The Principle of Purpose Limitation in Data Protection Laws / B. Conceptual definitions as a link for regulation
Contents
1–30
Front matter/Table of contents
31–60
A. Introduction
I. Problem: Conflict between innovation and risk protection
1. Innovation as an economic driver for public welfare
2. Protection against the risks of innovation
3. Uncertainty about the meaning and extent of the principle of purpose limitation
4. Practical examples referring to two typical scenarios
a) Coming from a practical observation: Startups and non-linear innovation processes
b) First scenario: Purpose specification by the controller concerning the use of data of its users
aa) The unpredictable outcome of entrepreneurial processes
bb) Excursus: In which circumstances do data controllers actually need “old” data?
c) Second scenario: The limitation of the later use of data collected by third parties
aa) No foreseeable negative impact on individuals
bb) Negative impact foreseeable on the individuals
5. Interim conclusion: Uncertainty about the concept of protection and its legal effects
II. Research questions and approach
1. Legal research about innovation
2. The regulator’s perspective
3. Possible pitfalls taking the effects of regulation instruments into account
III. Course of examination
61–108
B. Conceptual definitions as a link for regulation
I. Innovation and entrepreneurship
1. Process of innovative entrepreneurship
a) Key Elements for the entrepreneurial process
b) Business Opportunities: Discovery and creation
c) Strategic management: Causation and effectuation
d) Entrepreneurial contexts: The Law as one influencing factor in innovation processes amongst others
2. Regulation of innovative entrepreneurship
a) Do laws simply shift societal costs either protecting against or being open to innovation?
b) Principles between openness toward innovation and legal uncertainty
aa) Legal (un)certainty as a factor that mediates the regulatory burden
bb) Conditioning further legal certainty as a promoting factor for entrepreneurial activity
c) Interim conclusion with respect to the principle of purpose limitation
II. Data protection as a risk regulation
1. Risk terminology oscillating between “prevention” and “precaution”
2. Sociological approaches defining “dangers” and “risks”
3. German legal perspectives: Different protection instruments for different types of threat
a) Protection pursuant to the degree of probability
b) Protection pursuant to the available knowledge in linear-causal and non-linear environments
c) Interim conclusion: Fundamental rights determining the appropriateness of protection
4. Searching for a scale in order to determine the potential impact of data protection risks
III. Theories about the value of privacy and data protection
1. The individual’s autonomy and the private/public dichotomy
2. Criticism: From factual to conceptual changes
3. Nissenbaum’s framework of “contextual integrity”
4. Clarifying the relationship between “context” and “purpose”
5. Values as a normative scale in order to determine the “contexts” and “purposes”
109–596
C. The function of the principle of purpose limitation in light of Article 8 ECFR and further fundamental rights
I. Constitutional framework
1. Interplay and effects of fundamental rights regimes
a) The interplay between European Convention for Human Rights, European Charter of Fundamental Rights and German Basic Rights
b) The effects of fundamental rights on the private sector
aa) Third-party effect, protection and defensive function
(1) European Convention on Human Rights
(a) Positive obligations with respect to Article 8 ECHR
(b) Right to respect for private life under Article 8 ECHR
(2) European Charter of Fundamental Rights
(a) Market freedoms and fundamental rights
(b) The right to data protection under Article 8 ECFR and/or the right to private life under Article 7 ECFR
(3) German Basic Rights
(a) Protection function of the right to informational self-determination
(b) Priority of contractual agreements and the imbalance of powers
(c) Balancing the colliding constitutional positions
bb) Balance between defensive and protection function
(1) The 3-Step-Test: Assessing the defensive and protection function
(2) A first review: decomposing the object and concept of protection
(a) Which instruments actually protect which object of protection?
(b) Example: “Commercialized” consent threatening the object of protection including…
(c) … individuality?
(d) … solidarity?
