The principle of purpose limitation in data-driven policing: A guiding light or an empty shell?

Purpose specification

According to the purpose specification requirement in Article 4(1)(b) LED, personal data must be collected only for specified, explicit and legitimate purposes. The function of this requirement is at least twofold. In the first place, the purpose specification requirement offers foreseeability of legislation, and thus legal certainty to the data subject. ²⁰ In the second place, purpose specification is also of importance to other data protection principles such as data minimization, or storage limitation. It is the purpose that determines when data processing is no longer characterised as minimal or that data must be deleted because it does not serve that purpose.

A closer look at the criteria of the purpose specification requirement reveals that the meaning of these criteria is barely further clarified in the LED. The recital of the LED only mentions that the processing purpose must be established by the competent authority the moment that the personal data are going to be collected, ²¹ and that the “personal data to be processed” must also be mentioned in the national law of the Member State. ²² However, the question is when exactly the standards of specified, explicit and legitimate are met and whether and how these standards interrelate.

In its judgment on 22 December 2022, the CJEU discussed the principle of purpose limitation in the LED, but unfortunately did not delve deeper into what is required by purpose specification. The court merely indicated that the purposes for which law enforcement authorities can process personal data are exhaustively listed in Article 1(1) LED. ²³ These ‘specific and distinct’ purposes are the prevention, investigation, detection or prosecution of criminal offences and execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. ²⁴

However, some guidance on the interpretation of specified, explicit and legitimate standards can be derived from CJEU’s judgement delivered on 26 January 2023 on the interpretation of the specific requirement ‘strictly necessary’ in Article 10 LED, which covers the processing of particularly sensitive data. ²⁵ The CJEU emphasized that Article 10 LED constitutes a special form of implementation of the principles set out in Articles 4 and 8 LED, and that the requirement ‘strict necessity’ implies that strengthened conditions for lawful processing of sensitive data must be in place. The strict necessity requirement must be determined in the light of the specified, explicit and legitimate purposes of data collection. ²⁶ For the processing of biometric and genetic data, these purposes “cannot be indicated in terms that are too general, but have to be defined sufficiently precisely and specifically to enable assessment of whether the processing is ‘strictly necessary’.” ²⁷ Thus, this judgement makes clear that the standard for purpose specificity varies depending on the nature of the data collected and can only be assessed contextually. Considering the fundamental importance of purpose specification – as a necessary precondition – for the assessment of compliance with other data protection principles, ²⁸ this is not surprising. Indeed, these other data protection principles can only be meaningfully assessed in relation to a specified purpose.

In his Opinion in the case of 26 January 2023, AG Pitruzzella elaborates on what the standards of specified, explicit and legitimate mean as well as how these standards relate to each other: he argues that the mere mention of one of the purposes in Article 1(1) LED, for example the prevention of criminal offences, cannot meet the standards provided for in Article 4(1)(b) LED. ²⁹ National law must be clear and precise to inform persons of the risks, rules, safeguards and rights with regard to the contemplated processing. ³⁰ In his Opinion, the review of the legitimate nature of the purpose pursued cannot be limited to the examination of the sole mention in national law of a purpose that is connected to the broad Article 1(1) LED purposes, but it also depends on the way the purpose is achieved. A legitimate purpose would not adhere to the conditions of explicitly and specificity when conditions for the achievement of that purpose are not sufficiently well-defined. ³¹ This implies that the requirements of ‘specified, explicit and legitimate’ are interdependent. He concludes the national law needs to adhere to the general purposes of Article 1(1) LED and in addition needs to indicate which concrete objectives can contribute to the achievement of the general purposes. ³²

