Abstract
The purpose limitation principle is traditionally considered as a core pillar of European and international data protection law, and as encompassing two sub-principles, that is purpose specification and compatible use. However, the current articulation of the purpose limitation principle in EU primary and secondary law raises questions regarding its role more broadly, as well as the function of the compatible use sub-principle in particular. The Norra Stockholm Bygg ruling delivered by the Court of Justice of the European Union on 2 March 2023 sheds light on the latter. More specifically, the ruling endorses the framework of compatibility laid down in art.6(4) of the General Data Protection Regulation (GDPR), according to which, under certain circumstances, an assessment of compatibility does not need to take place where lawfulness is otherwise established. When first proposed, this provision was criticised for neglecting how purpose limitation and lawfulness give rise to separate and cumulative requirements. Although it has undergone a degree of alteration since then, art.6(4) GDPR still challenges the purpose limitation principle as a self-standing pillar of data protection law. The Court’s approval, in Norra Stockholm Bygg , of the legislator’s approach, comes as an addition to a series of case law that denotes a lack of sufficient attention to fundamental questions regarding the implementation of the purpose limitation principle under primary and secondary law, and further opens the door to a future where its role is undermined.
Original language | English |
---|---|
Pages (from-to) | 469-479 |
Number of pages | 11 |
Journal | European Law Review |
Volume | 48 |
Issue number | 4 |
Publication status | Published - 18 Aug 2023 |