Common Position Of EU Data Protection Authorities On The Limitation Of Purposes For Personal Data Processing

Author: Mr Vincent Wellens, Julien Hick and Jacqueline Van Essen

"Neither too general so as to be meaningless, nor too specific so as to be overly rigid"

On 2 April 2013, the Article 29 Working Party ("WP"), an advisory body composed of representatives of the European Commission, the EU data protection supervisor and the data protection authorities of all EU Member States, issued Opinion 03/2013 on Purpose Limitation ("Opinion"). The Opinion seeks to clarify the purpose limitation principle of Article 6(1)(b) of Data Protection Directive 95/46/EC ("DPD") which, with a view to protecting data subjects from unexpected and excessive processing, sets a limit on the processing that a data controller may carry out in relation to personal data collected. The principle dictates that the purposes of the processing must be "specified, explicit and legitimate" and that any further processing cannot take place "in a way incompatible with those purposes".

There has been some divergence in the interpretation of these aspects, which the WP aims to alleviate through its Opinion. It seeks to offer guidance on the scope of the terms in addition to providing several practical examples of what might and might not be considered legitimate. The Opinion is intended to strengthen the protection for data subjects, while providing some flexibility for businesses in terms of how to assess the legitimacy of the processing as well as compatibility of further processing. The practical examples seem to suggest that many of the purposes stated in privacy policies are not specific enough and that the compatibility requirement may be an obstacle to recent trends such as the phenomenon of big data, i.e., the availability of gigantic datasets which are extensively analysed using computer algorithms. Therefore, the suggested flexibility might be difficult to attain for larger businesses.

The Opinion furthermore proposes a number of amendments to the proposed General Data Protection Regulation, introducing assessment mechanisms for further processing as well as limiting the proposal's scope of lawful processing.

Specified, explicit and legitimate purposes

The Opinion clarifies that the purposes must be communicated to the data subject at the latest at the point where the collection of the data commences.

For the purposes to be specified, they should be identified clearly enough to determine the extent of the processing. Specifically, purposes such as "improving user experiences", "marketing purposes", "IT-security purposes" or "future...
