Out-Law News 4 min. read
09 Apr 2013, 1:57 pm
The Article 29 Working Party said that organisations must "clearly and specifically" identify the purpose for which they are collecting personal data (70-page / 790KB PDF) in order to comply with data protection laws and said it was not sufficient for firms to outline "vague or general" reasons for why they are gathering the information.
Under EU data protection laws personal data must be "processed fairly and lawfully" and be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes".
In a new opinion on 'purpose limitation', the Working Party outlined examples of what it said would generally be considered unacceptable explanations of the purpose for collecting personal data. However, it said that, ultimately, it would be the "particular context in which the data are collected" as well as the "personal data involved" that would determine how descriptive organisations would need to be about the purpose of their collection of personal data.
"In some clear cases, simple language will be sufficient to provide appropriate specification, while in other cases more detail may be required," it said. "The fact that the information must be precise does not mean that longer, more detailed specifications are always necessary or helpful. Indeed, a detailed description may at times even be counter-productive. This may particularly be the case if the written, detailed specifications of purpose are overly legalistic and provide disclaimers rather than helpful information to data subjects and other stakeholders."
"In light of this, the approach of a 'layered notice' to data subjects often works well, especially on the Internet, and has thus been recommended in many situations by the [Working Party]. This means that key information is provided to data subjects in a very concise and user-friendly manner, while additional information (perhaps via a link to a more detailed description of the processing on another Internet page) is provided for the benefit of those who require further clarification," the watchdog added.
Generally though, the Working Party said that merely stating that the purpose for collecting personal data is for 'improving users' experience', 'marketing purposes', 'IT-security purposes' or 'future research' would, "without more detail - usually not meet the criteria of being ‘specific’".
In its paper the Working Party gave some practical examples about just how descriptive organisations in certain settings would need to be when specifying the purpose of personal data collection. It said that a local shop selling to local people in a small town collecting limited information about customers would not need to go into as much detail about the purpose of their data collection as large cross-border online retailers using the data they collect to "inform personalised offers and targeted advertisements" through the use of "complex analytics".
As well as meeting the 'specification' requirements, organisations that collect personal data must be "explicit" in outlining what the purpose of that collect is, the Working Party said.
"The purposes of collection must not only be specified in the minds of the persons responsible for data collection," the watchdog said. "They must also be made explicit. In other words, they must be clearly revealed, explained or expressed in some intelligible form. It follows from the previous analysis that this should happen no later than the time when the collection of personal data occurs."
"The ultimate objective of this requirement is to ensure that the purposes are specified without vagueness or ambiguity as to their meaning or intent. What is meant must be clear and should leave no doubt or difficulty in understanding. The specification of the purposes must, in particular, be expressed in such a way so as to be understood in the same way not only by the controller (including all relevant staff) and any third party processors, but also by the data protection authorities and the data subjects concerned," it added.
The Working Party said that some EU member countries have given different meaning to the word 'explicit' when transposing the existing Data Protection Directive into national laws.
"The same Latin root is used in several languages including English, Italian and French as 'explicit', 'explicite' and 'esplicite'," the Working Party said. "The original Latin verb from which these adjectives all originate is 'explicare', with the meaning of 'unfold, unravel, explain', and thus appears to imply a requirement that the purposes must be expressed and explained in some form."
"Other language versions focus on the requirement of the end-result, that the specification of the purposes must be unambiguous. See, for example, the German 'eindeutig' and the Hungarian 'egyértelmű', which can be translated as 'unambiguous', and do not necessarily require that the purposes must also be 'expressed' in any way. However, the Dutch 'uitdrukkelijk omschreven' is again similar to 'explicit'," it said.
The Working Party outlined a four-factor criterion to help businesses evaluate whether further processing activities they wish to engage in that involve processing previously collected personal data are compatible with the purposes for which that information was first collected.
It said that the "relationship between the purposes for which the data have been collected and the purposes of further processing; the context in which the data have been collected and the reasonable expectations of the data subjects as to their further use; the nature of the data and the impact of the further processing on the data subjects; [and] the safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects" should be evaluated as part of the 'compatibility assessment'.