In Understanding data protection: the EU regulation in a nutshell above, most of the properties required in this principle were discussed in terms of balancing the power between controller and data subjects. This is summarized in the following: Both, lawfulness and legitimacy of the purposes is presented as a pre-requisite for the processing to be permissible. See For which purposes is processing allowed for detail. Fairness was not discussed in the introduction. Arguably, by balancing the power between controller and data subjects, the whole GDPR is about fairness. Transparency was presented as a pre-requisite for accountability. See Controllers are fully accountable for detail.
The GDPR defines the principle as follows:
| Definition in Art.5(1)(a) GDPR:
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); |
Lawfulness, fairness, and transparency are discussed in more detail in the following.
Prerequisite to lawfulness: specified, explicit purposes
Lawfulness is a requirement for the purposes of processing[1]. It is therefore impossible to reason about it without first knowing the precise purposes that are pursued by the processing. For this reason, the requirement from Art. 5(1)(b) that purposes must be specified and explicit is discussed here as a prerequisite:
| Personal data shall be collected for specified, explicit and legitimate purposes |
Specified purposes:
The Article 29 Data Protection Working Party writes[2]:
“Purpose specificationlies at the core of the legal framework established for the protection of personal data. In order to determine whether data processing complies with the law, and to establish what data protection safeguards should be applied, it is a necessary preconditionto identify the specific purpose(s) for which the collection of personal data is required.”
The specification can be seen as the first task of the conceptualization of a processing activity that guides all subsequent decisions including:
- whether the processing is permissible, i.e., lawful and legitimate,
- what the implementation of the processing that needs to achieve the purposes entails, and
- what data protection safeguards should be applied.
The Working Party further states[3]:
“The purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of processing is and is not included within the specified purpose, and to allow that compliance with the law can be assessed and data protection safeguards applied.”
and
“For these reasons, a purpose that is vague or general, such as for instance ‘improving users’ experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’ will – without more detail – usually not meet the criteria of being specific”
Explicit purposes:
The Working Party further states[4]:
“Personal data must be collected for explicit purposes. The purposes of collection must not only be specified in the minds of the persons responsible for data collection. They must also be made explicit. In other words, they must be clearly revealed, explained or expressed in some intelligible form.”
Note that the requirement to make the purposes explicit is closely related to informing data subjects about the purposes of processing (see Art. 13(1)(c) and 14(1)(c) GDPR).
Based on the pre-requisite of specified explicit purposes, legitimacy and lawfulness can be discussed.
Legitimacy and lawfulness
WhileArt. 5(1)(a) GDPR speaks only of lawfulness, the closely related requirement of legitimacy is stated in Art. 5(1)(b) GDPR. Since both express requirements regarding the purposes of processing, they are discussed here together.
Art. 5(1)(b) GDPR states:
| Personal data shall be collected for specified, explicit and legitimate purposes and […] |
The GDPR fails to provide a definition for legitimacy; but the Article 29 Data Protection Working Party provides the following[5]:
| The requirement of legitimacy means that the purposes must be ‘in accordance with the law‘ in the broadest sense. This includes all forms of written and common law, primary and secondary legislation, municipal decrees, judicial precedents, constitutional principles, fundamental rights, other legal principles, as well as jurisprudence, as such ‘law’ would be interpreted and taken into account by competent courts. |
Legitimacy is thus a very broad requirement. This becomes even more significant when considering that certain legislation, such as the Clinical Trial Regulation[6], include also ethical requirements. But even where ethics is not prescribed by the law, there is a danger that purposes that are clearly unethical may be considered to also be illegitimate. For example, this may be the case where processing takes place in disregard of a disapproval by a research ethics committee.
In contrast to legitimacy, lawfulness is indeed defined in the GDPR. Namely, Art. 6(1) GDPR reads:
| Processing shall be lawful only if and to the extent that at least one of the following applies: […] |
In the omission represented by […], six possible so called legal bases are listed.
They can be seen of categories of purposes. These are described in more detail in the section Related articles and recitals below.
Fairness
Arguably, all of data protection and thus the GDPR is about fairness towards data subjects. The GDPR can be seen in spelling out what fair actually and concretely means.
So its explicit mention as a principle may be considered to be a “fall-back clause” for the case where a concrete requirement of fairness has not been explicitly stated in the GDPR. Even if this case, the fairness principle would prevent any “loophole” in the GDPR.
While the whole GDPR can be considered to be about fairness, the section Related articles and recitals below gives some examples where fairness is particularly evident.
Transparency
Transparency is a well-understood concept and is a key pre-requisite for accountability in the GDPR. The main focus of transparency is to inform data subjects up-front[7] of the existence of the processing and its main characteristics. Other information (such as the data about the data subject) is available on request. Data subjects also have to be informed of certain events, most notably data breaches (in the case where the data subject is exposed to high risk). Transparency is also supported by controllers designating a Data Protection Officer who acts as single point of contact for concerns by data subjects. In the GDPR, data subjects are empowered to be the main guardians of their own rights and freedoms. Evidently, transparency is a pre-requisite for detecting and intervening in case of non-compliance.
Supervisory authorities, as obvious from their name, are also guardians of the compliance with the GDPR, even if their involvement is often triggered by complaints lodged by data subjects[8]. There are transparency requirements for controllers that are specifically targeted at supervisory controllers, including the records of processing (see Documentation of Processing in the chapter Main Activities and Tools) and Data Protection Impact Assessments (see the section with the same name in the chapter Main Activities and Tools). Controllers being answerable[9] to supervisory authorities and having to permit on-premise[10] investigations and audits[11] further implement transparency.
References
1It is outside the scope of this document to provide a thorough legal analysis of the concept of purpose beyond its meaning in common language. It shall solely be pointed out that purposes of processing usually are related to a objective that the controller pursues. Such objectives should be concrete (much rather than theoretical) and it is often possible to determine whether the objective has been reached or measure to which degree it has been reached. ↑
2Highlighting added by the author, for the citation, see page 15 of: Article 29 Data Protection Working Party, 00569/13/EN, WP203, Opinion 03/2013 on purpose limitation, Adopted on 2 April2013, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf (last visited 27/05/2020). ↑
3WP203, page 15, highlighting added by the author. ↑
4WP203, page 17, highlighting added by the author. ↑
5WP203, page 20, , highlighting added by the author. ↑
6REGULATION (EU) No 536/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC, https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-1/reg_2014_536/reg_2014_536_en.pdf (last visited 27/05/2020). ↑
7Up-front here means that data subjects should be aware of the processing before it takes place. It does not imply a certain method of providing information or exclude dynamic ways of providing the necessary information. ↑
8See Art. 57(1)(f) GDPR. ↑
9See Art. 58(1)(a) GDPR. ↑
10See Art. 58(1)(f) GDPR. ↑
11See Art. 58(1)(b) GDPR. ↑