The view of AG Pitruzzella on the conditions for purpose specification is in line with the position taken by the Commission when stating that the ‘objectives’ mentioned in Article 1(1) LED are defined in a general manner, while purposes have to be specifically defined “in order to clearly demonstrate what is behind each processing operation and why a certain processing operation is being carried out, such as: identification of a person by using his or her biometric data as a suspect for a crime for the purposes of investigation”. ³³ The Commission thus differentiates between processing purposes that refer to explicit, specific and legitimate processing purposes (for example the investigation of murder case X) and processing objectives that are mentioned in article 1(1) LED and are important to delineate the scope of the LED (for example the more general objective of investigation). ³⁴ The Commission therefore uses the term objectives instead of purposes in relation to Article 1(1) LED and thus deviates from the wording of the LED itself. This may lead to terminological confusion. However, it does make clear that the purposes mentioned in Article 1(1) LED cannot simply be equated with the purposes mentioned in Article 4 (1)(b) LED. The so-called Working Party 29 (WP29) also emphasised that the processing purpose has to be set precisely in order to allow for the assessment of the legality of the processing. ³⁵ WP29 made clear that ‘law enforcement’ per se cannot be considered as one specified, explicit and legitimate purpose. ³⁶ While the WP29 did not exclude the possibility that a purpose could be formulated as more general, overarching or collective purpose, it did not however clarify what such an overarching or collective purpose could be. ³⁷

In sum, the CJEU did not provide guidance on the question when the standards of purpose specification in Article 4(1)(b) LED are fulfilled. AG Pitruzella, the European Commission and the WP29 discussed the standards more elaborately, but this discussion still sheds only limited light on the question. This unclarity has at least two consequences. The first is that States get little guidance on how to examine whether the conditions mentioned in Article 4(1)(b) LED are met and thus enjoy a wide discretionary margin. This can be problematic since a broad approach, as mentioned before, hardly sets any boundaries to the way in which the police would be permitted to process data, thus potentially eroding the meaning of the principle of purpose limitation. This unclarity does especially raise a challenge with regard to data-driven policing. The complexity here is that it is not always feasible for law enforcement authorities to specify beforehand which forms of data processing they want to engage in. The so-called ‘Rafinery’ facility in the Netherlands mentioned before presents a relevant example. With this facility, the police aim to acquire new insights out of massive amounts of police data collected earlier in specific criminal investigations. ³⁸ The purpose of this data processing can only be described in general terms like ‘the analysis of data in order to glean information from them’. This purpose specification is obviously very general, imprecise, and little defined, and it hardly sets any limits to the processing of data. Later, we will examine more closely the question of how the purpose specification requirement can be interpreted in the context of data-driven policing.

A second consequence of the ambiguity with regard to the conditions set out in Article 4 (1)(b) LED is that it overshadows the interpretation of the second building block of purpose limitation, that is the compatible use (or the non-incompatibility requirement). The uncertainty with regard to the scope of the requirement of purpose specificity makes it more difficult to ascertain what specific test needs to be applied for the re-use of data for other purposes than for which data was collected in the first place. We will address this issue in the next section.

Further use for another purpose: Complex interplay between non-incompatibility and change of purpose

The LED provides several rules on further use of data for another purpose than the purpose for which the data is initially collected. We will specifically focus on the non-incompatibility requirement in Article 4(1)(b) LED, and the change of purpose requirements enshrined in Article 4(2) LED.

The second building block of the principle of purpose limitation is the requirement of compatibility (or non-incompatibility requirement) laid down in Article 4(1)(b) LED: “personal data shall not be processed in a manner that is incompatible with those purposes.” Notably, the LED – unlike the GDPR – does not mention relevant factors to answer the question whether two purposes are incompatible. ³⁹ Moreover, the LED does not clarify what the role is of the non-incompatibility requirement. Article 4(2) LED articulates that under certain conditions personal data may also be processed for other purposes than the purposes for which the data were collected. A literal reading implies that Article 4(2) LED is applicable regardless of any assessment of compatibility. ⁴⁰ This reading seems to have been endorsed by the CJEU. ⁴¹ The CJEU determined that the processing of data for another purpose mentioned in Article 1(1) LED than the one for which data was collected in the first place, must meet the conditions of Article 4(2) LED. Arguably, when a change of purpose in the sense of Article 4(2) LED took place, it is not necessary to assess whether the initial and secondary purpose are compatible, as was suggested in the literature as well as by Article 7a of an older version of the LED. ⁴² Therefore, one could argue, the compatibility test (non-incompatibility requirement) is superfluous under the LED. ⁴³