(e) … democracy?
cc) Equal or equivalent level of protection compared to state data processing?
c) Interim conclusion: Interdisciplinary research on the precise object and concept of protection
2. The object and concept of protection of the German right to informational self-determination
a) Genesis and interplay with co-related basic rights
b) Autonomous substantial guarantee
c) Right to control disclosure and usage of personal data as protection instrument?
d) Infringement by ‘insight into personality’ and ‘particularity of state interest’
e) Purpose specification as the essential link for legal evaluation
aa) In the public sector: Interplay between the three principles clarity of law, proportionality, and purpose limitation
(1) Principles of clarity of law and purpose limitation referring to the moment when data is collected
(2) The proportionality test also takes the use of data at a later stage into account
bb) In the private sector: The contract as an essential link for legal evaluation
f) Interim conclusion: Conceptual link between ‘privacy’ and ‘data processing’
3. Different approach of Article 7 and 8 ECFR with respect to Article 8 ECHR
a) Genesis and interplay of both rights
b) Concept of Article 8 ECHR: Purpose specification as a mechanism for determining the scope of application (i.e. the individual’s ‘reasonable expectation’)
aa) Substantial guarantee of “private life”: Trust in confidentiality and unbiased behavior
bb) Criteria established for certain cases: Context of collection, nature of data, way of usage, and results obtained
cc) Particular reference to the individual’s “reasonable expectations”
(1) ‘Intrusion into privacy’
(2) Public situations: ‘Systematic or permanent storage’ vs. ‘passer-by situations’
(3) ‘Data relating to private or public matters’, ‘limited use’ and/or ‘made available to the general public’
(4) ‘Unexpected use’ pursuant to the purpose perceptible by the individual concerned
dd) Consent: Are individuals given a choice to avoid the processing altogether?
ee) Conclusion: Assessment of ‘reasonable expectations’ on a case-by-case basis
c) Concept of Articles 7 and 8 ECFR: Ambiguous interplay of scopes going beyond Article 8 ECHR
aa) Comparing the decisions of the European Court of Justice with the principles developed by the European Court of Human Rights
(1) General definition of the term ‘personal data’ under Article 7 and 8 ECFR instead of case-by-case approach
(2) Differences between private life and data protection under Articles 7 and 8 ECFR
(a) Protection against first publication and profiles based on public data
(b) Protection against collection, storage, and subsequent risk of abuse
(3) Reference to further fundamental rights under Article 7 and/or 8 ECFR
(a) Which right is used to discuss other fundamental rights?
(b) The answer depends on the type of threat posed
(4) Protection in (semi)-public spheres irrespective of ‘reasonable expectations’?
(5) Going beyond the requirement of consent provided for under Article 8 ECHR
bb) Interim conclusion: Article 8 ECFR as a regulation instrument?
(1) Location of protection instruments under Article 8 ECFR
(2) Protection going beyond Article 8 ECHR
(3) Remaining uncertainty about the interplay between Article 7 and 8 ECFR
cc) Referring to substantial guarantees as method of interpreting fundamental rights in order to avoid a scope of protection that is too broad and/or too vague
(1) The reason for why the scope is too vague: Difference between data and information
(2) The reason for why the scope is too broad: Increasing digitization in society
(3) Advantages and challenges: ‘Personal data’ as legal link for a subjective right
(4) Possible consequence: A legal scale provided for by all fundamental rights which determine the regulation instruments under Art. 8 ECFR
II. The requirement of purpose specification and its legal scale
1. Main problem: Precision of purpose specification
a) ECtHR and ECJ: Almost no criteria
b) Requirements provided for by European secondary law
aa) Central role of purpose specification within the legal system
(1) Scope of protection: ‘Personal data’
(a) ‘All the means reasonably likely to be used’
(b) Example: IP addresses as ‘personal data’?
