Secondary Use
30 March 2021 / in News / by Justin Loew
I. Introduction
Businesses increasingly notice that data collected for one purpose turns out to be useful for another purpose at a later stage. A camera installed for security purposes may be useful to watch employees at work. Similarly, logging data of virtual desktops may be used to monitor working hours of an employee. But is this legally allowed? In both scenarios the data is processed for an initial goal, and it later turns out that it may also be handy for another, additional purpose. This practice of further processing is sometimes also referred to as secondary use, and when it concerns personal data of individuals in Europe (so-called ‘data subjects’) the GDPR applies. Usually, our gut feeling will be able to tell us whether or not such secondary use is compatible; however, some scenarios are less clear-cut and require a more in-depth analysis. In this article we briefly summarize the requirements to permit such further processing, provide practical tips and guiding questions, and finish with some illustrative examples.
II. Legal Requirements
The General Data Protection Regulation EU 2016/679 (GDPR) is the European core piece of legislation that regulates the processing of personal data. For the purposes of this article, it is assumed that you are processing personal data lawfully pursuant to Article 6 GDPR and, if applicable, Article 9 GDPR, in case you process special categories of personal data. The applicable legal ground must hold both for the original purpose as well as for further processing.
Article 6(4) GDPR is meant to facilitate and promote the European data economy. It allows personal data processed for one purpose to be processed for another purpose, as long as one of three scenarios applies:
- It is based on the data subject’s consent;
- It is based on an EU or Member State law restriction as referred to in Article 23 GDPR;
- Its purpose is compatible with the purpose for which the data was initially collected.
In this article we will focus on the third scenario: compatibility of a purpose and how to assess it, including the specific scenario of processing for archiving, research and statistical purposes. This is illustrated in the diagram below:
To assess the compatibility of a purpose Article 6(4) GDPR lists five matters that need to be considered:
- any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
- the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
- the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9 GDPR, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10 GDPR;
- the possible consequences of the intended further processing for data subjects;
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.
When assessing the compatibility, it is important to keep in mind that the notions of legal ground and compatibility are cumulative. This means that further processing (secondary use) of already obtained data needs to continue to fulfil the legal ground from Article 6 GDPR that the initial processing is based on (and possibly an Article 9 GDPR ground if special categories of personal data are processed) and, on top of that, be deemed compatible according to the compatibility assessment. In other words, one cannot simply consider the further processing as a new processing activity disconnected from the previous one and circumvent the compatibility assessment by using one of the legal grounds in Article 6 GDPR to legitimise the processing.
III. Compatibility Assessment – Guidelines and Guiding Questions
The Article 29 Working Party (WP29) has written guidelines in which they also discuss the compatibility assessment of purposes (Article 29 Working Party Opinion 03/2013). Although these guidelines were written under the legal regime that preceded the GDPR, the reasoning is still applicable today. Below we have summarized their guidelines and added questions that may help guide the compatibility assessment of further processing.
3.1 Compatibility Assessment
Any link between the purposes
For this factor the relationship between the initial and secondary purpose is important. Perhaps the secondary purpose was already more or less implied in the initial purpose or assumed as a logical next step. An example may be that a customer orders online and submits their address for the products to be delivered. Processing the address to determine which branch is closest and therefore best suited for delivery would be compatible further processing, as it is a logical step with a close relationship to the initial purpose. The more distant the relationship between the purposes, the more problematic the further processing.
Questions to ask:
- Could the data subject reasonably expect this further processing when first submitting their personal data?
- Does the secondary purpose follow logically from the initial purpose?
- How are the initial and the second purpose linked? How close is this link?
Context of data collection, in particular the relationship between data subject and controller
The context of data collection is crucial. It covers the nature of the relationship between controller and data subject and takes customary and generally expected practice into account. It is important to consider whether the data subject can easily deny providing certain data without this having consequences for them. Special care must also be taken to consider the reasonable line of expectations of data subjects as well as the context of initial collection. The more specific and restrictive this context was (for example as part of a legal obligation), the less likely further processing is going to be possible. In an employer-employee relationship, for instance, it is fair to assume that there is a power imbalance and so further processing is more critical. Data subjects are less likely to deny the provision of data as this may affect them adversely, or, even if it does not, they may think so and out of fear of consequences submit data they would rather not submit.
Questions to ask:
- Is there a power imbalance?
- Does it have any consequences for the data subject if they refuse to hand over certain data?
- May they fear such consequences regardless?
- Do data subjects have a choice to not submit the requested personal data?
