One of the core principles of data processing set forth in Article 5(e) of the EU General Data Protection Regulation is that personal data shall be retained in a form that “permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” Although this language is not complex, it raises critical questions not answered within the text, namely: What comprises a purpose and how does one determine whether the purpose is resolved? And, can purposes be tacked on to extend retention of personal data beyond the initial processing purpose?
Determining the purpose for processing
GDPR Article 5(e) states that personal data may be kept (1) no longer than what is necessary, for (2) the purpose behind processing. One place to begin understanding “purpose” is Article 5(b), which discusses purpose limitation. Article 5(b) indicates personal data shall be collected for a specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with those purposes.
WP29 guidance on purpose limitation under the Data Protection Directive stipulates that purposes must be specified before, or no later than, the time when the collection of personal data occurs. Moreover, any processing following collection, regardless of whether it was initially specified, must be considered "further processing."
Data retention is an example of further processing. The new purpose must not be incompatible with the purposes articulated for collection. Although there is not a specific definition of compatibility, the WP29 has indicated that a new or different use of the data may be considered compatible in certain circumstances.
Under the Directive, the WP29 has proposed two tests to determine compatibility: the purely formal test and the substantive compatibility test. The purely formal test compares the purposes that were initially provided with any additional uses to determine whether the new objective was explicitly or implicitly disclosed. The substantive compatibility assessment extends past formal statements to identify the new and original purpose. In addition, several factors used to ascertain the nexus between the purpose specified at collection and further processing aid in the assessment of compatibility. These include:
- The relationship between the purposes for which the data has been collected and the purpose of further processing.
- The context in which the data has been collected and the reasonable expectations of the data subjects as to their further use.
- The nature of the data and the impact of the further processing on the data subject.
- The safeguards applied by the controller to ensure fair processing and to prevent any undue impact on the data subjects.
The greater the divide between the purpose specified at collection and the additional processing, the more thorough and comprehensive the analysis must be. If the aim behind further processing is incompatible with the initial purpose, processing of personal data will likely conflict with GDPR Article 5.
Tacking one purpose on to another
In light of WP29 guidance, the language in GDPR Article 5(b) does not foreclose the tacking on of one purpose to another to extend data retention, but the new purpose must be compatible with the original one. Purpose tacking is far more likely to conflict with Article 5 if the purpose of collection is not communicated at the time of data collection. Further processing, including retention of personal data, could be invalid because the objective behind further processing is measured against the purpose of collection. Thus, if the initial building block of a collection purpose is never in place before collection begins, the scaffolding within which the compatibility of further processing is determined will not be present.
To conclude, Article 5’s principles interrelate. In order to retain personal data for a period of time, the controller must first articulate the initial processing purpose at the time of collection, and retention must be compatible with that purpose.
PIPEDA, the GDPR’s fraternal twin
It may be reasonable to construe GDPR data retention through the lens of Canadian law. The language in Principle 5 of the Personal Information Protection and Electronic Documents Act closely mirrors that reflected in the GDPR. The tenor behind retention is established at the outset. Personal information shall only be retained as long as necessary for the fulfillment of those purposes behind data processing.
Section 4.5 of Principle 5 draws a strict boundary illustrating that personal information should only be kept to achieve a particular objective. This rule comprises two elements, "necessity" and "purpose fulfillment," the same elements reflected in GDPR Article 5(e). Note that under PIPEDA, like the GDPR, having a purpose does not automatically translate into necessity. If alternatives other than the use of personal data are available, retention may be unnecessary and conflict with Principle 5.
PIPEDA section 4.5.2 is also similar to GDPR Recital 39, which accompanies Article 5. PIPEDA 4.5.2 suggests that organizations should develop and implement guidelines with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. There appears to be a heavy thumb on the scale against indefinite retention of personal information. The permissive nature of the language in section 4.5.2 accounts for industries where indefinite retention may be necessary to achieve the specified purpose. Moreover, in a best practices guide, "Personal Information Retention and Disposal: Principles and Best Practices," the Office of the Privacy Commissioner of Canada acknowledged that purpose is often a clear indicator of how long personal information should be retained.
The "reasonable person" perspective: Facebook Inc.
Canadian precedent interpreting PIPEDA provides additional guidance on the issue of data retention which may be useful in interpreting the GDPR. OPC opinions also reveal other broad overlapping themes between the laws, including that both regimes emphasize the individual’s control over his or her own personal information.
