When it comes to further processing of personal data, will the EU institutions be able to agree on how to deal with purpose incompatibility?
The extent to which businesses can justify further processing of personal data for new purposes (that is, for reasons distinct from the original purpose for which the data was collected) can be a perplexing issue under data protection law. This is especially true when data controllers want to process personal data initially collected for one purpose with the data subject’s consent for another purpose without their consent.
As I mentioned in an earlier post, in such cases, businesses may argue that they can justify their envisaged further use under the ‘balance of interests – legitimate interest’ condition in Article 7(f) of the Data Protection Directive, however, its applicability should not be readily assumed. This condition states that, “personal data may also be processed if this is necessary for the purposes of the legitimate interests pursued by the controller or by the third party except where such interests are overridden by the data subject’s interests or fundamental rights and freedoms”.
It is useful to remind ourselves of the legal foundations of this debate for further probing of how companies can come unstuck determining their compliance obligations in this area. Article 6(1)(b) of the Data Protection Directive describes the ‘purpose limitation’ principle, which is designed to safeguard individuals’ right to control who has the right to process information about them and for what purpose. The principle has two constituent elements: purpose specification; and, compatible use. That is, “personal data must be collected for specified, explicit and legitimate purposes, and not be further processed in a way incompatible with those purposes”.
Therefore, envisaged further use of personal data must be compatible with the ‘original’ purpose for which data was collected. Said otherwise, the processing of personal data in a way incompatible with the purpose specified at collection is unlawful. There are limited exceptions to this rule, the main one being that data controllers may process existing data for incompatible purposes based on an exemption adopted by an EU Member State under Article 13 of the Directive. The other exception being that “further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards” (Article 6(1)(b) of the Directive).
Moreover, in order to be lawful, not only must the purpose of the further processing be compatible with the original purpose but, in addition, that further processing should be based on one of the criteria for making data processing legitimate as set forth in Article 7 of the Directive.
The consequence of these twin issues – compatibility and legitimacy – is twofold:
- Even where a data controller establishes (correctly) that a further use is compatible with the initial one, this does not mean that data may be further processed without a valid legal basis described in Article 7 or, indeed, merely by assuming that they can rely on the legal ground that legitimised the original processing.
In other words, evaluating on a case-by-case basis the purpose of further processing against the original purpose for compatibility is a separate matter from evaluating whether the further processing activity has an autonomous legal basis.
Recently, the Article 29 EU Data Protection Working Party (WP) wrote to representatives at the trilogue discussions involved in negotiating the final text of the new General Data Protection Regulation (GDPR) – see my earlier post on the lead up to these negotiations – reconfirming its strong views on this point. In the Annex to its three letters, the WP states as follows:
“The new legal provisions should ensure at least the same level of protection offered by the current Directive…Compatibility and legitimacy are cumulative requirements and, for a change of purpose which is not incompatible, one of the legal bases has to be applied.”
The catalyst for this part of its letter can be found in the European Commission’s proposal for the introduction of a new Article 6(4) in its proposal for a GDPR (COM(2012)11). This states as follows:
“Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract”.
In other words, this provision would permit further processing of personal data for incompatible purposes, provided that one of the legal grounds set out in Article 6(1) (a) to (e) of the draft GDPR [mirroring Article 7 (a) to (e) of the Directive] is met. This would exclude reliance upon the ‘balance of interests – legitimate interest’ condition in Article 6(1)(f) of the GDPR [mirroring Article 7(f) of the Directive quoted above].
Article 6(4) has become a point of significant controversy so far in the GDPR reform discussions. In particular, in its 2014 legislative resolution on the GDPR, the European Parliament proposed to delete Article 6(4). This approach has been supported by the European Data Protection Supervisor (EDPS), the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), as well as the WP. For example, the EDPS (in an Opinion on the European Commission’s proposals for a revised data protection framework) states that it “has strong reservations with regard to this new provision, which has broad practical consequences and changes the spirit of the purpose limitation principle as we currently know is”. He goes on to say that, “It gives broad possibilities for re-use of personal data in particular in the public sector, in cases based on Article 5(c) and (e) where the controller is subject to a legal obligation, or in case of public interest or exercise of officially authority vested in the controller, without any assurance that the infringement of the purpose limitation principle has been considered separately and adequately”. The EDPS, therefore, recommended the deletion of the provision or, at the very least, the restriction of it. A restriction should ensure that personal data cannot be further processed lawfully, where an additional purpose is envisaged that is incompatible with the initial purpose, on the basis of a legal obligation (which may, in any case, only be created after the data was collected).
From a UK perspective, the Information Commissioner’s Office (ICO) has also taken the view that the legitimisation of incompatible processing provided for in Article 6 (4) will be very confusing in practice, not least for data subjects.
By contrast, under its General Approach on the GDPR, the Council proposed to extend Article 6(4) much further than the Commission in proposing that the ground contained in Article 6(1)(f), the ‘balance of interests – legitimate interest’ condition should also be capable of being relied upon for further use for an incompatible purpose. It states as follows (the bold lettering indicating the Council’s suggested amendments to the Commission’s text):
“Where the purpose of further processing is incompatible with the one for which the personal data have been collected by the same controller, the further processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1179 180. Further processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject”
Article 6(4) will undoubtedly be a key point of contention in the trilogue discussions. When it comes to further processing of personal data, will the EU institutions ultimately be able to agree on how to deal with purpose incompatibility? Moreover, will the WP’s warnings be taken on board?