Any company with more than fleeting EU contacts that handles personal data should have a clear understanding of when personal data can be used beyond its original purpose. This is a question that will emerge as companies and government agencies acquire greater volumes of personal data about customers or website users and discover new ways to use it. A hardware store may want to offer personalized discounts to shoppers based on their purchase history, or a city government may want to use grocery store customer data to encourage people with certain shopping patterns to choose healthier food. This installment of The eData Guide to GDPR discusses what companies should know about the GDPR’s restrictions on the use of data beyond its original purpose.
The question of usage beyond the original purpose is governed by the core GDPR Article 5 data processing principle of purpose limitation. According to Article 5(1)(b):
1. Personal data shall be
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).
Simply put, the purpose limitation principle of the GDPR requires that, when collecting personal data
The GDPR does not prohibit the use of personal data for purposes other than what was specified at collection, but it does place significant restrictions on the ability to do so.
Purpose limitation under the GDPR is very similar to the purpose limitation principle under the 1998 EU Privacy Directive. Under the GDPR, however, companies can specify their purposes for processing by complying with the GDPR’s transparency and documentation obligations, instead of having to register with a data protection authority (DPA) as the 1998 Directive required. Under Article 30 of the GDPR, organizations are required to keep documentation, including documentation specifying the purposes for which they process data.
Per GDPR Recital 61, organizations are required to specify those purposes in their privacy notices. Specifying the purpose of collecting data accomplishes two things: (i) the specified purpose becomes a reference point helping organizations to remain accountable for processing; and (ii) it helps data subjects make informed decisions about whether or not they want to disclose their data to organizations. Purpose specification is a necessary step toward compliance with accountability obligations, with the added benefit of establishing public trust in an organization’s data processing practices.
If an organization determines that it wants to use collected data for a different purpose than what was originally specified, the GDPR provides specific criteria to determine when this is permissible. Organizations can use data for a purpose other than what was originally specified only if one of the following criteria is met:
Making a determination of whether or not data can be used for another purpose will depend on how the data was originally collected:
Here are some examples of how to conduct the substantive, nuanced compatibility assessment required under GDPR:
Example 1. A car manufacturer wants to use motor vehicles department records to identify and contact current owners of vehicles and notify them of a faulty product and recall the cars.
A car manufacturer found a significant design flaw in one of its models and needs to recall the car to prevent accidents caused by this flaw. Product safety regulations require that car manufacturers recall the cars and notify car owners by all reasonable means of any dangerous defects, although the regulation does not specify how. Per practice developed over time, state motor vehicle departments provide the car manufacturer with updated registration records upon request so that it can contact car owners. Typically, the transfer of data from the government authority to the private company is documented by a contract providing specific guidelines on the use of the data. The contract prohibits the data from being used for other purposes, such as marketing, and adequate technical and organizational measures to protect the security of the data are implemented as well.
Is this a permitted use of personal data beyond its original purpose? The first consideration here is that the current registration information is a better source of ownership data than the auto manufacturer’s sales data, such that it is in the data subjects’ interests that they be contacted by the most reliable means of communication, minimizing the risk of accidents. This is a strong indication of compatibility between the two data uses. Furthermore, although the use of public data to contact registrants about recalls was not specifically detailed to registrants, it is arguably foreseeable, or at a minimum not inappropriate, to use the data for this specific purpose. These factors suggest that the use of registration data for the purpose of notifying car owners of a recall is compatible because (i) the use is somewhat related to the original purpose; (ii) it is clearly in the interest of the data subjects; and (iii) the data is not overly sensitive. The risk that the car manufacturer could misuse the data is real, but the contractual provisions against use of the data for other reasons are a good way to manage that risk.
This new use of personal data (photos) raises multiple data protection concerns, starting with compatibility (validity of consent, proportionality, and legitimacy are concerns here as well). Many site users would argue that they could not have expected a change of this magnitude in the usage of their photos, which they uploaded for the past two years with the understanding that the images would be shared with whom they want, when they want. They would argue that the original purpose of sharing the data (sharing pictures with friends) is entirely unrelated to this further use by the company. Importantly, the very specific assurances given at the point of initial collection further reinforce a determination of incompatibility.
The sensitive nature of the data is another important factor that bolsters the argument that this further use by the company is incompatible. At least some of the photos on the site could be intimate, embarrassing or simply of poor quality. The notion that their photos could be used for promotional purposes would have a chilling effect on site users, discouraging them from uploading certain photos and therefore having a potential negative impact on customers. The unequal bargaining power between individual site users and the company, coupled with the dearth of adequate alternatives in the marketplace, could very well contribute to a conclusion that consent alone, collected in this manner and context, cannot overcome this unexpected and potentially excessive change in usage.
As illustrated above, the determination of compatibility can depend on many factors. Taking a step back, however, the factors distill down to questions such as: (1) Is this new use foreseeable by the data subject? (2) Will this new use clearly have an adverse impact on the data subject? (3) Is there a legitimate lawful basis for this new use? and (4) Is the data being handled properly by the data controller or processor? The European Commission has provided some helpful guidelines for determining whether a new purpose is compatible with the original purpose, essentially the “compatibility test”:
If you have any questions or would like more information on the issues discussed in this installment of The eData Guide to GDPR, please contact any of the following Morgan Lewis lawyers:
 For context, the other Article 5 processing principles are as follows:
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
 Another key difference between the two regulations is that the GDPR carves out the following exceptions, as compatible and lawful purposes for further processing (GDPR Recital 50):
These examples are offered by an advisory board of DPAs (all examples are adapted from Working Party 29 Opinion 03/2013 on purpose limitation). These examples are from an opinion published in 2013, but this opinion continues to be relied upon and cited by the EU Commission in its GDPR materials (see here).