Abstract
In recent years, Big Data has become a dominating trend in information technology. As a buzzword, Big Data refers to the analysis of large data sets in order to find new correlations—for example, to find business or political trends or to prevent crime—and to extract valuable information from large quantities of data. As much as Big Data may be useful for better decision-making and risk or cost reduction, it also creates some legal challenges. Especially where personal data is processed in Big Data applications, such methods must be reconciled with data protection laws and principles. Those principles need some further analysis and refinement in the light of technical developments. Particularly challenging in that respect is the key principle of “purpose limitation.” It provides that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. This may be difficult to achieve in Big Data scenarios. At the time personal data is collected, it may still be unclear for what purpose it will later be used. However, the blunt statement that the data is collected for (any possible) Big Data analytics is not a sufficiently specified purpose. Therefore, this contribution seeks to offer a closer analysis of the principle of purpose limitation in European data protection law in the context of Big Data applications in order to reveal legal obstacles and lawful ways to handle such obstacles.
Notes
- 1.
- 2.
Kanellos (2016).
- 3.
Kanellos (2016).
- 4.
Kanellos (2016).
- 5.
See http://www.abida.de and http://www.sobigdata.eu/ for further information.
- 6.
- 7.
- 8.
European Parliament and the Council (1995) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- 9.
European Parliament and the Council (2016), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- 10.
Laney (2001).
- 11.
Curry (2015), p. 30.
- 12.
Laney (2001).
- 13.
An overview of the different Big Data definitions can be found in Curry (2015), p. 31.
- 14.
Article 29 WP, p. 9.
- 15.
Article 8 (2) ECHR lists national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
- 16.
Article 29 WP, p. 7.
- 17.
Council of Europe Committee of Ministers (1973) Resolution (73) 22 on the protection of privacy of individuals vis-à-vis electronic data banks in the private sector, adopted on 26 Sept 1973.
- 18.
Council of Europe Committee of Ministers (1973) Resolution (74) 29 on the protection of privacy of individuals vis-à-vis electronic data banks in the public sector, adopted on 20 Sept 1974.
- 19.
Principle 2 (c).
- 20.
Council of Europe (1981) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg 28 Jan 1981.
- 21.
Council of Europe (1981) Explanatory Report to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg 28 Jan 1981.
- 22.
OECD (1980) Annex to the recommendation of the Council of 23 September 1980: Guidelines governing the protection of privacy and transborder flows of personal data.
- 23.
OECD (2013) Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data [C(80)58/FINAL, as amended on 11 July 2013 by C(2013)79].
- 24.
Recital 8 Directive 95/46/EC.
- 25.
Article 29 WP, p. 15.
- 26.
Article 29 WP, p. 3.
- 27.
Article 29 WP, p. 15.
- 28.
Article 29 WP, p. 15.
- 29.
Article 29 WP, p. 13.
- 30.
Article 29 WP, p. 16; Ehmann and Helfrich (1999), p. 113.
- 31.
Article 29 WP, p. 16.
- 32.
Article 29 WP, p. 16.
- 33.
Article 29 WP, p. 51.
- 34.
Article 29 WP, p. 51.
- 35.
Article 29 WP, p. 51.
- 36.
OLG Frankfurt/M., Judgment 17 Dec 2015—6 U 30/15; LG Berlin, Judgement 19 Nov 2013—15 O 402/12; OLG Celle, Judgement 14 Nov 1979—3 U 92/79.
- 37.
See, e.g., Metschke and Wellbrock (2002), pp. 27–28.
- 38.
Article 7 (a) and Article 8 (2) (a) Directive 95/46/EC.
- 39.
Metschke and Wellbrock (2002), pp. 27–28.
- 40.
Article 29 WP, p. 17.
- 41.
Article 29 WP, p. 20.
- 42.
WMA General Assembly (2013) WMA Declaration of Helsinki—Ethical Principles for Medical Research Involving Human Subjects.
- 43.
Council for International Organizations of Medical Sciences (CIOMS), WHO (2008) International Ethical Guidelines for Biomedical Research Involving Human Subjects.
- 44.
Article 29 WP, p. 21.
- 45.
Article 29 WP, p. 21.
- 46.
National implementations of Article 7 and Article 8 Directive 95/46/EC provide legal grounds for processing personal data.
- 47.
Article 29 WP, p. 3.
- 48.
