Subsequent Use of GDPR Data for a Law Enforcement Purpose: The Forgotten Principle of Purpose Limitation?
European Data Protection Law Review, Vol. 4 (2018), Issue 2, pp. 152-167
25 Pages Posted: 23 Aug 2018 Last revised: 23 Oct 2018
Date Written: March 1, 2018
This article questions the role of the principle of purpose limitation in a situation where personal data are collected under the General Data Protection Regulation (GDPR) and further processed under the regime of the ‘police and criminal justice’ Directive. It reviews the rules set out in both instruments, concerning the principle of purpose limitation and the further processing of personal data for a different purpose. The analysis of the rules under Directive 2016/680 reveals some ambiguity: are the rules applicable to the subsequent use of any personal data (including those collected under the GDPR)? Or are the rules limited to the subsequent use of ‘police or criminal justice’ data? Building on the ambiguous wording of Article 4(2) of the Directive, the article addresses the two hypotheses and analyses their consequences. It concludes with the uncertainty of the applicable rules and the likelihood of diverging interpretations at the national level.
Keywords: Data Protection, Directive 2016/680, GDPR, Principle of Purpose Limitation
Suggested Citation: Suggested Citation