(c) The case of “Breyer vs. Germany”
(2) Liability for ‘data processing’: ‘Controller’ and ‘processor’
(3) Further legal provisions referring to the purpose
bb) Criteria discussed for purpose specification
(1) Preliminary note: Clarifying conceptual (mis)understandings
(2) Legal opinion on the function of the specification of a purpose
(3) Legal opinion on the function of ‘making a specified purpose explicit’
(4) Legal opinion on the reconstruction of a purpose and its legitimacy
cc) Purposes of processing specified when consent is given
dd) Purposes of data processing authorized by legal provisions
(1) ePrivacy Directive
(2) Data Protection Directive and General Data Protection Regulation
(a) Preliminary note: Clarifying conceptual (mis)understandings
(b) Legal opinion on ‘performance of a contract’
(c) Legal opinion on ‘legal obligation’, ‘vital interests’, and ‘public task’
(d) Legal opinion on ‘legitimate interests’
c) Transposition of the requirement of purpose specification into German law
aa) Purposes of processing authorized by the Telecommunication Law
bb) Purposes of processing authorized by the Telemedia Law
cc) Purposes of processing authorized by the Federal Data Protection Law
(1) Three basic legitimate grounds
(2) ‘Performance of a contract’, Article 28 sect. 1 sent. 1 no. 1 BDSG
(3) ‘Justified interests of the controller’, Art. 28 sect. 1 sent. 1 no. 2 BDSG
(4) ‘Generally accessible data’, Art. 28 sect. 1 sent. 1 no. 3 BDSG
(5) Privileges and restrictions pursuant to the purpose
dd) Purposes of processing specified when consent is given
(1) Not a waiver but execution of right to informational self-determination
(2) Requirements for consent and consequences of its failure
(3) Discussion on the degree of precision of a specified purpose
ee) Comparison with principles developed by the German Constitutional Court
(1) Public sector: Purpose specification as a result of the principle of clarity of law
(a) Function of purpose specification (basic conditions)
(b) Examples for specific purposes: Certain areas of life or explicitly listed crimes
(c) Examples for unspecific purposes: Abstract dangers or unknown purposes
(d) Liberalization of the strict requirement by referring to the object of protection
(2) Private sector: ‘Self-control of legitimacy’
2. Criticism: Stricter effects on the private than the public sector
a) Difference in precision of purposes specified by legislator and data controllers
aa) Data processing for undisputed ‘marketing purposes’ authorized by law
bb) Disputed ‘marketing purposes’ specified by data controllers
cc) Further examples for different scales applied in order to specify the purpose
dd) Can the context help interpret a specified purpose?
ee) A different scale for ‘purpose specification’ pursuant to the German concept of protection
ff) Interim conclusion: Do regulation instruments dictate the scale for ‘purpose specification’?
b) Further ambiguities and possible reasons behind the same
aa) Common understanding about the function of ‘purpose specification’
bb) Ambiguous understanding regarding the functions of ‘making specified purpose explicit’
cc) Arguable focus on data collection for legal evaluation in the private sector
dd) Arguable legal consequences surrounding the validity of the consent
c) The lack of a legal scale for ‘purpose specification’ in the private sector
aa) No legal system providing for ‘objectives’ of data processing in the private sector
bb) Differentiating between the terms ‘purpose’, ‘means’ and ‘interest’
(1) ‘Interests’ protected by the controller’s fundamental rights
(2) Is the ‘purpose’ determined by the individual’s fundamental rights?
bb) Inclusion or exclusion of future ‘purposes’ and ‘interests’
(1) Present interests vs. future interests
(2) Purpose specification pursuant to the type of threat?
d) Summary of conceptual ambiguities
3. Solution approach: Purpose specification as a risk-discovery process
a) Regulative aim: Data protection for the individual’s autonomy
aa) Intermediate function of data protection
(1) Different functions of rights (opacity and transparency)
(2) Disconnecting the exclusive link between data protection to privacy
(3) Data protection for all rights to privacy, freedom, and equality
bb) Purpose specification as a risk regulation instrument
(1) ‘A risk to a right’: Quantitative vs. qualitative evaluation?