However, the CJEU ruling merely addresses the applicability of Article 4(2) LED with regard to the change of purposes as mentioned in Article 1(1) LED. As argued in the previous section, those purposes are very broadly formulated. Thus, this leaves open the question whether Article 4(2) LED should be applied in a case a change of more specifically defined purposes within the broadly defined Article 1(1) LED purposes occurs and what the role of the compatibility requirement that is explicit in Article 4(1)(b) LED should be. It can be argued that the compatibility test (the non-incompatibility requirement) is included in Article 4(2) LED as part of the assessment whether the processing for a new purpose is proportionate. ⁴⁴ Importantly, this second approach arguably does more justice to the rationale of the principle of purpose limitation. After all, this prevents data from being processed for another purpose, without that processing being sufficiently foreseeable for the data subject. Support for this approach can be found in Article 3(2) of the predecessor of the LED – the Framework Decision 2008/977/JHA, which stated that further processing for another purpose is permitted in so far as “it is not incompatible with the purposes for which the data were collected^”, lawful, necessary and proportional. ⁴⁵ Also, De Hert and Sajfert argue that any subsequent use of data by the police or other controllers within the scope of the LED, is covered by Article 4(2) of LED “coupled with the ‘compatible use’ building block of the purpose limitation principle in Article 4(1)(b)”. ⁴⁶ They, however, do not elaborate on how the subsequent use under Article 4(2) LED is related to the compatibility test in Article 4(1) LED or how the latter test should be applied in the realm of the LED.

This leads us to taking a closer look at the rules on change of purpose. Article 4(2) LED stipulates that personal data processed – by the same or another controller – for any of the purposes set out in Article 1(1) LED other than that for which the personal data are collected, shall be permitted in so far as it complies to four prerequisites:

1. The other purpose is within the scope of the LED as set out in Article 1(1);

In its judgment of 22 December 2022 on a Bulgarian preliminary request, the CJEU explicitly discussed Article 4(2) LED for the first time. ⁴⁸ In this case, the public prosecutor collected and used personal data of an individual initially found to be a victim of crime, but ultimately used the data to prosecute the same individual as a suspect. The referring court wanted to know whether a change of purpose in the sense of Article 4(2) LED took place. According to the CJEU, Article 4(2) LED is applicable when data where initially collected for the purpose of the ‘detection’ or ‘investigation’ of a criminal offence and have subsequently been used for the purpose of ‘prosecution’. ⁴⁹ Consequently, the conditions as provided for by Article 4(2) LED should be fulfilled. Whether these conditions are met, is ultimately up to national courts. ⁵⁰ The CJEU only indicated that personal data necessary for the purposes of the ‘detection’ and ‘investigation’ of a criminal offence will not be automatically necessary for the purposes of ‘prosecution’. The consequences of the different personal data processing might differ depending on, among other things, the degree of interference with fundamental rights and the effects of that processing on the legal situation in the criminal proceedings in question. ⁵¹

Despite this ruling, the framework concerning change of purpose as provided for by Article 4(2) LED is still unclear. The first outstanding question is when Article 4(2) LED is applicable because the LED does not provide any guidance on how to distinguish between different law enforcement purposes. ⁵² The Bulgarian case made clear that processing of personal data of an individual initially regarded as a victim and processing data of the same individual ultimately as a suspect, pursue separate purposes: detection/investigation and prosecution. This suggests that Article 4(2) LED is applicable only when the processing of data shifts to another purpose in the sense of Article 1(1) LED. For example, from detection/investigation of criminal offences to the prosecution of criminal offences. This reading is supported by the wording of Article 4(2) LED which refers to purposes set out in Article 1(1) LED.

