
GDPR: When Is It Permissible to Use Data Beyond Its Original Purpose?

The eData Guide to GDPR

October 24, 2018

Any company with more than fleeting EU contacts that handles personal data should have a clear understanding of when personal data can be used beyond its original purpose. This is a question that will emerge as companies and government agencies acquire greater volumes of personal data about customers or website users and discover new ways to use it. A hardware store may want to offer personalized discounts to shoppers based on their purchase history, or a city government may want to use grocery store customer data to encourage people with certain shopping patterns to choose healthier food.[1] This installment of The eData Guide to GDPR discusses what companies should know about the GDPR’s restrictions on the use of data beyond its original purpose.

Usage beyond the original purpose is embedded in the core GDPR Article 5 data processing principle of purpose limitation.[2] According to Article 5(1)(b):

1. Personal data shall be

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).

Simply put, the purpose limitation principle of the GDPR requires that, when collecting personal data:

  • you must express clearly to the data subject the purpose for the processing of his or her data from the outset;
  • your purposes must be set forth in privacy information provided to data subjects and must be documented as part of your record-keeping activities;
  • you must comply with your transparency obligations to inform data subjects (individuals whose data you are processing); and
  • you must make sure that, if you ever intend to use data for any purpose other than what was originally specified, the further use is compatible with the original purpose or you get specific consent for the new purpose, i.e., the new use is lawful, fair, and transparent.[3]

The GDPR does not prohibit the use of personal data for purposes other than what was specified at collection, but it does place significant restrictions on the ability to do so.

Purpose limitation under the GDPR is very similar to the purpose limitation principle under the 1998 EU Privacy Directive.[4] Under the GDPR, however, companies can specify their purposes for processing by complying with the GDPR’s transparency and documentation obligations, instead of having to register with a data protection authority (DPA) as the 1998 Directive required.[5] Under Article 30 of the GDPR, organizations are required to keep documentation, including documentation specifying the purposes for which they process data.

Purpose Specification

Per GDPR Recital 61, organizations are required to specify those purposes in their privacy notices. Specifying the purpose of collecting data accomplishes two things: (i) the specified purpose becomes a reference point helping organizations to remain accountable for processing; and (ii) it helps data subjects make informed decisions about whether or not they want to disclose their data to organizations. Purpose specification is a necessary step toward compliance with accountability obligations, with the added benefit of establishing public trust in an organization’s data processing practices.

If an organization determines that it wants to use collected data for a different purpose than what was originally specified, the GDPR provides specific criteria to determine when this is permissible. Organizations can use data for a purpose other than what was originally specified only if one of the following criteria is met:

  • The new purpose is compatible with the original purpose. For example, a bank that provides a customer with a checking account can use that customer’s personal information to offer them a different type of checking account and informs the client that it will do so
  • The organization gets the individual’s specific consent for the further/new purpose
  • The new purpose is clearly required or allowed by law, in the public interest

Making a determination of whether or not data can be used for another purpose will depend on how the data was originally collected:

  • If the data was collected on the basis of consent or pursuant to a legal requirement, then it cannot be used for another purpose unless new consent is obtained or a new legal basis is established
  • If, however, the data was collected on the basis of legitimate interest, vital interests, or a contract, then the data can be used for another purpose if that purpose is compatible with the original purpose. The assessment of compatibility is often complex

Compatibility Assessment

Here are some examples of how to conduct the substantive, nuanced compatibility assessment required under GDPR:[6]

Example 1. A car manufacturer wants to use motor vehicles department records to identify and contact current owners of vehicles and notify them of a faulty product and recall the cars.

A car manufacturer found a significant design flaw in one of its models and needs to recall the car to prevent accidents caused by this flaw. Product safety regulations require that car manufacturers recall the cars and notify car owners by all reasonable means of any dangerous defects, although the regulation does not specify how. Per practice developed over time, state motor vehicle departments provide the car manufacturer with updated registration records upon request so that they can contact car owners. Typically, the transfer of data from the government authority to the private company is documented by a contract providing specific guidelines on the use of the data. The contract prohibits the data from being used for other purposes such as marketing, and adequate technical and organizational measures to protect the security of the data are implemented as well.