(a) Challenges of bridging risks to rights
(b) Example: German White Paper on DPIA
(c) Criticism: Incoherence of current risk criteria
(2) Purpose specification discovering risks posed to all fundamental rights
(a) Pooling different actions together in order to create meaning
(b) Separating unspecific from specific risks (first reason why data protection is indispensable)
(c) Central function with respect to all fundamental rights (second reason why data protection is indispensable of data protection)
(3) Function of making specified purposes explicit
cc) Interim conclusion: Refining the concept of protection
(1) Tying into the Courts’ decisions and European legislation
(2) Advantages compared to existing (unclear) concepts of protection
(a) Effectiveness and efficiency of protection instruments
(b) Appropriate concept for innovation processes
(c) Excursus: Objective vs. subjective risks
b) Fundamental rights which determine purpose requirements
aa) Right to privacy (aka ‘being left alone’)
(1) Unfolding specific guarantees of privacy
(a) At home: Protection of ‘haven of retreat’
(b) Using communications: Protection against ‘filtering opinions’
(c) “Privacy in (semi)-public spheres”: Protection against the risks of later usage of data
(2) Necessity requirement, irrespective of inconvenience
(3) ‘Framing’ privacy expectations
(a) Research on the individual’s decision making process (consent)
(b) First example: The legislature’s considerations on the use of ‘cookies’
(c) Second example: Considerations surrounding ‘unsolicited communications’
bb) Right to self-determination in public
(1) Clarification of substantial guarantees
(2) First publication: Strict requirements
(a) Necessity of publication
(b) Strict requirements for consent
(3) Re-publication: Weighing ‘interests’ against ‘old and new purposes’
(a) Misconceptions in the decision of “Mr. González vs. Google Spain”
(b) Excursus: Case law provided for by the German Constitutional Court
(c) Conclusion in regards to the decision of “Mr. González vs. Google Spain”
cc) Internal freedom of development
(1) Does the German right to informational self-determination provide for such a guarantee?
(2) Discussion on such a substantial guarantee
(3) Articles 7 and/or 8 ECFR: Information pursuant to insights into personality and possibilities of manipulation
dd) Specific rights to freedom
(1) Focus on the collection of data: Omission by the individual of exercising their rights out of fear
(a) Considerations of the Courts with respect to the freedom of expression and the individuals risk of being unreasonably suspected by the State
(b) Considerations on further rights of freedom
(2) Focus on the later usage of data or information: Restriction or hindrance of exercise of rights of freedom through usage of data or information
(3) Interim conclusion: How “privacy in public” can be further determined
(a) Specific contexts of collection of personal data
(b) Later use of personal data in the same context
(c) Protection instruments enabling the individual to adapt to or protect him or herself against the informational measure
ee) Rights to equality and non-discrimination
(1) In the public sector: Criteria for intensity of infringement
(2) In the private sector: ‘Tool of opacity’ vs. private autonomy?
(3) Interim conclusion: Additional legitimacy requirement for the data-based decision-making process
c) Conclusion: Purpose specification during innovation processes
III. Requirement of purpose limitation in light of the range of protection
1. Different models of purpose limitation and change of purpose
a) European models: ‘Reasonable expectations’ and purpose compatibility
aa) Change of purpose pursuant to ECtHR and ECJ
(1) ECtHR: ‘Reasonable expectations’ as a main criteria
(2) ECJ: Reference to data protection instruments instead of ‘reasonable expectations’
(a) Are the terms ‘necessity’, ‘adequacy’ and ‘relevance’ used as objective criteria for the compatibility assessment?
