may provide derogations from data subjects’ rights stipulated in Art. 15, 16, 18, 21. Therefore processing of those data for purposes other than those for which they were initially collected should be lawful as long as appropriate technical and organizational measures are in place, in particular data minimization (see the “Data protection and scientific research” within “Main Concepts” in Part II of these Guidelines).

Checklist: purpose limitation[5]

☐ The controllers have clearly identified their purpose or purposes for processing.

☐ The controllers have documented those purposes.

☐ The controllers include details of their purposes in the privacy information for individuals.

☐ The controllers regularly review their processing and, where necessary, update their documentation and privacy information for individuals.

☐ If the controllers plan to use personal data for a new purpose other than a legal obligation or function set out in law, they check that this is compatible with their original purpose or they get specific consent for the new purpose.

Additional information

Article 29 Data Protection Working Party (2013) Opinion 03/2013 on purpose limitation. European Commission, Brussels. Available at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf

CIPL (2020) Artificial intelligence and data protection: how the GDPR regulates AI. Centre for Information Policy Leadership, Washington DC / Brussels / London. Available at: www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl-hunton_andrews_kurth_legal_note_-_how_gdpr_regulates_ai__12_march_2020_.pdf

EDPB (2018) Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Adopted on 9 April 2019, p.6. European Data Protection Board, Brussels. Available at: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_draft_guidelines-art_6-1-b-final_public_consultation_version_en.pdf

ICO (2020) Guidance on the AI auditing framework: draft guidance for consultation. Information Commissioner’s Office, Wilmslow. Available at: https://ico.org.uk/media/about-the-ico/consultations/2617219/guidance-on-the-ai-auditing-framework-draft-for-consultation.pdf

ICO (no date) Principle (b): purpose limitation. Information Commissioner’s Office, Wilmslow. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/

 

References


[1] CIPL (2020) Artificial intelligence and data protection: how the GDPR regulates AI. Centre for Information Policy Leadership, Washington DC / Brussels / London, p.6. Highlighted by the author. Available at: www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl-hunton_andrews_kurth_legal_note_-_how_gdpr_regulates_ai__12_march_2020_.pdf (accessed 17 May 2020).

[2] ICO (2020) Guidance on the AI auditing framework: draft guidance for consultation. Information Commissioner’s Office, Wilmslow. Available at: https://ico.org.uk/media/about-the-ico/consultations/2617219/guidance-on-the-ai-auditing-framework-draft-for-consultation.pdf (accessed 15 May 2020).

[3] EDPB (2018) Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Adopted on 9 April 2019, p.6. European Data Protection Board, Brussels. Available at: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_draft_guidelines-art_6-1-b-final_public_consultation_version_en.pdf (accessed 15 May 2020).

[4] ICO (2020) Guidance on the AI auditing framework: draft for consultation. 2020. Information Commissioner’s Office, Wilmslow. Available at: https://ico.org.uk/media/about-the-ico/consultations/2617219/guidance-on-the-ai-auditing-framework-draft-for-consultation.pdf (accessed 15 May 2020).

[5] ICO (no date) Principle (b): purpose limitation. Information Commissioner’s Office, Wilmslow. Available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/ (accessed 17 May 2020).

 