Considering the broadly formulated purposes in Article 1(1) LED, this approach gives the competent authorities quite some leeway for the re-use of personal data because Article 4(2) LED would not apply to the processing of personal data in another investigation than the investigation for which the data initially is collected. The purpose of this secondary use of the data can still be regarded as falling within the purpose of investigation of crime. The case of the EncroChat can illustrate this point. From the outset, it was clear that the collected data would not only be used in the case against the organisation EncroChat, but also in investigations that involve individual EncroChat users. ⁵³ Both the initial purpose of data collection (detection of criminal activity by EncroChat as a criminal organisation) and the secondary use of that data (investigation of criminal activity of individual EncroChat users) can be considered as ‘investigation’ or ‘detection’ of crime. This implies that no change of purpose in the sense of Article 4(2) LED took place and thus this Article would probably not be applicable in this case.

This approach, however, is difficult to align with the criminal procedural law perspective, where the use of data beyond the specific investigation for which the data was collected, would be considered a change of purpose. Moreover, this approach is at odds with the requirement of purpose specification. As argued above, processing purposes like the prevention of criminal offences or the investigation/detection of criminal offences could hardly be considered to fulfil the requirements of Article 4(1)(b) LED.

Therefore, a more fitting reading would be that Article 4(2) LED applies where a change of the more specifically defined purposes takes place including within the separate broad purposes of Article 1(1). ⁵⁴ This broadened applicability of Article 4(2) LED arguably offers less room to the competent authorities for manoeuvre in the re-use of personal data. Support for this second reading can to a certain extent be found in the Bulgarian case. The Court states that “the scope of Article 4(2) is not limited to the processing of personal data in connection with the same criminal offence as that warranting the collection of those data.” ⁵⁵ This suggests that using personal data beyond the specific investigation that prompted the collection of data can also be considered as a change of purpose. In the next section, we will explore whether the right to privacy can provide an answer to the question when a change of purpose takes place.

A second outstanding question in relation to Article 4(2) LED is how to assess when the re-use of data that was initially collected for another purpose is necessary and proportionate in the sense of Article 4(2) LED. ⁵⁶ In the Bulgarian case, the CJEU only stated that the ‘detection’ or ‘investigation’ of a criminal offence is not the same as the ‘prosecution’ of a criminal offence. Therefore, data required for criminal investigations is not automatically necessary for the prosecution of criminal offences. The CJEU concludes, however, by stating that the assessment of the necessity and proportionality is ultimately up to national courts to decide. ⁵⁷ The LED itself does not provide the answer either. Recital 27 of the LED only indicates in general terms that it is necessary for competent authorities to process personal data collected in the context of the prevention, investigating, detection or prosecution of specific criminal offences beyond that context in order to develop an understanding of criminal activities and make links between different criminal offences detected. ⁵⁸ This seems to imply the LED is not prohibiting data-driven policing but leaves open the question how to examine the necessity and the proportionality of the re-use of data initially collected for a different purpose. Lacking more concrete guidance, we will direct our focus towards the fundamental rights framework in the next section.

Purpose specification

The principle of purpose specification is connected to all three justification requirements for a legal, legitimate and necessary interference with the right to privacy enshrined in Article 8(2) ECHR as well as in Article 52(1) CFREU. ⁶² The principle is particularly tightly connected to the requirement ‘in accordance with the law’, which not only ensures the accessibility of the law, but also provides for a certain quality of that law in the sense that it demands foreseeability of the law. ⁶³ Foreseeability imposes a duty on the legislator to formulate laws with ‘sufficient precision to enable the citizen to regulate his conduct’ and herewith provide for adequate protection against arbitrary application of the law. ⁶⁴ With regard to the legitimacy and necessity of an interference with the right to privacy, purpose specification more indirectly provides for a starting point in the assessment of the criterion of a legitimate aim and the general requirement of proportionality of data processing. ⁶⁵