(b) Purpose identity for the consent
bb) Compatibility assessment required by the Data Protection Directive with respect to the opinion of the Art. 29 Data Protection Working Party
(1) Preliminary analysis: Pre-conditions and consequences
(2) Example: The expectations of a customer purchasing a vegetable box online
(3) Criteria for the substantive compatibility assessment
(a) First criteria: ‘Distance between purposes’
(b) Second criteria: ‘Context and reasonable expectations’
(c) Third criteria: ‘Nature of data and impact on data subjects’
(d) Fourth criteria: ‘Safeguards ensuring fairness and preventing undue impact’
(4) Excursus: Compatibility of ‘historical, statistical or scientific purposes’
(a) Specification of the compatibility assessment (even prohibiting positive effects)
(b) Safeguards corresponding to the characteristics of the purposes
(c) Hierarchy of safeguards: From anonymization to functional separation
cc) Purpose identity required by the ePrivacy Directive
(1) Strict purpose identity for the processing of ‘communication data’, ‘traffic data’ and ‘location data other than traffic data’
(2) The individual’s consent as an exclusive legal basis for a change of purpose
dd) Interim conclusion: A lack in the legal scale for compatibility assessment
b) German model: Purpose identity and proportionate change of purpose
aa) Change of purpose in the private sector pursuant to ordinary law
(1) Strict purpose identity required by Telemedia Law and Telecommunication Law
(2) The more nuanced approach established by the Federal Data Protection Law
bb) Comparison with the principles developed by the German Constitutional Court for the public sector
(1) Strict requirement of purpose identity limiting the intensity of the infringement
(2) Proportionate change of purpose
(3) Identification marks as a control-enhancing mechanism
cc) Alternative concepts provided for in German legal literature
(1) Purpose identity and informational separation of powers
(a) Purpose specification by the individual instead of the controller
(b) Principle of purpose limitation and informational separation of powers
(c) Example of re-registration: Collection and transfer of data on the citizen’s request
(2) Compatibility of purposes
(a) Criticism of the “subjective” purpose approach
(b) Compatibility instead of identity of purposes
(c) Supplementing protection instruments
(3) Purpose identity and change of purpose as ‘a threshold for duty of control’
(a) Criticism of purpose compatibility
(b) Specification, identity and change of purpose as equivalent regulation instruments
(c) The opposing fundamental rights providing for the objective legal scale
dd) Interim conclusion: Right to control data causing a ‘flood of regulation’
2. Solution approach: Controlling risks that add to those specified previously
a) Conceptual shift: From the exclusion of unspecific risks to the control of specific risks
aa) Different types of changes of purpose in light of different types of risks
(1) Purpose compatibility as an “umbrella assessment”
(2) Custer’s and Ursic’s taxonomy: “Data recycling, repurposing, and recontextualization”
(3) Clarification of an objective scale: “Same risk, higher risk, and another risk”
bb) Refinement of current concepts of protection
(1) Article 8 ECFR and European secondary law
(a) “Purpose identity” forbidding additional risks (than specified before)
(b) Further protection instruments that can avoid purpose incompatibility
(c) Systemizing the criteria for the compatibility assessment
(2) Right to private life under Article 8 ECHR and the right to informational self-determination
cc) Applying a ‘non-linear perspective’
b) Substantial guarantees: Providing criteria for a compatibility assessment
aa) Right of ‘being left alone’: ‘Reasonable expectations’ determined by risks
bb) Self-representation in the public: A balancing exercise instead of purpose determination
cc) Internal freedom of development: Specific instead of preliminary information
dd) External freedoms of behavior: Purpose identity as one potential element amongst several protection instruments
ee) Equality and non-discrimination: Specifying incompatible purposes in the course of social life
c) Conclusion: Purpose limitation in decentralized data networks
IV. Data protection instruments in non-linear environments
1. Scope of application and responsibility (Article 8 sect. 1 ECFR)
a) Problems in practice: A balance between too much and too little protection
aa) How data may be related to an individual
bb) Anonymization of personal data
cc) Again: The problem of a “yes-or-no-protection” solution
b) Alternative solution: Scope(s) pursuant to the type of risk
aa) Theoretical starting point: Different levels of protection
(1) Pro and cons for precautionary protection against abstract dangers
(2) Abstract precautionary protection only in cases of special danger
(3) Advantages of a nuanced approach
bb) Differentiating between the general scope of protection and the application of specific protection instruments
(1) General scope of protection enabling specification of purpose (aka risk)
(2) Application of protection instruments determined by specific risks
(a) Rights to privacy
(b) Right of self-representation in the public
(c) Internal freedom of behavior
(d) Rights to freedom and non-discrimination
(3) Again: General scope of protection requiring data security (against unspecific risks)
c) Excursus: Responsibility (“controller” and “processor”)
(1) Cumulative responsibility for precautionary protection
(2) Cooperative responsibility for preventative protection
2. Legitimacy of processing of personal data (Article 8 sect. 2 ECFR)
a) Same measures but differently applied in the public and private sector
aa) Different risks in the public and private sector
bb) Example: Requirements to specify the purpose and limit the processing at a later stage
cc) Legal-technical constraints surrounding the prohibition rule
b) Possible approaches of regulation in the private sector
aa) Classic instruments: Specific legal provisions, broad legal provisions, and/or consent
bb) Conceptual shift: From a legal basis to ‘legitimacy assessment’
cc) Side note: State regulated self-regulation increasing legal certainty
dd) Interplay of consent and legal provisions
c) Interim conclusion: Balancing the colliding fundamental rights
3. The individual’s “decision-making process” (in light of the GDPR)
a) Static perspective: Opt-in or opt-out procedure for consent?