The nature of the personal data, in particular special categories and criminal data
In general, the more sensitive the data involved, the narrower the scope for compatible use. Sensitive data includes special categories (Article 9 GDPR) and criminal data (Article 10 GDPR), but is to be understood more broadly as data encroaching upon more intimate details of an individual. In this way, data such as social security numbers, (live) location data and communication data are also sensitive. Besides the sensitivity of the data, other factors should also be considered, such as the amount of data, whether they are shared with a third party, or which other data they are combined with.
Questions to ask:
- Does this data point to (more) intimate details of the data subject’s life?
- Does it concern special categories (Article 9 GDPR) or criminal data (Article 10 GDPR)?
- Does it concern large amounts of data?
- Does the data paint a detailed picture?
Possible consequences of the intended further processing for data subjects
This factor requires the controller to view the processing from the data subject’s perspective. To consider the impact it is important to understand the context in which the initial processing took place, the context of the envisioned secondary use and potential other contexts as well as how these contexts may differ and what the impact is of this difference. An example may be that while data pertaining to criminal convictions may be purely informative within a correctional facility to assess how to deal with and where to place an inmate, it may cause discrimination in another context. Besides obvious adverse outcomes it is also important to consider the emotional impact further processing (and potential data breaches of the further processed data) may cause. Consequences of further processing may vary on a scale from targeted and well defined to more general and unpredictable. The more negative and unpredictable an impact may be, the less likely it will be deemed compatible.
Questions to ask:
- How would you feel if someone processed your personal data for the suggested secondary use?
- Might the envisioned processing cause the data subjects to be excluded or discriminated against in the future/in a different context?
- Are the consequences clear-cut or rather unpredictable?
Appropriate safeguards, which may include encryption or pseudonymisation
An inherent characteristic of a multi-factor assessment is that deficiencies at certain points may in some cases be compensated by a better performance on other aspects. For this reason it is important to consider safeguards that have been applied. Examples may include practices such as pseudonymising the data used, reaching out to inform the data subject directly (not just updating the privacy policy) or letting the data subject actively opt-in for further processing.
Questions to ask:
- Which steps have been taken to reduce or mitigate negative impacts on the data subject?
- Which (technical and organisational) measures are in place to ensure the security of the data processed?
- Which design features offset an undue impact on the data subject?
3.2 Archiving, Research and Statistical Purposes
As mentioned earlier, a specific scenario of further processing pertains to archiving, research and statistical purposes. Article 5(1)(b) GDPR reads that “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) GDPR, not be considered to be incompatible with the initial purposes”.
This means that data may be further processed for one of the following uses:
- archiving purposes in the public interest;
- scientific or historical research purposes;
- statistical purposes.
In practice, the final option of statistical purposes will be the most viable option for the majority of companies. For all three options, Article 89(1) GDPR is applicable. In this Article the GDPR stipulates the importance of taking measures to respect data minimisation. Data minimisation entails that no more data is processed than necessary. For the three above-mentioned options it is oftentimes possible to work with aggregated data, pseudonymised data, or even anonymised data, where possible.
On top of being processed for one of the three listed uses, the compatibility must still follow the assessment as discussed under Section 2.1, taking into consideration factors a-e. Furthermore, ‘functional separation’ must be ensured, which means that data for archiving, research or statistical purposes should not be available to support measures or decisions that are taken with regard to the individual data subjects concerned. Another important factor to consider, especially in the contexts of archiving, research and statistics, is whether the processing will be carried out by the same entity that collected the initial data or another entity.
Questions to ask:
- Is the archiving done for purposes of public interest or in the private interest of an entity?
- Is further processing part of scientific or historical research, for instance at a university or other research institution?
- Is the secondary use of the data for statistical purposes?
- Which measures have been taken to ensure data minimisation?
- Is all previously collected data required for the secondary use, or are parts of it also sufficient, for instance only specific data points, in aggregated form or anonymised?
- Will insights gained from the research or statistical data be used to take other measures or decisions that will influence the data subjects?
- Will the further processing be carried out by the same entity that collected the initial data?
IV. Examples
Below we have compiled some examples that we find particularly illustrative. The examples originate from the Article 29 Working Party Opinion 03/2013 (for all examples see Annex 3 from pg. 56 onwards).
Example 1: Chatty receptionist caught on CCTV
A company installs a CCTV camera to monitor the main entrance to its building. A sign informs people that CCTV is in operation for security purposes. CCTV recordings show that the receptionist is frequently away from her desk and engages in lengthy conversations while smoking near the entrance area covered by the CCTV cameras. The recordings, combined with other evidence (such as complaints), show that she often fails to take telephone calls, which is one of her duties.