In its case law on investigative powers by intelligence and security services and criminal investigation authorities, the ECtHR has made clear that (national) law should incorporate safeguards in order to prevent abuse of power. ⁶⁶ When it comes to targeted interception of communications, the ECtHR takes different ‘minimum safeguards’ into account. The legal provisions governing communications surveillance should address: (1) the nature of offences which may give rise to an interception order; (2) a definition of the categories of people liable to have their telephones tapped; (3) a limit on the duration of telephone tapping; (4) the procedure to be followed for examining, using and storing the data obtained; (5) the precautions to be taken when communicating the data to other parties; and (6) the circumstances in which recordings may or must be erased or destroyed. ⁶⁷ When it comes to bulk interception for intelligence purposes, the ECtHR takes in Big Brother Watch a wider range of criteria into account. ⁶⁸ While the case concerns powers of intelligence service, the judgment is arguably also relevant for bulk interception regimes in the context of criminal law. ⁶⁹ In addressing jointly the questions whether the bulk interception is ‘in accordance with the law’ and ‘necessary’, the domestic legal framework should clearly define: (1) the grounds on which bulk interception may be authorised; (2) the circumstances in which an individual’s communications may be intercepted; (3) the procedure to be followed for granting authorisation; (4) the procedures to be followed for selecting, examining and using intercept material; (5) the precautions to be taken when communicating the material to other parties; (6) the limits on the duration of interception, the storage of intercept material and the circumstances in which such material must be erased and destroyed; (7) the procedures and modalities for supervision by an independent authority of compliance with the above safeguards and its powers to address non-compliance; (8) the procedures for independent ex post facto review of such compliance and the powers vested in the competent body in addressing instances of non-compliance. ⁷⁰

Arguably, the purpose specification principle is encapsulated in these safeguards, more specifically in the first two requirements/criteria of both interception frameworks. However, the criteria differ: for the targeted interception a “description of the nature of offenses” is required, where for the bulk regime it is only necessary that the “grounds for interception” be described. ⁷¹ The question of specificity also rose in relation to the use of other forms of material gathered by the authorities. In the key case S & Marper, the Grand Chamber, for example, found a violation of Article 8 ECHR based on lack of specificity of purpose for which large amounts of data like fingerprints, cellular samples and DNA of persons suspected but not convicted of criminal activity, were retained. ⁷² In the same way, the CJEU has – with reference to case law of the ECtHR – clarified that legislation that foresees in interferences must lay down clear and precise rules governing the scope and application of the measure in question. ⁷³

At the same time, the ECtHR nor the CJEU has dealt explicitly with the question of how precise the purpose needs to be formulated. ⁷⁴ The reason for this is that both courts often do not engage in the discussion under what conditions a purpose is sufficiently precise, but rather evaluate the legitimacy of the purpose as provided by the state authorities. For instance, the ECtHR found a violation of Article 8 ECHR in the case of Rotaru v Romania, because national law did not set any limits on the possibility to store information about an individual. ⁷⁵ Romanian national law did not make it clear which information was allowed to be stored, whose data were allowed to be stored, how long the information was allowed to be stored or how the integrity and confidentiality of those data was safeguarded. The ECtHR did arrive at this conclusion without further clarifying when a purpose, generally, is sufficiently precise. Neither has the CJEU yet provided for criteria on how to assess the specificity of a purpose. As mentioned in the previous section, the CJEU merely stresses that purposes must be legitimate and formulated with sufficient precision without further clarifying when these standards are met. ⁷⁶

In sum, in human rights case law the principle of purpose specification is materially embedded in the requirement of foreseeability as a quality of law justified to interfere with the right to privacy. The rationale thus relates in particular to the prevention of arbitrary action from the authorities. National legislation must delineate with sufficient clarity the scope of an investigatory power and – when it comes to targeted collection of data – at least include a category of offences and a category of people that can be subjected to those powers, to prevent abuse of power. Notwithstanding some overlap, the foreseeability requirement as formulated in the human rights framework does not exactly cover the principle of purpose specification for which data can be processed. Thus, the precise criteria for the assessment of the specificity of the purpose are difficult to detract from this framework.

