The Principle of Purpose Limitation and Big Data

Forgó, Nikolaus; Hänold, Stefanie; Schütze, Benjamin

doi:10.1007/978-981-10-5038-1_2

Nikolaus Forgó⁵,
Stefanie Hänold⁵ &
Benjamin Schütze⁵

Part of the book series: Perspectives in Law, Business and Innovation ((PLBI))

4158 Accesses
19 Citations

Abstract

In recent years, Big Data has become a dominating trend in information technology. As a buzzword, Big Data refers to the analysis of large data sets in order to find new correlations—for example, to find business or political trends or to prevent crime—and to extract valuable information from large quantities of data. As much as Big Data may be useful for better decision-making and risk or cost reduction, it also creates some legal challenges. Especially where personal data is processed in Big Data applications such methods must be reconciled with data protection laws and principles. Those principles need some further analysis and refinement in the light of technical developments. Particularly challenging in that respect is the key principle of “purpose limitation.” It provides that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. This may be difficult to achieve in Big Data scenarios. At the time personal data is collected, it may still be unclear for what purpose it will later be used. However, the blunt statement that the data is collected for (any possible) Big Data analytics is not a sufficiently specified purpose. Therefore, this contribution seeks to offer a closer analysis of the principle of purpose limitation in European data protection law in the context of Big Data applications in order to reveal legal obstacles and lawful ways to handle such obstacles.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 149.00; Price excludes VAT (USA)

Softcover Book: USD 199.99; Price excludes VAT (USA)

