Introduction
In today’s digital age where the processing of personal data has become an essential part of modern-day business operations, the result has been the rise of data processing. Hence, principles have been developed to curb the arbitrary processing of data. Last month, we discussed the lawfulness principle. This month, we will discuss another fundamental principle under data protection laws — the ‘Purpose Limitation Principle’.
Purpose Limitation: The Definition and Scope
The principle of purpose limitation provides that controllers must limit the processing of personal data to specific purposes. In other words, personal data can only be collected, processed, and stored for specific and legitimate purposes, which have been communicated with the data subjects.
Purpose limitation protects data subjects by setting limits on how data controllers are able to use their personal data while also offering some degree of flexibility for data controllers. The concept of purpose limitation has two main building blocks: personal data must be collected for ‘specified, explicit and legitimate’ purposes (purpose specification) and not be ‘further processed in a way incompatible’ with those purposes (compatible use). At the point of collecting the data, the purpose for its collection must be clearly stated and the data must not be processed in furtherance of a purpose contrary to that for which it was given. The GDPR puts it as follows: personal data shall be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’.
The purpose should be specific and concrete; vague and abstract purposes such as ‘promoting consumer satisfaction’, ‘product development’, or ‘optimizing services’ are prohibited. A specific purpose exists, for example, when a pizza delivery service asks for the consumer’s address, for the purpose of delivering pizza.
Specifying the processing purpose is a pre-requisite for applying other data protection principles’ requirements, including the adequacy, accuracy of the data collected, and the requirements regarding the period of data retention. The principle of purpose limitation is designed to establish the boundaries within which personal data collected for a given purpose may be processed and may be put to further use.
The Complexities of the Purpose Limitation Principles
Navigating the complexity of purpose limitations in data protection laws can be a challenging task for organizations. While the principle of purpose limitation inhibits ‘mission creep’, which would otherwise give rise to the usage of the available personal data beyond the purposes for which they were initially collected, it also recognizes that there is also value in allowing, within carefully balanced limits, some degree of additional use. The prohibition of ‘incompatibility’ in Art. 6(1)(b) of the GDPR does not altogether rule out new, different uses of the data – provided that this takes place within the parameters of compatibility. The principle of purpose limitation – which includes the notion of compatible use – requires that in each situation where further use is considered, a distinction be made between additional uses that are ‘compatible’, and other uses, which should remain ‘incompatible’.
The purpose limitation principle requires organizations to be transparent about the purposes for which they are collecting and processing personal data, and where additional use is required, consider if it is compatible with the initial purpose or not. Where it is not, fresh consent for the new purpose for processing will be required. And failure to comply with this principle can lead to severe consequences, including hefty fines and damage to an organization’s reputation.
Organizational Tips
Here are some tips on how organizations can navigate the complexity of purpose limitation in data protection laws:
- Be clear about the purposes for which personal data is collected: Organizations should be transparent about the purposes for which they are collecting personal data and also have a lawful basis for processing data under the purposes identified. This information should be communicated to individuals in a clear and concise manner, preferably in a privacy notice. In deciding whether an additional purpose is compatible or not, consider these questions; will this additional purpose be complimentary to the initial one? Will a data subject reasonably foresee this additional purpose? If the answers to both questions are negative, fresh consent will be needed.
- Limit the collection of personal data: Organizations should only collect personal data that is necessary for the purposes for which it is being processed. The collection of excessive personal data is not only a violation of the purpose limitation principle but also increases the risk of data breaches.
- Keep personal data accurate and up-to-date: Organizations should ensure that the personal data they hold is accurate and up-to-date. If personal data is no longer necessary for the purposes for which it was collected, it should be deleted or anonymized.
Conclusion
Navigating the complexity of purpose limitation in data protection laws requires organizations to be transparent, responsible, and accountable for the personal data they collect and process. By adhering to the purpose limitation principle, organizations can build trust with their customers and demonstrate their commitment to protecting individuals’ rights to privacy.