Article 29 WP, p. 28.
- 49.
Beyleveld (2004), p. 9.
- 50.
Article 29 WP, p. 28.
- 51.
Article 29 WP, pp. 30–32; Metschke and Wellbrock (2002), p. 16.
- 52.
Article 29 WP, p. 29.
- 53.
Article 29 WP, p. 21.
- 54.
Article 29 WP, p. 21.
- 55.
Article 29 WP, pp. 23–27.
- 56.
Article 29 WP, p. 40, e.g., example 15: mobile phone locations help inform traffic calming measures, p. 66.
- 57.
Werkmeister and Brandt (2016), p. 237.
- 58.
Article 29 WP, p. 16.
- 59.
Annex 3 of the Article 29 WP Opinion 03/2013 on purpose limitation gives a number of examples to illustrate purpose specification.
- 60.
OLG Frankfurt/M., Judgment 17 Dec 2015—6 U 30/15; LG Berlin, Judgement 19 Nov 2013—15 O 402/12; OLG Celle, Judgement 14 Nov 1979—3 U 92/79.
- 61.
- 62.
In the UK, broad consent is accepted in some instances (MRC 2011, p. 6). The legal situation in Germany is still unsettled in this regard. German courts (e.g., OLG Celle, Judgement 14 Nov 1979—3 U 92/79) have viewed the use of broader forms of consent critically in non-medical fields of personal data processing, and it is uncertain how this will be translated to medical research. The Data Protection Authorities of the Land Berlin and the Land Hessen seem not to require a consent restricted to a particular research project, but the data subject must be able to gain an idea of what research projects his data will be used for (see Metschke and Wellbrock 2002, p. 27). The working group “Biobanking” published a model broad consent form for biobanks based on recommendations of the National/German Ethics Council (Arbeitskreis Medizinischer Ethikkommissionen in der Bundesrepublik Deutschland e.V. (2013)).
- 63.
- 64.
Bretthauer (2016), p. 272.
- 65.
Handelsblatt Research Institute (2014), p. 14.
- 66.
- 67.
- 68.
Article 29 WP, pp. 46–47.
- 69.
Article 29 WP, pp. 46–47.
- 70.
Article 29 WP, p. 46.
- 71.
Information Commissioner’s Office (2014).
- 72.
Mayer-Schönberger and Padova (2016), p. 324.
- 73.
Recitals 5–9 of Regulation (EU) 2016/679; Mayer-Schönberger and Padova (2016), pp. 323–324.
- 74.
Article 99 (2) Regulation (EU) 2016/679.
- 75.
Mayer-Schönberger and Padova (2016), p. 325.
- 76.
Mayer-Schönberger and Padova (2016), p. 324.
- 77.
Article 20 Regulation (EU) 2016/679.
- 78.
Article 17 Regulation (EU) 2016/679.
- 79.
Article 33 Regulation (EU) 2016/679.
- 80.
Article 25 Regulation (EU) 2016/679.
- 81.
Schaar (2016), pp. 224–225.
- 82.
See elaborations made in footnote 15.
- 83.
Werkmeister and Brandt (2016), p. 237.
- 84.
European Commission (2012) Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM/2012/011 final—2012/0011 (COD)).
- 85.
Albrecht (2016), p. 36.
- 86.
This shows that the criteria catalogue is not excluding other appropriate considerations.
- 87.
- 88.
Article 29 WP, pp. 66–67.
- 89.
Article 29 WP, p. 25; The Article 29 Working Party had investigated a considerable number of examples for further processing which is compatible and non-compatible. See Article 29 WP, pp. 51–69.
- 90.
- 91.
Mayer-Schönberger and Padova (2016), p. 326.
- 92.
Mayer-Schönberger and Padova (2016), p. 327.
- 93.
Mayer-Schönberger and Padova (2016), p. 327.
- 94.
Article 29 WP, pp. 27–33.
- 95.
Article 9 (1) Regulation (EU) 2016/679 defines special categories of personal data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
- 96.
Article 9 (2) (a) Regulation (EU) 2016/679. For personal data that do not qualify as special categories of personal data in the sense of Article 9 (1) Regulation (EU) 2016/679, Article 6 (1) (a) Regulation (EU) 2016/679 states that processing of such data shall be lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The standard for explicit consent remains the same as under the Data Protection Directive with the result that, for example, implied consent interpreted out of the data subject’s conduct is not enough for an explicit consent in the sense of Article 9 (2) (a) Regulation (EU) 2016/679, but may be a sufficient legal basis for the processing of non-sensitive personal data in the sense of Article 6 Regulation (EU) 2016/679 (see Maldoff 2016).