In a multifaceted complaint instituted by Canadian Internet Policy and Public Interest Clinic, the petitioner challenged the retention practices of Facebook, specifically the retention of data associated with deactivated Facebook accounts. The commissioner articulated concerns surrounding Facebook’s deactivation policy because personal information of former users was retained indefinitely. Under Canadian law, indefinite retention contravenes Principle 5.
In addition, the commissioner evaluated the indefinite retention from the perspective of a “reasonable person.” A reasonable person would not consider indefinite retention of personal information appropriate when it is connected to a deactivated account which has not been reactivated for a long time. The longer an account remains deactivated and the associated information goes unused, the more difficult it is to argue that retention of the user’s personal information is reasonable for the social network's purposes.
The OPC recognized how "pure" storage separates retention practices from the original purpose. The further retention drifts from that purpose, the less likely it is that retaining the personal data remains necessary. The reasonable person perspective also provides a helpful test when evaluating indefinite retention. As applied by the OPC, the reasonable person perspective is similar to the second factor considered in the substantive compatibility assessment described above.
When retention creates risk: TJX Companies Inc./Winners Merchant International LP
The OPC evaluated the enhanced liability associated with indefinite data retention in TJX Companies Inc./Winners Merchant International LP. In TJX/WMI, the respondent suffered a network data breach. Driver's license numbers that had been retained indefinitely were exposed. The commissioner interpreted Principle 5 to require that personal information be retained only as long as necessary. Consequently, organizations must limit the retention of personal information. Since the intrusions took place over an extended period, the attackers were able to take full advantage by downloading information that should not have been retained.
The OPC concluded the collection of the personal data was unreasonable, and thus the retention of such data was unreasonable as well. The indefinite retention of driver's license numbers violated PIPEDA. In response to the commissioner's conclusion, TJX decided to limit its data retention periods to reduce the risks and vulnerabilities exposed in the breach.
As illustrated above, the retention period directly corresponds with the purpose of collection. However, regardless of the initial purpose, a key risk discussed in TJX/WMI remains: maintaining custody of sensitive information can be a liability, particularly if the information does not serve any legitimate purpose or if the retention period is longer than necessary.
Play by your rules: Insurance provider revises retention period and practices for insurance quotes
Even if an organization establishes a retention period, extension past the set maximum may result in a violation of Principle 5. For example, a purpose may be valid and continuous, yet specific information may no longer be necessary to achieve the objective. In a report analyzing the retention practices of an insurance provider, OPC observed the practices of the provider fell outside the boundaries of its internal retention schedule, as well as sections 4.5 and 4.5.3 of Principle 5. Upon the request by an individual for their personal data, the insurance provider delivered information including personal information provided by the petitioner eight years earlier when they had requested insurance quotes but did not become a customer. The provider’s policy was to retain data for seven years. The commissioner concluded retention in excess of the seven years conflicted with Principle 5 sections 4.5 and 4.5.3.
The question lingered of whether the provider retained the information for longer than necessary to fulfill its identified purpose. The OPC decided the insurance provider retained data longer than necessary because the provider did not explain how the reasoning behind the storage period contributed toward the retention time frame.
In accordance with the OPC's analysis, organizations will be bound to their time frames, and excess retention could result in a violation of privacy laws. However, there is still a degree of plasticity. If there is adequate explanation of the rationale for the retention period, maintenance beyond the initial processing time frame may be permitted provided the risk to data subjects is low.
Conflicts of law and retention
Conflicts of law must be considered when assessing data retention, because a mandatory retention requirement of a federal or national statute may alter the storage time frame. For example, Section 8 of the Sarbanes-Oxley Act stipulates audit documentation must be kept for seven years. The time limitation applies to the financial statements of insurers and all registered investment companies. Additionally, the act does not exempt auditors of foreign issuers. Here, even if specified documentation contains personal data, the documents must be retained despite not being necessary to achieve the articulated purpose. Privacy professionals are likely to face many conflict-of-law issues relating to data retention practices and will have to address them one by one.
When evaluating retention under the GDPR, the question of purpose must be answered. Purpose comprises two layers: first, the purpose for data collection, and second, whether further processing is compatible with it. This multistep process creates the foundation necessary to answer the questions of how one knows when the purpose is resolved and what happens when new objectives arise. Despite the lack of clarity or guidance in the GDPR, Canadian cases evaluating retention practices under PIPEDA Principle 5 may be helpful to those trying to make sense of the retention language of the GDPR.