Hardcover Book: USD 199.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
Turner et al. (2014); Cavanillas et al. (2015), p. 3.
2.
Kanellos (2016).
3.
Kanellos (2016).
4.
Kanellos (2016).
5.
See http://www.abida.de and http://www.sobigdata.eu/ for further information.
6.
See, e.g., Zech (2012); Grützmacher (2016), pp. 485–495.
7.
See, e.g., Bundeskartellamt, Autorité de la concurrence (2016); Körber (2016), pp. 303–310; pp. 348–356.
8.
European Parliament and the Council (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
9.
European Parliament and the Council (2016), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
10.
Laney (2001).
11.
Curry (2015), p. 30.
12.
Laney (2001).
13.
An overview of the different Big Data definitions can be found in Curry (2015), p. 31.
14.
Article 29 WP, p. 9.
15.
Article 8 (2) ECHR lists national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
16.
Article 29 WP, p. 7.
17.
Council of Europe Committee of Ministers (1973) Resolution (73) 22 on the protection of privacy of individuals vis-à-vis electronic data banks in the private sector, adopted on 26 Sept 1973.
18.
Council of Europe Committee of Ministers (1973) Resolution (74) 29 on the protection of privacy of individuals vis-à-vis electronic data banks in the public sector, adopted on 20 Sept 1974.
19.
Principle 2 (c).
20.
Council of Europe (1981) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg 28 Jan 1981.
21.
Council of Europe (1981) Explanatory Report to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg 28 Jan 1981.
22.
OECD (1980) Annex to the recommendation of the Council of 23 September 1980: Guidelines governing the protection of privacy and transborder flows of personal data.
23.
OECD (2013) Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data [C(80)58/FINAL, as amended on 11 July 2013 by C(2013)79].
24.
Recital 8 Directive 95/46/EC.
25.
Article 29 WP, p. 15.
26.
Article 29 WP, p. 3.
27.
Article 29 WP, p. 15.
28.
Article 29 WP, p. 15.
29.
Article 29 WP, p. 13.
30.
Article 29 WP, p. 16; Ehmann and Helfrich (1999), p. 113.
31.
Article 29 WP, p. 16.
32.
Article 29 WP, p. 16.
33.
Article 29 WP, p. 51.
34.
Article 29 WP, p. 51.
35.
Article 29 WP, p. 51.
36.
OLG Frankfurt/M., Judgment 17 Dec 2015—6 U 30/15; LG Berlin, Judgement 19 Nov 2013—15 O 402/12; OLG Celle, Judgement 14 Nov 1979—3 U 92/79.
37.
See, e.g., Metschke and Wellbrock (2002), pp. 27–28.
38.
Article 7 (a) and Article 8 (2) (a) Directive 95/46/EC.
39.
Metschke and Wellbrock (2002), pp. 27–28.
40.
Article 29 WP, p. 17.
41.
Article 29 WP, p. 20.
42.
WMA General Assembly (2013) WMA Declaration of Helsinki—Ethical Principles for Medical Research Involving Human Subjects.
43.
Council for International Organizations of Medical Sciences (CIOMS), WHO (2008) International Ethical Guidelines for Biomedical Research Involving Human Subjects.
44.
Article 29 WP, p. 21.
45.
Article 29 WP, p. 21.
46.
National implementations of Article 7 and Article 8 Directive 95/46/EC provide legal grounds for processing personal data.
47.
Article 29 WP, p. 3.
48.
Article 29 WP, p. 28.
49.
Beyleveld (2004), p. 9.
50.
Article 29 WP, p. 28.
51.
Article 29 WP, pp. 30–32; Metschke and Wellbrock (2002), p. 16.
52.
Article 29 WP, p. 29.
53.
Article 29 WP, p. 21.
54.
Article 29 WP, p. 21.
55.
Article 29 WP, pp. 23–27.
56.
Article 29 WP, p. 40, e.g., example 15: mobile phone locations help inform traffic calming measures, p. 66.
57.
Werkmeister and Brandt (2016), p. 237.
58.
Article 29 WP, p. 16.
59.
Annex 3 of the Article 29 WP Opinion 03/2013 on purpose limitation gives a number of examples to illustrate purpose specification.
60.
OLG Frankfurt/M., Judgment 17 Dec 2015-6 U 30/15; LG Berlin, Judgement 19 Nov 2013–15 O 402/12; OLG Celle, Judgement 14 Nov 1979—3 U 92/79.
61.
Bretthauer (2016), p. 272; Wolff (2016) margin number 19.
62.