- 97.
Recital 33 Regulation (EU) 2016/679.
- 98.
Article 29 WP, p. 46.
- 99.
European Union Agency for Network and Information Security (ENISA) (2005), pp. 17–18.
- 100.
European Union Agency for Network and Information Security (ENISA) (2005), pp. 17–18.
References
Albrecht JP (2016) The EU’s new data protection law—how a directive evolved into a regulation. Comput Law Rev Int 17(2):33–43
Arbeitskreis Medizinischer Ethik-Kommissionen (2013) Mustertext zur Spende, Einlagerung und Nutzung von Biomaterialien sowie zur Erhebung, Verarbeitung und Nutzung von Daten in Biobanken. http://www.med.uni-freiburg.de/Forschung/VerantwortungForschung/mustertext-biobanken-deutsch.doc. Accessed 17 Nov 2016, English Version: http://www.ak-med-ethik-komm.de/index.php?lang=de. Accessed 17 Nov 2016
Article 29 Data Protection Working Party (2013) Opinion 03/2013 on purpose limitation, 00569/13/EN, WP 203
Beyleveld D (2004) An overview of directive 95/46/EC in relation to medical research. In: Beyleveld D et al (eds) The data protection directive and medical research across Europe. Ashgate Publishing Company, Burlington
Boehme-Neßler V (2016) Das Ende der Anonymität – Wie Big Data das Datenschutzrecht verändert. Datenschutz Datensich 40(7):419–423
Bretthauer S (2016) Compliance-by-design-anforderungen bei smart data. Z Datenschutz 6(2):267–274
Bundeskartellamt, Autorité de la concurrence (2016) Competition law and data. http://www.bundeskartellamt.de/SharedDocs/Publikation/DE/Berichte/Big%20Data%20Papier.pdf;jsessionid=9F9A418331598CA75471DEA51872F638.1_cid371?__blob=publicationFile&v=2. Accessed 16 Sept 2016
Cavanillas JM, Curry E, Wahlster W (2015) The big data value opportunity. In: Cavanillas JM, Curry E, Wahlster W (eds) New horizons for a data-driven economy. Springer, Cham
Curry E (2015) The big data value chain: definitions, concepts, and theoretical approaches. In: Cavanillas JM, Curry E, Wahlster W (eds) New horizons for a data-driven economy. Springer, Cham
Dix A (2016) Datenschutz im Zeitalter von Big Data. Wie steht es um den Schutz der Privatsphäre. Stadtforsch Stat 29(1):59–64
European Union Agency for Network and Information Security (ENISA) (2005) Privacy by design in Big Data—an overview of privacy enhancing technologies in the era of Big Data analytics. https://webcache.googleusercontent.com/search?q=cache:bsgvi1hfgTYJ:https://www.enisa.europa.eu/publications/big-data-protection/at_download/fullReport+&cd=2&hl=de&ct=clnk&gl=de&client=firefox-b-ab. Accessed 4 Oct 2016
Ehmann E, Helfrich M (1999) Kurzkommentar zur EG-Datenschutzrichtlinie. Verlag Otto Schmidt, Cologne
Grützmacher M (2016) Dateneigentum – ein Flickenteppich. Comput Recht 32(8):485–495
Handelsblatt Research Institute (2014) Datenschutz und Big Data: Ein Leitfaden für Unternehmen. http://www.umweltdialog.de/de-wAssets/docs/2014-Dokumente-zu-Artikeln/leitfaden_unternehmen.pdf. Accessed 17 Nov 2016
Information Commissioner’s Office (2014) Big Data and data protection. https://ico.org.uk/media/1541/big-data-and-data-protection.pdf. Accessed 28 Sept 2016
Kanellos M (2016) 152,000 Smart devices every minute in 2025: IDC outlines the future of smart things. http://www.forbes.com/sites/michaelkanellos/2016/03/03/152000-smart-devices-every-minute-in-2025-idc-outlines-the-future-of-smart-things/#4ec22cb069a7. Accessed 15 Aug 2016
Körber T (2016) “Ist Wissen Marktmacht?” Überlegungen zum Verhältnis von Datenschutz, “Datenmacht” und Kartellrecht – Teil 1. Neue Z Kartellr 4(7):303–310