(In)compatible use and change of purpose

The principle of compatible use (non-incompatibility requirement) can also be traced in the human rights case law, especially in the case law of the ECtHR. ⁷⁷ The parallel can be drawn between the principle of compatible use and the concept of the individual’s ‘reasonable expectations’ – also referred to as ‘legitimate privacy expectation’ ⁷⁸ or ‘foreseeability’ ⁷⁹ – that the ECtHR sometimes uses when assessing whether an interference with the right to privacy has occurred. In doing so, the ECtHR indirectly compares the initial purpose of processing to the new processing purposes. ⁸⁰

Various cases can illustrate how the reasonable expectation standard is tightened to compatible use. There is, for example, a list of cases where the disclosure of medical data for new purposes constitutes an infringement of the right to respect for private life. ⁸¹ In the framework of criminal investigations the case of Perry v United Kingdom is exemplary. ⁸² In this case, the ECtHR examined whether the use of security cameras in a police station to take clear footage of the applicant in order to use this footage in an identity parade constituted an infringement of Article 8(1) ECHR. The ECtHR recalled that in principle the monitoring of the actions of an individual in public area by a camera that does not record the visual data, does not raise issues under Article 8 ECHR. This can be different when data is recorded, systematically or permanently. ⁸³ In this case, the applicant had refused to participate in an identity parade for which reason the police regulated the security camera to take clear pictures of the applicant that were shown to witnesses and at the public trial later on. The applicant was, however, not aware of the adopted ploy by the police that went beyond the normal or expected use of this type of camera, as is supported by the fact that an engineer was called upon to adjust the security camera. Therefore, the recording and use of the video constituted an interference with the right to respect for private life. This interference was not justified, because the police did not inform the applicant about the actual purpose of filming beforehand. This case shows that the purpose of the data processing plays an essential role in the assessment whether an interference with Article 8 ECHR took place. ⁸⁴ The purpose of data collection provides a link for examining whether an individual could expect an intrusion into his private sphere. ⁸⁵ A change of purpose in data processing can thus lead to an interference with the right to privacy. This means that the re-use of data for another law enforcement purpose than the purpose for which the data initially is collected will interfere with Article 8(1) ECHR if (and only if) the re-use could not be reasonably expected or foreseen. The question is then whether it can be reasonably expected or foreseen that data collected with various criminal investigation powers will later be used for intelligence purposes, i.e., to combine various data sets, to analyse these data and to detract new information from these data as is aimed for by data-driven policing. Arguably, such expectation will not be reasonable in many cases. Therefore, data analysis for intelligence purposes will in most cases amount to a (new) privacy infringement and can thus only be justified when the conditions of Article 8(2) ECHR are met.

In its case law on investigative powers by intelligence and security services and criminal investigation authorities, the ECtHR does not address explicitly the issue of compatible use and change of purpose. At the same time, however, in particular compatible use can be recognised in both frameworks regarding targeted interception as well as bulk interception. The compatible use standard can be recognized in the last three safeguards of the framework regarding targeted interception. ⁸⁶ In short, these safeguards should set limits to the actual use of the data. When it comes to bulk interception, the ECtHR pays even more attention to compatible use standards, since the interception is less targeted. Therefore, this seems at least to be the logic of the ECtHR, it is all the more important to limit the way in which the data can be used through material and procedural safeguards. According to the ECtHR, national law should provide in the procedures to be followed for selecting, examining, and using intercept material and it does emphasise the need for supervision by an independent authority (see criteria 7 and 8 in the previous section). ⁸⁷ Furthermore, the supervising authority must have sufficient corrective, supervisory and advisory powers. The ECtHR expressly distinguishes different types of supervision, ex ante supervision (authorisation by an independent authority), supervision during the processing and ex post supervision (access to a judge or other legal remedies). ⁸⁸

Implementation of purpose specification: Rule-based approach vs principle-based approach

Considering the functions as well as the normative foundations of purpose specification, this requirement should in our view be interpreted strictly. This means the purposes provided for in Article 1(1) LED cannot always meet the requirement of specificity. ⁸⁹ Purposes like investigation or detection of crime cannot provide legal certainty. More importantly, with a more lenient interpretation, the purpose limitation principle could easily become an empty shell and that will impact the connected requirements of data minimization and storage limitation. The Member States therefore must specify explicitly for which purposes the police are allowed to process data. Under Article 8(2) LED, these purposes must also be laid down in national law.