In the UK, broad consent is accepted in some instances (MRC 2011, p. 6). The legal situation in Germany is still unsettled in this regard. German courts (e.g., OLG Celle, Judgement 14 Nov 1979—3 U 92/79) have viewed the use of a broader forms of consent critically in non-medical fields of peronal data processing and it is unsure how this will be translated in medical research. The Data Protection Authorities of the Land Berlin and the Land Hessen seem not to require a consent restricted to a particular research project, but the data subject must be able to gain an idea for what research projects his data will be used for (see Metschke and Wellbrock 2002, p. 27). The working group “Biobanking” published a model broad consent form for biobanks based on recommendations of the National/German Ethics Council (Arbeitskreis Medizinischer Ethikkommissionen in der Bundesrepublik Deutschland e.V. (2013)).
63.
Bretthauer (2016), p. 272; Wolff (2016) margin number 20.
64.
Bretthauer (2016), p. 272.
65.
Handelsblatt Research Institute (2014), p. 14.
66.
Handelsblatt Research Institute (2014), p. 14; Martini (2014), p. 7; Roßnagel et al. (2016), p. 123.
67.
Raabe and Wagner (2016), p. 437; Handelsblatt Research Institute (2014), p. 14; Martini (2014), p. 15; Dix (2016), p. 60.
68.
Article 29 WP, pp. 46–47.
69.
Article 29 WP, pp. 46–47.
70.
Article 29 WP, p. 46.
71.
Information Commissioner’s Office (2014).
72.
Mayer-Schönberger and Padova (2016), p. 324.
73.
Recitals 5–9 of Regulation (EU) 2016/679; Mayer-Schönberger and Padova (2016), pp. 323–324.
74.
Article 99 (2) Regulation (EU) 2016/679.
75.
Mayer-Schönberger and Padova (2016), p. 325.
76.
Mayer-Schönberger and Padova (2016), p. 324.
77.
Article 20 Regulation (EU) 2016/679.
78.
Article 17 Regulation (EU) 2016/679.
79.
Article 33 Regulation (EU) 2016/679.
80.
Article 25 Regulation (EU) 2016/679.
81.
Schaar (2016), pp. 224–225.
82.
See elaborations made in footnote 15.
83.
Werkmeister and Brandt (2016), p. 237.
84.
European Commission (2012) Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM/2012/011 final—2012/0011 (COD)).
85.
Albrecht (2016), p. 36.
86.
This shows that the criteria catalogue is not excluding other appropriate considerations.
87.
Raabe and Wagner (2016), p. 438; Marnau (2016), p. 432.
88.
Article 29 WP, pp. 66–67.
89.
Article 29 WP, p. 25; The Article 29 Working Party had investigated a considerable number of examples for further processing which is compatible and non-compatible. See Article 29 WP, pp. 51–69.
90.
Dix (2016), pp. 60–61; Sarunski (2016), p. 427; Boehme-Neßler (2016), p. 422; Bretthauer (2016), p. 271.
91.
Mayer-Schönberger and Padova (2016), p. 326.
92.
Mayer-Schönberger and Padova (2016), p. 327.
93.
Mayer-Schönberger and Padova (2016), p. 327.
94.
Article 29 WP, pp. 27–33.
95.
Article 9 (1) Regulation (EU) 2016/679 defines special categories of personal data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
96.
Article 9 (2) (a) Regulation (EU) 2016/679. For personal data that do not qualify as special categories of personal data in the sense of Article 9 (1) Regulation (EU) 2016/679, Article 6 (1) (a) Regulation (EU) 2016/679 states that processing of such data shall be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The standard for explicit consent remains the same as under the Data Protection Directive with the result that, for example, implied consent interpreted out of the data subject’s conduct is not enough for an explicit consent in the sense of Article 9 (2) (a) Regulation (EU) 2016/679, but may be a sufficient legal basis for the processing of non-sensitive personal data in the sense of Article 6 Regulation (EU) 2016/679 (see Maldoff 2016).
97.
Recital 33 Regulation (EU) 2016/679.
98.
Article 29 WP, p. 46.
99.
European Union Agency for Network and Information Security (ENISA) (2005), pp. 17–18.
100.
European Union Agency for Network and Information Security (ENISA) (2005), pp. 17–18.