Laney D (2001) 3D data management: controlling data volume, velocity, and variety. Technical report, META Group, https://blogs.gartner.com/doug-laney/files/2012/01/ad949-3D-Data-Management-Controlling-Data-Volume-Velocity-and-Variety.pdf. Accessed 16 Aug 2016
Maldoff G (2016) Top 10 operational impacts of the GDPR: Part 3—consent https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-3-consent/. Accessed 4 Oct 2016
Marnau N (2016) Anonymisierung, Pseudonymisierung und Transparenz für Big Data. Datenschutz Datensich 40(7):428–433
Martini M (2014) Big Data als Herausforderung für den Persönlichkeitsschutz und das Datenschutzrecht. http://www.uni-speyer.de/files/de/Lehrst%C3%BChle/Martini/PDF%20Dokumente/Typoskripte/BigData-TyposkriptiSd%C2%A738IVUrhG.pdf. Accessed 17 Nov 2016
Mayer-Schönberger V, Padova Y (2016) Regime change? Enabling big data through Europe’s new data protection regulation. Columbia Sci Technol Law Rev 17:315–335
Medical Research Council (2011) MRC Policy and Guidance on Sharing of Research Data from Population and Patient Studies. http://www.mrc.ac.uk/publications/browse/mrc-policy-and-guidance-on-sharing-of-research-data-from-population-and-patient-studies/. Accessed 29 Sept 2016
Metschke R, Wellbrock R (2002) Berliner Beauftragter für Datenschutz und Informationsfreiheit, Hessischer Datenschutzbeauftragter, Datenschutz in Wissenschaft und Forschung. https://datenschutz-berlin.de/attachments/47/Materialien28.pdf?1166527077. Accessed 28 Sept 2016
Raabe O, Wagner M (2016) Verantwortlicher Einsatz von Big Data. Datenschutz Datensich 40(7):434–439
Roßnagel A et al (2016) Datenschutzrecht 2016 “Smart” genug für die Zukunft. Kassel University Press GmbH, Kassel
Sarunski M (2016) Big Data—Ende der Anonymität? Fragen aus Sicht der Datenschutzaufsichtsbehörde Mecklenburg-Vorpommern. Datenschutz Datensich 40(7):424–427
Schaar K (2016) DS-GVO: Geänderte Vorgaben für die Wissenschaft—Was sind die neuen Rahmenbedingungen und welche Fragen bleiben offen? Z Datenschutz 6(5):224–226
Turner V et al (2014) The digital universe of opportunities: rich data and the increasing value of the Internet of Things. Rep. from IDC EMC. https://www.emc.com/collateral/analyst-reports/idc-digital-universe-2014.pdf. Accessed 15 Aug 2016
Werkmeister C, Brandt E (2016) Datenschutzrechtliche Herausforderungen für Big Data. Comput Recht 32(4):233–238
Wolff H (2016) In: Wolff HA, Brink S (eds) Beck’scher Online Kommentar Datenschutzrecht, Prinzipien des Datenschutzrechts. https://beck-online.beck.de/Home. Accessed 17 Nov 2016
Zech H (2012) Information als Schutzgegenstand. Mohr Siebeck Verlag, Tübingen
Acknowledgements
This work has been supported by the EU project SoBigData (http://www.sobigdata.eu/), which receives funding from the European Union’s Horizon 2020 research and innovation program under grant agreement No. 654024, and the German national project ABIDA (http://www.abida.de/), which has been funded by the Bundesministerium für Bildung und Forschung (BMBF). The authors would like to thank Marc Stauch for his valuable support.
Copyright information
© 2017 Springer Nature Singapore Pte Ltd.
About this chapter
Cite this chapter
Forgó, N., Hänold, S., Schütze, B. (2017). The Principle of Purpose Limitation and Big Data. In: Corrales, M., Fenwick, M., Forgó, N. (eds) New Technology, Big Data and the Law. Perspectives in Law, Business and Innovation. Springer, Singapore. https://doi.org/10.1007/978-981-10-5038-1_2
DOI: https://doi.org/10.1007/978-981-10-5038-1_2
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-5037-4
Online ISBN: 978-981-10-5038-1
eBook Packages: Law and Criminology (R0)