The obligations concerning purpose specification with regard to data-driven policing can be complied with in two different ways, in short characterised as the rule-based and the principle-based approach. ⁹⁰ The rule-based approach means specifying in legislation the purposes for which law enforcement authorities can process data. This approach is generally followed in various Police Data Acts. ⁹¹ For instance, the Dutch Police Data Act specifies several purposes for which the police can process personal data. Sometimes this is done by referring to a purpose within the broad tasks of the police or by stating which data subjects’ data (suspects, affiliations) is allowed to be processed. Other times, the Act obliges the police to further specify for which purpose data will be processed. The Dutch legislator stipulated in Article 9 of the Police Data Act that the police must further specify within the broad objective ‘maintaining law and order in a specific case’ what the processing purpose is and that this must be done within a week after the start of data processing.

Specifying the purpose beyond a general category such as ‘investigation of crime’ in legislation beforehand might however be hard to achieve for data-driven policing methods, primarily because it is not always feasible to formulate sufficiently precise for which specific purposes law enforcement authorities can employ data-driven policing methods. Here too the abovementioned EncroChat and Sky ECC cases provide for a telling example. In these cases, it was quite impossible to anticipate beforehand what kind of criminality would resurface to justify and limit the data analysis. Therefore, a second more principle-based approach should be considered. This option is inspired by the way special investigative powers are usually drafted and exercised in practice. ⁹² Purpose specification can also be achieved by laying down grounds which may authorize the data processing, such as the nature of the offences for which the data can be processed, the circumstances under which the data can be processed and the specification of prior authorisation procedures. This second more principle-based approach allows to assess on a case-by-case basis through prior authorisation procedures whether the processing of data is allowed. In doing so, it is possible to consider the specifics of the case at hand. This second approach is in fact followed by Dutch authorities in the cases of Encrochat and SkyECC. While using his authorization power, the investigative judge formulated specific conditions under which the investigative authorities could search and use the data. ⁹³ The goal of formulating these conditions for specifically the analysis and use of the available dataset, was to protect the rights to privacy and to avoid fishing expeditions.

This second approach is particularly relevant for data-driven policing methods, such as the interception of bulk data and the Dutch ‘Rafinary’ facility. As elaborated above, for these methods it is hard to formulate beforehand with sufficient precision for which purpose the data will be processed. The principle-based approach would imply that national legislators must clarify under what conditions the processing of data is allowed. For instance, national legislators could specify how investigative authorities can analyse bulk information, by stating for which offences the data can be searched, whether the use of keywords are necessary, and importantly which authority must authorize the data analysis beforehand, supervise an ongoing analysis and review the process of data analysis when completed. It is ultimately up to national legislators to decide where to lay down those rules, in criminal procedural law, in data protection law or in both laws. ⁹⁴

Identifying and mitigating risks of further use through the change of purpose doctrine

As shown above, the framework concerning the further use of data and change of purpose as enshrined in the LED is unclear in two ways. First, Article 4(2) LED does not seem to cover all ways in which data collected in a criminal investigation can be used for another purpose. Second, the LED does not provide guidance on how to assess whether the further use of data for another purpose is necessary and proportionate. In this section, we will focus on these issues. Let us start with the first issue.

The foregoing analysis showed that Article 4(2) LED is applicable in any case when law enforcement authorities switch between purposes provided for in Article 1(1), which are formulated rather broadly. It remains unclear what the CJEU would say about the applicability of Article 4(2) LED in case where a change of purpose took place within one of the general purposes mentioned in Article 1(1) LED. Considering the ECtHR case law, it could be argued that Article 4(2) LED should also apply to this kind of change of purpose. The ECtHR assesses whether a change of purpose took place on a case-by-case basis through the ‘reasonable expectation’ test. ⁹⁵ Accordingly, the right to privacy will be infringed if data is processed in another context for a new and reasonably unexpected purpose. The question whether a change of purpose took place, can thus not be answered solely on the basis of the purposes mentioned in Article 1(1) LED. The answer depends in particular on the specificity of the initial purpose as well as on the context in which the processing took place.