References

Albrecht JP (2016) The EU’s new data protection law—how a directive evolved into a regulation. Comput Law Rev Int 17(2):33–43
Article Google Scholar
Arbeitskreis Medizinischer Ethik-Kommissionen (2013) Mustertext zur Spende, Einlagerung und Nutzung von Biomaterialien sowie zur Erhebung, Verarbeitung und Nutzung von Daten in Biobanken. http://www.med.uni-freiburg.de/Forschung/VerantwortungForschung/mustertext-biobanken-deutsch.doc. Accessed 17 Nov 2016, English Version: http://www.ak-med-ethik-komm.de/index.php?lang=de. Accessed 17 Nov 2016
Article 29 Data Protection Working Party (2013) Opinion 03/2013 on purpose limitation, 00569/13/EN, WP 203
Google Scholar
Beyleveld D (2004) An overview of directive 95/46/EC in relation to medical research. In: Beyleveld D et al (eds) The data protection directive and medical research across Europe. Ashgate Publishing Company, Burlington
Google Scholar
Boehme-Neßler V (2016) Das Ende der Anonymität – Wie Big Data das Datenschutzrecht verändert. Datenschutz Datensich 40(7):419–423
Article Google Scholar
Bretthauer S (2016) Compliance-by-design-anforderungen bei smart data. Z Datenschutz 6(2):267–274
Google Scholar
Bundeskartellamt, Autorité de la concurrence (2016) Competition law and data. http://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Berichte/Big%20Data%20Papier.pdf;jsessionid=9F9A418331598CA75471DEA51872F638.1_cid371?__blob=publicationFile&v=2. Accessed 16 Sept 2016
Cavanillas JM, Curry E, Wahlster W (2015) The big data value opportunity. In: Cavanillas JM, Curry E, Wahlster W (eds) New horizons for a data-driven economy. Springer, Cham
Google Scholar
Curry E (2015) The big data value chain: definitions, concepts, and theoretical approaches. In: Cavanillas JM, Curry E, Wahlster W (eds) New horizons for a data-driven economy. Springer, Cham
Google Scholar
Dix A (2016) Datenschutz im Zeitalter von Big Data. Wie steht es um den Schutz der Privatsphäre. Stadtforsch Stat 29(1):59–64
Google Scholar
European Union Agency for Network and Information Security (ENISA) (2005) Privacy by design in Big Data—an overview of privacy enhancing technologies in the era of Big Data analytics. https://webcache.googleusercontent.com/search?q=cache:bsgvi1hfgTYJ:https://www.enisa.europa.eu/publications/big-data-protection/at_download/fullReport+&cd=2&hl=de&ct=clnk&gl=de&client=firefox-b-ab. Accessed 4 Oct 2016
Ehmann E, Helfrich M (1999) Kurzkommentar zur EG-Datenschutzrichtlinie. Verlag Otto Schmidt, Cologne
Google Scholar
Grützmacher M (2016) Dateneigentum – ein Flickenteppich. Comput Recht 32(8):485–495
Article Google Scholar
Handelsblatt Research Institute (2014) Datenschutz und Big Data: Ein Leitfaden für Unternehmen. http://www.umweltdialog.de/de-wAssets/docs/2014-Dokumente-zu-Artikeln/leitfaden_unternehmen.pdf. Accessed 17 Nov 2016
Information Commissioner’s Office (2014) Big Data and data protection. https://ico.org.uk/media/1541/big-data-and-data-protection.pdf. Accessed 28 Sept 2016
Kanellos M (2016) 152,000 Smart devices every minute in 2025: IDC outlines the future of smart things. http://www.forbes.com/sites/michaelkanellos/2016/03/03/152000-smart-devices-every-minute-in-2025-idc-outlines-the-future-of-smart-things/#4ec22cb069a7. Accessed 15 Aug 2016
Körber T (2016) “Ist Wissen Marktmacht?” Überlegungen zum Verhältnis von Datenschutz, “Datenmacht” und Kartellrecht – Teil 1. Neue Z Kartellr 4(7):303–310
Google Scholar
Laney D (2001) 3D data management: controlling data volume, velocity, and variety. Technical report, META Group, https://blogs.gartner.com/doug-laney/files/2012/01/ad949-3D-Data-Management-Controlling-Data-Volume-Velocity-and-Variety.pdf. Accessed 16 Aug 2016
Maldoff G (2016) Top 10 operational impacts of the GDPR: Part 3—consent https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-3-consent/. Accessed 4 Oct 2016
Marnau N (2016) Anonymisierung, Pseudonymisierung und Transparenz für Big Data. Datenschutz Datensich 40(7):428–433
Article Google Scholar
Martini M (2014) Big Data als Herausforderung für den Persönlichkeitsschutz und das Datenschutzrecht. http://www.uni-speyer.de/files/de/Lehrst%C3%BChle/Martini/PDF%20Dokumente/Typoskripte/BigData-TyposkriptiSd%C2%A738IVUrhG.pdf. Accessed 17 Nov 2016
Mayer-Schönberger V, Padova Y (2016) Regime change? Enabling big data through Europe’s new data protection regulation. Columbia Sci Technol Law Rev 17:315–335
Google Scholar
Medical Research Council (2011) MRC Policy and Guidance on Sharing of Research Data from Population and Patient Studies. http://www.mrc.ac.uk/publications/browse/mrc-policy-and-guidance-on-sharing-of-research-data-from-population-and-patient-studies/. Accessed 29 Sept 2016
Metschke R, Wellbrock R (2002) Berliner Beauftragter für Datenschutz und Informationsfreiheit, Hessischer Datenschutzbeauftragter, Datenschutz in Wissenschaft und Forschung. https://datenschutz-berlin.de/attachments/47/Materialien28.pdf?1166527077. Accessed 28 Sept 2016
Raabe O, Wagner M (2016) Verantwortlicher Einsatz von Big Data. Datenschutz Datensich 40(7):434–439
Article Google Scholar
Roßnagel A et al (2016) Datenschutzrecht 2016 “Smart” genug für die Zukunft. Kassel University Press GmbH, Kassel
Google Scholar
Sarunski M (2016) Big Data—Ende der Anonymität? Fragen aus Sicht der Datenschutzaufsichtsbehörde Mecklenburg-Vorpommern. Datenschutz Datensich 40(7):424–427
Article Google Scholar
Schaar K (2016) DS-GVO: Geänderte Vorgaben für die Wissenschaft—Was sind die neuen Rahmenbedingungen und welche Fragen bleiben offen? Z Datenschutz 6(5):224–226
Google Scholar
Turner V et al (2014) The digital universe of opportunities: rich data and the increasing value of the Internet of Things. Rep. from IDC EMC. https://www.emc.com/collateral/analyst-reports/idc-digital-universe-2014.pdf. Accessed 15 Aug 2016
Werkmeister C, Brandt E (2016) Datenschutzrechtliche Herausforderungen für Big Data. Comput Recht 32(4):233–238
Article Google Scholar
Wolff H (2016) In: Wolff HA, Brink S (eds) Beck’scher Online Kommentar Datenschutzrecht, Prinzipien des Datenschutzrechts. https://beck-online.beck.de/Home. Accessed 17 Nov 2016
Zech H (2012) Information als Schutzgegenstand. Mohr Siebeck Verlag, Tübingen
Google Scholar