Is this a permitted use of personal data beyond its original purpose? The first consideration here is that the current registration information is a better source of ownership data than the auto manufacturer’s sales data, such that it is in the data subjects’ interests that they be contacted by the most reliable means of communication, minimizing the risk of accidents. This is a strong indication of compatibility among data uses. Furthermore, although the use of public data to contact registrants about recalls was not specifically detailed to registrants, it is arguably foreseeable, or at a minimum not inappropriate, to use the data for this specific purpose. These factors suggest that the use of registration data for the purpose of notifying car owners of a recall is compatible because (i) the use is somewhat related to the original purpose; (ii) it is clearly in the interest of the data subjects; and (iii) the data is not overly sensitive. The risk that the car manufacturer could misuse the data is real, but the contractual provisions against use of data for other reasons are a good way to manage that risk.

Example 2. A photo-sharing website changes its privacy policy.

A social media company that is dominant in the marketplace operates a website allowing site users to upload photos and share them with people of their choosing. The website’s privacy notice says that photos posted by site users will be shared only “with whom they want, when they want.” Two years after the site’s launch, the company emails site users announcing a policy change under which the site users will be deemed to have given consent to the use of their photos by the company for any purpose, including site promotion, unless they remove the photos in the next 30 days. A detailed privacy policy and license agreement are provided in the email as well as on the site whenever anyone visits it. The site user must acknowledge and accept these documents in order to continue navigating the site.

This new use of personal data (photos) raises multiple data protection concerns, starting with compatibility (validity of consent, proportionality, and legitimacy are concerns here as well). Many site users would argue that they could not have expected a change of this magnitude in the usage of their photos, which they uploaded for the past two years with the understanding the images would be shared with whom they want, when they want. They would argue that the original purpose of sharing the data (sharing pictures with friends) is entirely unrelated to this further use by the company. Importantly, the very specific assurances given at the point of initial collection further reinforce a determination of incompatibility.

The sensitive nature of the data is another important factor that bolsters the argument that this further use by the company is incompatible. At least some of the photos on the site could be intimate, embarrassing or simply poor quality. The notion that their photos could be used for promotional purposes would have a chilling effect on site users, discouraging them from uploading certain photos and therefore having a potential negative impact on customers. The unequal bargaining power between individual site users and the company, coupled with the dearth of adequate alternatives in the marketplace, could very well contribute to a conclusion that consent alone, collected in this manner and context, cannot overcome this unexpected and potentially excessive change in usage.

As illustrated above, the determination of compatibility can depend on many factors. Taking a step back, however, the factors distill down to questions such as (1) Is this new use foreseeable by the data subject? (2) Will this new use clearly have an adverse impact on the data subject? (3) Is there a legitimate lawful basis for this new use? and (4) Is the data being handled properly by the data controller or processor? The European Commission has provided some helpful guidelines for determining if a new purpose is compatible with the original purpose, essentially, the “compatibility test”:[7]

  • Consider the link between the original purpose and the new/upcoming purpose
  • Consider the context in which the data was collected (the relationship between the company and the data subject)
  • Consider the type and nature of the data; sensitive data will trigger greater scrutiny of compatibility
  • Consider the possible consequences of the further processing and how it would affect the individual
  • Are appropriate safeguards in place, such as encryption or pseudonymization?


[1] For more information on these examples, see the Article 29 Data Protection Working Party Opinion 03/2013 on purpose limitation, pages 58 and 61.

[2] For context, the other Article 5 processing principles are as follows:

  • Lawfulness, fairness, and transparency
  • Data Minimization
  • Accuracy
  • Storage Limitation
  • Integrity and confidentiality
  • Accountability

[3] Information Commissioner’s Office, Principle (b): Purpose limitation.

[4] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[5] Another key difference between the two regulations is that the GDPR carves out the following exceptions, as compatible and lawful purposes for further processing (GDPR Recital 50):

  • Archiving purposes in the public interest
  • Scientific or historical research purposes
  • Statistical purposes

[6] These examples are offered by an advisory board of DPAs (all examples are adapted from Working Party 29 Opinion 03/2013 on purpose limitation). These examples are from an opinion published in 2013, but this opinion continues to be relied upon and cited by the EU Commission in its GDPR materials.