A strict interpretation of Article 4(2) LED implies that this provision is applicable to the use of data in another investigation than the investigation for which the data initially were collected. Data which is for example obtained by special investigative powers could thus not automatically be used in another investigation. This reading means that Article 4(2) LED is applicable to the use of data in another investigation than the investigation that prompted the collection of data, such as in the EncroChat and Sky ECC cases. The strict interpretation also implies that Article 4(2) LED applies in cases where already collected data is re-evaluated to derive new insights, such as in the Dutch facility ‘Rafinery’.

Second, the LED is silent on how to assess whether the use of data for another purpose is necessary and proportionate in the sense of Article 4(2) LED. It is difficult to determine on an abstract level when the use of data for a new and different purpose is necessary and proportionate. The right to privacy could also play a role here by providing a scale to assess the necessity and proportionality of the further processing of data. ⁹⁶ Stated differently, the risks the further use of data poses to the right to privacy are imperative to consider when assessing whether that further processing is necessary and proportionate. To make this somewhat more concrete it can be useful to make a distinction between two ways in which data can be used for other purposes: repurposing and recontextualization. ⁹⁷ This distinction is particularly useful when thinking about the necessary safeguards to be included in national law.

The concept of repurposing implies the use of data for another purpose than the investigation that prompted the collection of data. For example, when law enforcement authorities collect data on a specific suspect in a specific investigation, but meanwhile they accidentally discover data which is relevant for another case and can be used in that other case (the so-called ‘bycatch’). Another example can be found in the CJEU Bulgarian case in which a law enforcement authority initially collected data to investigate a specific crime and used this data later in the prosecution of an accused person. The privacy risk of repurposing lies primarily with the broader disclosure of personal data of (several) subjects.

The concept of recontextualization is more complicated than repurposing. Recontextualization can also be characterized by the use of data for a purpose other than for which they were collected. However, the difference with repurposing lies in the re-evaluation of data with the aim of deriving new information that is not already known. One might think of combining datasets from different investigations in order to detract information on yet unsuspected individuals, which is the aim of the mentioned Dutch example of ‘Rafinary’. Generally, recontextualization is more privacy intrusive than repurposing. Since the aim of recontextualization is to generate new knowledge, this could have consequences for individuals whom the police did not have on their radar yet. Furthermore, the re-evaluation of data is less foreseeable and could lead to interpretative mistakes.

In the Netherlands, the conceptual difference between repurposing and recontextualization is not reflected in the law and that creates a real risk for safeguarding the right to privacy. Recontextualization can be – and is in practice – based on Article 11 of the Dutch Police Data Act, which provision empowers the police to conduct automated comparison and combined search of data that was collected in different criminal investigations or during the daily police task. However, this Article does not take into account the severity of the interference with the right to privacy that recontextualization implies, since the provision neither sets any limits on the type of data that can be used nor on the permissible methods of analysis. ⁹⁸ In contrast, Germany provides an example of legal regulation that is at least more attuned to the conceptual difference between repurposing and recontextualization. When it comes to the re-use of data, the Bundesverfassungsgericht considers automated analysis for intelligence purposes of combined data that was previously collected in specific criminal investigations as constituting a new infringement of the personality rights (the German concept of the right to privacy). ⁹⁹ Consequently, the principle of proportionality in strict sense applies to this type of data processing and strong safeguards must be put in place. When it comes to repurposing, a more lenient approach is followed which results in a less strict application of the principle of proportionality. ¹⁰⁰

It is not our intention to make a precise comparison of the different national rules on the re-use of data at this juncture. The point is that when national legislators want to create new rules on the further use of data, they should take into account the different privacy risks associated with the further use of data, especially when it concerns the recontextualization of data. Article 4(2) LED should thus be considered to function as a tool for legislators to identify risks associated with the re-use of data for secondary processing purposes as well as a tool to mitigate those risks optimally.