Purpose limitation is a key personal data protection principle which requires that the collection and processing of personal data has a clearly defined purpose, and that such data cannot be reused for another purpose that is incompatible with the original purpose.
- Ensure that you only collect, process and store the necessary amount of data necessary for specified, explicit and legitimate purposes.
Already in 1995, one of the key principles of the Data Protection Directive was the principle of purpose limitation which requires that processing of personal data in the European Union has a clearly defined purpose at the time of data collection, and that such data cannot be reused for another purpose that is incompatible with the original purpose.
This principle is now reinstated in GDPR with Article 5(b) stating that personal data shall be:
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
There are concerns that advancements in big data analytics and machine learning which are are fundamentally based around the idea of repurposing data challenge the principle of purpose limitation (Forgó et al 2017). The Information Commissioner’s Office (ICO) acknowledges these concerns and responds that fairness should be a key factor in assessing the compatibility of processing purposes (ICO 2017).
Information Commissioner’s Office (ICO), Big Data, Artificial Intelligence, Machine Learning and Data Protection (2017) [Link]
Forgó, N., Hänold, S. and Schütze, B., 2017. The Principle of Purpose Limitation and Big Data. In New Technology, Big Data and the Law (pp. 17-42). Springer, Singapore.
European Parliament and the Council (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive).
European Parliament and the Council (2016), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)