Download references

Acknowledgements

This work has been supported by the EU project SoBigData (http://www.sobigdata.eu/) which receives funding from the European Union’s Horizon 2020 research and innovation program under grant agreement No. 654024 and the German national project ABIDA (http://www.abida.de/) which has been funded by the Bundesminsterium für Bildung und Forschung (BMBF). The authors would like to thank Marc Stauch for his valuable support.

Author information

Authors and Affiliations

Institute for Legal Informatics, Leibniz Universität Hannover, Hannover, Germany
Nikolaus Forgó, Stefanie Hänold & Benjamin Schütze

Authors

Nikolaus Forgó
View author publications
You can also search for this author in PubMed Google Scholar
Stefanie Hänold
View author publications
You can also search for this author in PubMed Google Scholar
Benjamin Schütze
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nikolaus Forgó .

Editor information

Editors and Affiliations

Institute for Legal Informatics, Leibniz Universität Hannover, Hannover, Japan
Marcelo Corrales
Faculty of Law, Kyushu University, Fukuoka, Japan
Mark Fenwick
Institute for Legal Informatics, Leibniz Universität Hannover, Hannover, Germany
Nikolaus Forgó

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Forgó, N., Hänold, S., Schütze, B. (2017). The Principle of Purpose Limitation and Big Data. In: Corrales, M., Fenwick, M., Forgó, N. (eds) New Technology, Big Data and the Law. Perspectives in Law, Business and Innovation. Springer, Singapore. https://doi.org/10.1007/978-981-10-5038-1_2

Download citation

DOI: https://doi.org/10.1007/978-981-10-5038-1_2
Published: 05 September 2017
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-5037-4
Online ISBN: 978-981-10-5038-1
eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics