![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
Abstract
This article analyses the proposed changes to the purpose limitation principles contained in the draft Data Protection Regulation adopted by the European Commission in January 2012. It examines the historical motives for the introduction of the principle as part of the 1995 Data Protection Directive, and looks at the constitutional framework under which it operates both at EU and member state level. It considers the risks and long-term consequences that EU citizens may face if the principle is eroded or substantially abandoned.
Notes
1. 2 John 1:8, The Holy Bible, King James Version.
2. Directive on the use of Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, COM(2011) 32 final, Brussels, 2.2.2011.
3. Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), OJ L 204, 4.8.2007, p. 18–25. This agreement was replaced with effect from July 2012 by the Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security, OJ 2012 L 174/1.
4. Agreement between the European Community and the Government of Canada on the processing of Advance Passenger Information and Passenger Name Record Data, OJ L 86, 24.3.2006, p. 19–19.
5. Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian customs service, OJ L 213, 8.8.2008, p. 49–57. This agreement was replaced December 2011 with a new Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the Australian Customs and Border Protection Service.
6. Proposal for a directive on the use of passenger name record data in the EU: press conference by Cecilia Malmström, European Commissioner for Home Affairs, 2 February 2011. An audio recording of the press conference (Reference 75222) can be accessed via the European Commission's Audiovisual Service at http://ec.europa.eu/avservices/audio/audioDetails.cfm?ref=75222&sitelang=fr; last accessed 10 December 2012.
7. Ibid., at 2:38.
8. Ibid., at 29:57.
9. Ibid., at 28:39.
10. Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program, OJ L 8/11
11. In May 2012, the European Commission adopted a draft Regulation (COM(2012) 254 final, Brussels, 30.05.2012) that would allow national law enforcement authorities to consult the EURODAC database for the purpose of prevention, detection and investigation of terrorist offences and other serious criminal offences. EURODAC, which contains the fingerprints of asylum seekers, was originally set up for the purpose of determining which member state is responsible for examining an asylum application to prevent multiple asylum applications within the EU.
12. 2006/24/EC.
13. Most EU member states have by now adopted national laws that authorize such access. See, for example, section 113b of the German Telecommunications Act 2004 (declared void in 2010 by the German Constitutional Court) and section 22 of the UK Regulation of Investigatory Powers Act 2000.
14. The changes were included in the Coroners and Justice Bill published on 14 January 2009. The Bill as introduced is available at http://services.parliament.uk/bills/2008-09/coronersandjustice/documents.html, last accessed 9 December 2012. The information-sharing provisions were later withdrawn.
15. A 2012 Freedom of Information request revealed that between 2008 and 2011, the police requested Oyster Card data in more than 22,000 cases, see Laja Citation(2012).
16. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23/11/1995, p. 31–50.
17. A new Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, COM(2012) 11 final, 25.1.2012 (Data Protection Regulation) that would replace the current regime has been proposed by the European Commission in January 2012.
18. These Guidelines were annexed to the Recommendations of the Council concerning Guidelines governing the protection of privacy and transborder data flows (23 September 1980). Available at http://www.oecd.org/internet/interneteconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#guidelines; last accessed 6 December 2012.
19. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS no. 108, Strasbourg, 28.I.1981. Available at http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm; last accessed 6 December 2012.
20. Paragraph 14, Part B2 of the Guide to Data Protection, Information Commissioner's Office. Available at http://www.ico.gov.uk/for_organisations/data_protection/~/media/documents/library/Data_Protection/Practical_application/the_guide_to_data_protection.ashx; last accessed 10 December 2012.
21. Ibid.
22. Opinion 03/2013 on purpose limitation, WP203, 2 April 2013; available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf; last accessed 20 April 2013.
23. Ibid., p. 24.
24. Ibid.
25. ‘Evaluation of the implementation of the Data Protection Directive’, p. 25, published as Annex 2 to the Impact Assessment accompanying the European Commission's data protection reform package, Brussels, 25.1.2012; available at http://ec.europa.eu/justice/data-protection/document/review2012/sec_2012_72_en.pdf; last accessed 19 April 2013.
26. Opinion of the European Data Protection Supervisor on the data protection reform package, Brussels, 7 March 2012, para. 117; available at http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2012/12-03-07_EDPS_Reform_package_EN.pdf; last accessed 12 February 2013.
27. Article 6(1), Data Protection Directive.
28. Similar exceptions are included in Article 9(2)(a) of Convention 108 and in Article 4 of the OECD Guidelines.
29. Paragraph 54 of the explanatory memorandum to the OECD Guidelines.
30. Article 4(b), OECD Guidelines.
31. Paragraph 2 of the Explanatory report to Convention 108. Available at http://conventions.coe.int/Treaty/EN/Reports/HTML/108.htm; last accessed 10 December 2012.
32. Ibid.
33. See Note 22, at p.37.
34. Ibid., p.38.
35. See Note 25.
36. Section 29(3), Data Protection Act 1998.
37. Section 35(1), Data Protection Act 1998.
38. Section 35(2), Data Protection Act 1998.
39. An exception to this rule may apply if the Act in question simultaneously violated the right to privacy contained in Article 8 of the European Convention on Human Rights (ECHR). In that case, the UK courts might be able to judicially review any administrative measures taken on the basis of the Act under the Human Rights Act 2000.
40. Article 93(4a). German Basic Law
41. §95(3), Federal Constitutional Court Act (Bundesverfassungsgerichtsgesetz)
42. BverfGE 65, 1, at para. 152 (translation by the author)
43. Ibid., at para. 155.
44. Ibid.
45. BverfGE 65, 1, at 156; 115, 320, at 81
46. BverfGE 65, 1, at 157.
47. Ibid., at 158.
48. See, for example, sections 14-16 of the German Data Protection Act (Bundesdatenschutzgesetz).
49. BverfGE 65, 1, at 157.
50. Article 35(1), ECHR.
51. It should be noted, however, that under Article 46(1) ECHR, the contracting parties agree to abide by the ECtHR's final judgments in all cases to which they are parties. The Committee of Ministers is charged with supervising their execution, Article 46(2), ECHR. Disregarding an ECtHR judgment might therefore enable the claimant to bring a case against the government before the ECtHR. If the ECtHR finds that a contracting party has infringed its citizens' fundamental rights, it can afford ‘just satisfaction’ (consisting, for example, of damages payable to the claimant) to the injured party, Article 41, ECHR.
52. [2005] ECHR 681.
53. Wintour and Sparrow Citation(2012).
54. Wintour and Sparrow Citation(2013).
55. R (T and others) v Chief Constable of Greater Manchester and others [2013] EWCA Civ 25.
56. Hope Citation(2013). Although the Home Office did eventually announce legislative proposals to relax the current criminal records checking scheme, the proposals arguably do not address all of the issues raised by the Court of Appeal; see Home Office press release ‘Filtering of old and minor convictions and cautions’, 27 March 2013; available at https://www.gov.uk/government/news/filtering-of-old-and-minor-convictions-and-cautions; last accessed 19 April 2013.
57. Dicey (Citation1915, 39–40).
58. Although it should be noted that this longstanding principle has recently been called into question, both by senior judicial figures as well as the Supreme Court itself. Lord Woolf observed in 195 that ‘if Parliament did the unthinkable’ (that is enact legislation that was clearly in breach of human rights) then ‘the courts would also be required to act in a manner without precedent’ (Woolf Citation1995). Similarly, Lord Steyn, in the case of R (Jackson) v A-G ([2005] UKHL 56), said that if Parliament ‘sought to abolish judicial review of flagrant abuse of power by a government or even the role of ordinary courts in standing between the executive and citizens’ the courts might have to ‘qualify’ the doctrine of parliamentary supremacy.
59. Save to the extent that certain powers are devolved to the Scottish Parliament and the Welsh and Northern Ireland Assemblies.
60. Simitis (Citation1984, 399).
61. ‘Protocol on the Application of the Charter of Fundamental Rights of the European Union to Poland and to the United Kingdom’, OJ C 306/156.
62. COM (2012) 11 final, 25 January 2012. The Regulation forms part of a reform package adopted by the European Commission, which also includes a proposal for a Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (COM (2012) 10 final). However, this article will focus on the Regulation as the instrument that is likely to permit the transfer of personal data held by public or private bodies to, or access to that data by, law enforcement authorities under ‘further processing’ provisions set out in Article 6(4) of the draft Regulation.
63. See Note 22 and Opinion WP191 of the Article 29 Working Party on the data protection reform proposals, 23 March 2012 (WP191). Available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp191_en.pdf; last visited on 11 December 2012.
64. See Note 26, para.124.
65. See Note 26, para. 123.
66. See Note 22, p. 41.
67. Draft report on the proposal for a regulation of the European Parliament and of the Council on the protection of the individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 2012/0011(COD), 16.01.2013. Available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-501.927%2b04%2bDOC%2bPDF%2bV0%2f%2fEN; last accessed 12 January 2013.
68. BVerfGE 73, 339. The court held that as long as (‘solange’) Community law and, in particular, the Treaties guaranteed the same fundamental rights as the Basic Law it would not need to review Community law for its compatibility with the fundamental rights catalogue contained in the Basic Law. As a result, it tends to declare applications for judicial review under Article 100(1) of the Basic Law as inadmissible.
69. Although this is of course unlikely to improve the position of UK citizens given the UK's opt-out from the Charter, see Note 61.
70. Article 6(c) of the Data Protection Directive.
71. Note from the Presidency to the Working Party on Data Protection and Exchange of Information, Brussels, 22 June 2012, Ref.11326/12. Available at http://www.statewatch.org/news/2012/jun/eu-council-revised-dp-position-11326-12.pdf; last accessed 10 December 2012.
72. Opinion of the Committee on the Internal Market and Consumer Protection for the Committee on Civil Liberties, Justice and Home Affairs on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 2012/0011(COD), 28.01.2013, Amendment 77. Available at http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-496.497%2b02%2bDOC%2bPDF%2bV0%2f%2fEN; last accessed 12 January 2013.