On April 2, 2013, the European data protection regulators (the “Article 29 Working Party” or the “WP29”) issued a 70-page opinion providing guidance on how to comply with the core EU data protection principle of “purpose limitation.”1 This opinion gives a good indication of how EU regulators would apply their national data protection law to specific processing activities such as email marketing, behavioral advertising, profiling, and tracking of user behavior and big data. It is relevant for companies of all sizes, including non-EU-based companies, offering online services to users in the EU, since the EU regulators tend to take a broad approach regarding the applicability of EU data protection law.2 This article addresses certain aspects of the opinion.3

The Principle of “Purpose Limitation”

“Purpose limitation” means that personal data can only be collected for specific, pre-defined purposes (“purpose specification”) and not be used for purposes that are incompatible with the purposes for which the data was originally collected (“compatible use”).4 The WP29 elaborates further on these two elements:

  1. Purpose specification: Personal data must be collected for specific, explicit, and legitimate purposes. This means that the purposes of the data collection must be: defined prior to the collection (i.e., companies should be able to predict the data uses); clearly communicated in an intelligible and transparent form; and legitimate under one of the legal grounds listed in the EU Data Protection Directive.5 In the online context, the WP29 recommends using layered notices6 so that users can determine the level of information they would like to obtain. In addition, vague and generic language should be avoided (e.g., data is used “for marketing”).
  2. Compatibility test: A compatibility test is necessary to ensure that personal data is not further processed for purposes that are incompatible with the purposes for which the data was originally collected. A simple change of privacy policy would not be sufficient to legitimize a new, incompatible data-processing purpose. In order to assess whether a purpose is compatible or not, companies should conduct a “compatibility test” that takes into account the following criteria:
    1. the relationship between the purposes of the processing at the time of data collection and the purposes of further processing;
    2. the context of the data processing (e.g., purchase, service subscription) and the reasonable expectations of the individuals regarding further use of data (e.g., email marketing in the context of existing customer relationships);
    3. the sensitivity of the data and the impact on individuals’ privacy; and
    4. the use of mitigating measures, such as adequate security and confidentiality measures ensuring fair processing and limiting the impact on individuals’ privacy.

However, a new purpose is not necessarily incompatible. For example, further use of data for historical, statistical, or scientific purposes is generally compatible and would not raise major issues, provided that adequate security is in place (e.g., data minimization, anonymization, privacy-enhancing techniques).

Compatibility Test and Big Data

The WP29 defines “big data” as reuse of “gigantic digital datasets” held by corporations that are extensively analyzed using computer algorithms (i.e., data analytics). It acknowledges the benefits associated with the use of big data for research and innovation, especially in the fields of marketing, mobile communications, smart grid, traffic management, fraud detection, and healthcare. However, the WP29 stresses that big data entails certain privacy risks (e.g., tracking and profiling based on a combination of data from different sources, limited transparency, inaccurate analytics results, highly intrusive personalized advertising, poor data security, and increased risk of government surveillance). Therefore, it recommends conducting a compatibility test when big data is used for the following:

  1. Predicting general trends (emphasis on security): According to the WP29, companies should apply adequate security and confidentiality measures (e.g., anonymization, pseudonymization, aggregation) when they use big data to predict general trends, especially if it involves the sharing of data with third parties. In particular, the WP29 advocates for the “functional separation” of processing activities, meaning, for example, that data used for statistical or other research purposes should not be used for other purposes directly related to individuals.
  2. Analyzing preferences, behaviors, and attitudes to target users (emphasis on opt-in consent): Big data can also be used to analyze or predict preferences, behavior, and attitudes of customers with a view to creating personalized discounts or providing special offers and targeted advertisements. In such cases, the WP29 requires free, specific, informed, and unambiguous opt-in consent to legitimize the reuse of customer data, in particular when conducting the following activities: tracking and profiling for direct marketing, behavioral advertising, data-brokering, location-based advertising, or tracking-based digital market research. In those circumstances, the WP29 recommends that companies disclose to their customers the decisional criteria and sources of data used for the targeting; implement strong security safeguards; and provide individuals with access to their data in a portable and user-friendly format to allow them to correct or update their profiles.

Examples of Incompatible Further Use of Data

  • Marketing: Opaque racial profiling of customers to provide greater personalized discounts in a specific region (e.g., Asian customers); use of data analytics on a loyalty card to identify when a woman is pregnant and to send targeted marketing offers without providing prior specific information.
  • Social media: Oversimplification of the different purposes (e.g., email, social networking, photo and video uploads) without any granularity; modifying the privacy policy with the intention to start using photos already uploaded on the platform for the promotion of the website and subjecting such changes to an “I accept” button without allowing individuals to continue using the website.

Recommendations and Conclusions

Below are a few key takeaways from the WP29’s opinion:

  • Assess new purposes in light of a compatibility test
  • Use granular layered notices
  • Break down general purposes into “sub-purposes”
  • Avoid generic descriptions such as “marketing,” “IT-security,” and “further research”
  • Avoid using general terms and conditions to justify new data processing to which individuals have not consented

The opinion is probably one of the most important opinions analyzing compliance with EU data protection law, since the purpose limitation principle is one of the core principles of EU data protection. It analyzes a large number of examples with a view to helping companies interpret this principle in light of innovative business trends such as the (re)use of personal data in the context of big data.

1 Article 29 Working Party Opinion 03/2013 on purpose limitation, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf.
2 Regarding the applicability of EU data protection law to non-EU-based companies, see, for example, “EU Regulators Issue Opinion on Mobile Apps,” March 2013.
3 The opinion also suggests improvements of “purpose limitation” in the context of the draft EU Data Protection Regulation and analyzes issues related to “open data” (i.e., accessibility of information processed by public bodies).
4 See Art. 6(1)(b) of the EU Data Protection Directive 95/46/EC.
5 Legal grounds for data processing are, e.g., consent, performance of a contract, or a company’s overriding interest.
6 A layered notice consists of multiple layers with different levels of detail, ranging from high-level information that is easy for customers to understand to more detailed information that includes all the requirements for processing.