Apart from any other CCTV concerns that may be raised by this case, in terms of the compatibility assessment it can be accepted that a reasonable data subject would assume from the notice that the cameras are there for security purposes only. Monitoring whether or not an employee is appropriately carrying out her duties, such as answering phone calls, is an unrelated purpose that would not be reasonably expected by the data subject. This gives a strong indication that the further use is incompatible. Other factors, such as the potential negative impact on the employee (for example, possible disciplinary action), the nature of the data (video-footage), the nature of the relationship (employment context, suggesting imbalance in power and limited choice), and the lack of safeguards (such as, for example, notice about further purposes beyond security) may also contribute to and confirm this assessment.
Example 2: Breathalyser checks working hours
A public transport company requires bus drivers, each day before starting their shift, to blow into a breathalyser in order to check for the presence of alcohol. The time and date of the test is recorded, along with information on whether the test was successfully passed. This procedure is integrated with an entry-exit system. When bus drivers start their work shift, they are required to hold their magnetic ID card at the breathalyser module and then blow into the breathalyser. The purpose of the collection and further processing of these data, as specified in law and also notified to the employees, is to check that the drivers do not have an unauthorized amount of alcohol in their bodies during the work shift, which is a legal requirement in the country in question. However, unbeknownst to the drivers, the breathalyser system is also used to check if drivers have fulfilled their work time obligations (i.e. whether they have arrived punctually at the start of their shift).
Apart from any other concerns over labour law practices that this case may raise, in terms of compatibility it can be said that a reasonable data subject would assume that the breathalysers are there to check the presence of alcohol, and not for the entirely unrelated purpose of checking whether drivers arrive late at work. This gives a strong indication that further use is incompatible. Other factors, such as the potential negative impact on the employee (for example, possible disciplinary action), the sensitive nature of the data, the legal obligation for the employee to provide the data, the imbalance of power between the data subject and the employer, and the lack of safeguards (such as, for example, notice about further purposes beyond checking alcohol limits) may contribute to and confirm this assessment.
Example 20: Smart metering data used for tax purposes and to detect indoor cannabis factories
Smart meters have recently been rolled out in households in a certain EU country. They provide detailed and remote electricity readings. The meters have been introduced primarily for reasons relating to energy efficiency and environmental concerns. The detailed readings are needed both for the efficient management of the smart grid (i.e. smart electricity network) and to bill the customers according to dynamic time of use tariffs.
The tax authorities wish to have bulk access to the data in order to detect whether any houses or apartments that are declared unoccupied actually have people residing in them. Law enforcement also wishes to mine the data in order to detect secret indoor cannabis factories. As an alternative, they are considering a partnership with energy companies whereby it would be the companies who would help identify specific violations of tax or criminal law. In that approach, data would be transferred to the tax authorities and law enforcement more selectively, on the basis of a risk analysis and profiling carried out by the energy companies, which would result in a selection of data subjects with an increased risk of rule violation.
In both cases, as with the previous examples, commercial data provided for an entirely unrelated purpose are to be used for law enforcement or tax purposes. Such use may not be reasonably expected by the data subjects, especially if they have not done anything wrong and are not under any particular suspicion or investigation. These factors strongly indicate incompatibility.
The nature of the data (electricity load profiles allow detailed inferences about what individuals do in the privacy of their own homes), the way in which it is processed (secret algorithms and hidden profiling) and the significant potential impact on the data subjects (tax consequences, administrative penalties, arrest, criminal sanctions) all indicate that the further use is incompatible. Therefore, it could only be permissible, subject to the strict conditions set forth in Article 23 GDPR.
V. Final Remarks
As we have seen, there are quite a few requirements that need to be met in order to allow for a secondary use of data initially obtained for another purpose. Certain situations therefore by default do not lend themselves very well to being considered under the secondary use clause, such as matters pertaining to employer-employee relationships or the use of big data. Such uses are quick to fail the compatibility assessment.
However, it is important to note that this does not mean that the desired processing of personal data is therefore not possible. It merely means that it is not viable to do so under the cloak of secondary use. It may, instead, be necessary to process the data for a ‘new’ purpose that fulfils the requirements of the GDPR, where data subjects are informed about the intended purpose before their data is collected.
Are you considering processing personal data for a secondary use? Have you gone through the compatibility assessment and have you answered the guiding questions but still have questions? Or is something unclear? For any questions about secondary use our experts Paul Dam (paul.dam@lexidigtalis.nl) and Justin Loew (justin.loew@lexdigitalis.nl) will gladly assist you.