In “Understanding data protection: the EU regulation in a nutshell” above, purpose limitation was motivated by limiting the use of the gained power exclusively to reaching the declared and legitimate purposes. (See “Restricting the controllers to use the power solely for reaching the declared legitimate purposes” for detail.)
The GDPR defines the principle as follows:
|Definition in Art. 5(1)(b) GDPR:
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; […] (‘purpose limitation’);|
Note that the first half of this sentence has already been discussed under the previous principle. In particular, the requirement that purposes must be specified and explicit was a prerequisite for being able to speak of lawfulness; the requirement of legitimacy regards purposes and was therefore discussed together with lawfulness.
What is discussed here in more detail is the essence of this principle, namely the limitation to processing compatibly with the purposes. This is a requirement regarding the implementation of the processing activity, not the purposes.
Not processed in a manner that is incompatible with those purposes
The essential part of this principle is thus contained in the half-sentence “not further processed in a manner that is incompatible with those purposes”. The following analyzes this sentence in more detail.
The sentence speaks about compatibility with purposes. It is clear from the first half of the sentence that these are the purposes that have been explicitly specified (see section). The part of Art. 5(1)(b) that has been represented by […] and will be discussed below also uses the concept of “compatibility with initial purposes”. The initial purposes therefore seem to be the same as those specified (during the conception of the processing activity).
Art. 5(1)(b) thus expresses that processing shall be compatible with:
- the initial purposes themselves, or
- other purposes that are compatible with these initial purposes.
The former follows from the reasoning that purposes are always compatible with themselves.
The wording of Art. 5(1)(b) speaks of “further processed”. While this could be understood temporally, i.e., in the sense of “after the initial purposes have been achieved”, the temporal aspect seems to be irrelevant for this principle. Instead, “further” has the meaning of “beyond” without temporal significance and refers purely to the purposes.
The situation is visualized in Figure 1:
Figure 1: Processing is allowed for the initial and compatible purposes.
It is important to know that no additional legal basis is necessary to further process for compatible purposes. This is stated explicitly in Recital 50 GDPR (2nd sentence). Referring to further processing for compatible purposes, it states:
|In such a case, no legal basis separate from that which allowed the collection of the personal data is required.|
Use for incompatible purposes
This raises the question of how personal data can come to be processed for incompatible purposes and what the consequences are.
Understanding how such processing can happen is important in order to avoid it. The following three examples illustrate the issue without claim to comprehensiveness:
- Function creep: It is common for processing activities to evolve over time. It is also common that they then acquire new functionality or “features” that correspond to additional or modified processing. In cases where the controller fails to exercise sufficient control over such evolution, the processing can move unnoticed beyond the initial or compatible purposes.
- Lack of separation: Assume that a controller operates multiple independent processing activities that pursue distinct purposes. If the controller fails to implement adequate measures to separate the different processing activities, data collected for one set of purposes can easily end up being used for other purposes. This is illustrated in Figure 2.
Figure 2: A lack of separation leads to the use of data for incompatible purposes.
- Recipients who pursue their own purposes: Recipients are persons or organizations to whom personal data is disclosed (see definition in Art. 4(9) GDPR). Recipients can for example be:
  - employees who access data legitimately on instruction by the controller to fulfill compatible purposes of the processing, or
  - external attackers who illegitimately access the data through a breach.
In the latter case, it is obvious that the recipient uses the personal data for other purposes. It is these very purposes that likely motivated the attack in the first place. But even employees can have interests in the data other than pursuing the stated purposes of their employer. A prime example of this is where the employee already knows the data subject and learns information that would not otherwise be accessible.
With the understanding gained from these examples that illustrate how data can be used for other purposes, the question of the possible consequences must be asked.
In all cases, the basic principles of lawfulness and legitimacy are likely violated. According to these principles, processing is prohibited unless it is justified by a demonstrated lawfulness and legitimacy of the purposes. This is obviously not the case when processing happens for incompatible, and thus unjustified purposes.
The use of data outside and beyond the justified purposes also permits rogue controllers to accumulate power. This can happen for example when controllers combine the data sets of persons across distinct processing activities, keep and accumulate data when they are no longer necessary for the purposes, and possibly even acquire data from other sources in order to gain more power over their data subjects. Such accumulated power evidently exceeds the power gain that was justified by a demonstrated lawfulness and legitimacy of the initial purposes.
It is evident that beyond the sole violation of data protection principles, depending on the purposes for which the data is (ab)used, data subjects can also experience material or immaterial damage. For example, knowledge of certain health data may significantly affect relationships when accessible to acquaintances or prevent employment opportunities when accessible to potential employers. When used for criminal purposes, some kinds of data may be the basis for blackmail.
When are purposes compatible?
The following discusses how to determine whether potential additional purposes are considered compatible. It is predominantly based on Art. 6(4) GDPR.
In the case where a legal basis of consent (see Art. 6(1)(a) GDPR) was chosen for the processing, further processing for additional purposes other than the preapproved compatible ones (see below) is deemed incompatible. This is because consent is always specific to specified purposes. To “widen” the purposes of processing beyond the specified purposes that a data subject has consented to would be clearly unfair and nontransparent.
Art. 6(4) then provides the following criteria to be used by controllers for determining whether an additional purpose is compatible (reworded slightly compared to the GDPR):
Further guidance including examples of applying these criteria is available from the Article 29 Data Protection Working Party. While this opinion refers to the Data Protection Directive (i.e., the predecessor of the GDPR), many aspects are still equally applicable today.
To simplify the determination of whether additional purposes are compatible, the GDPR preapproves some of the most common additional purposes pursued in further processing. Namely, Art. 5(1)(b) includes the following:
|[F]urther processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.|
The mentioned Art. 89(1) GDPR mandates that further processing for these preapproved purposes is only admissible if adequate safeguards are in place.
1 These are also the purposes that are communicated to data subjects as required by Art. 13 and 14 GDPR.
2 Controllers are not responsible for the actions of attackers but only for preventing attacks through adequate security measures.
3 Note that Art. 6(4) GDPR about compatible purposes explicitly excludes its applicability when the legal basis is consent.
4 In particular, these purposes are specified in the dialog that asks for consent, and the specification is an important aspect of the informedness of consent.
5 Article 29 Data Protection Working Party, 00569/13/EN, WP203, Opinion 03/2013 on purpose limitation, Adopted on 2 April 2013, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf (last visited 28/05/2020).