aa) Classic discussion regarding current data protection laws
bb) Further approaches considered by the legislator and Constitutional Courts
cc) Requirements illustrated so far, with respect to different guarantees
b) Dynamic perspective: Interplay of several protection instruments
aa) Consent: “Later processing covered by specified purpose?”
(1) Risks as object of consent (not data)
(2) Extent of consent limiting the later use of data (instead of being illegal as a whole)
(3) Change of purpose: Opt-out procedures for higher and opt-in procedures for other risk
bb) Clarifying recital 50 GDPR: “Separate legal basis if purpose not compatible”
(1) Arg. ex contrario: Is an incompatible purpose legal on a separate legal basis?
(2) Differentiating between “not compatible” and “incompatible” purposes
(3) Assessment of safeguards that ensure that purposes do not (definitely) become incompatible
cc) Legal basis and opt-out: Change of purpose
(1) Opt-out: A risk-reducing protection instrument
(2) Examples: New risks not covered by consent (in light of the specified purpose)
(3) Examples: New risks not covered by a former applicable provision
dd) Information duties and further participation rights
(1) Controller’s duties of information
(a) Data collection: Customizing information in relation to daily decision-making processes
(b) Change of purpose: Interpreting information duties regarding specific risks
(c) Profiling and automated decision-making
(2) Individual’s right to rectification
c) Conclusion: Specifying the decision-making process (Art. 24 and 25 GDPR)
597–648
D. Empirical approach in order to assist answering open legal questions
I. Clarifying different risk assessment methodologies
1. Different objects of risk assessments
a) Risk-based approach of purpose specification and limitation (Art. 5 sect. 1 lit. b GDPR)
b) Data Protection Impact Assessment (Art. 35 GDPR)
c) Further methodologies (technology assessment and surveillance impact assessment)
2. Different assessment methods
a) Examining abstract constitutional positions from a social science perspective
b) Pre-structuring interests through multiple-stakeholder and expert participation
c) Specifying ‘decision-making process’ by user-centered development of data protection-by-design
3. Interim conclusion: Unfolding complexity
II. Multiple-case-studies: Combining research on risks with research on innovation processes
1. Reason for the case study approach
2. Generalizing the non-representative cases
3. Designing the case studies
III. Researching the effects of data protection instruments in regards to innovation processes
1. Enabling innovation: Contexts, purposes, and specifying standards
a) Enabling data controllers to increase legal certainty
b) Enhancing competition on the “data protection” market
c) Remaining questions in relation to the effects of legal standards
2. Demonstration on the basis of the examples provided for in the introduction
a) Example of “personalized advertising”
aa) Preliminary legal analysis
(1) Initial product and business model: Internal freedom of development
(2) Change of product and business model: No substantive change of purpose
bb) Open legal questions (‘propositions’)
(1) Standardization of “personalized marketing” purpose
(2) Competitive advantage
b) Example of “anonymized data for statistic/research purposes”
aa) Preliminary legal analysis
(1) Processing of public personal data: Self-determination in public
(2) The taxi driver: Attributing anonymized data to passengers
bb) Open legal questions (‘propositions’)
(1) Standardization of “statistical” or “scientific” purposes
(2) Competitive advantage
c) Example of “scoring in the employment context”
aa) Preliminary legal analysis
(1) Re-publication of personal data: fair balance instead of a priority rule
(2) Freedom to find an occupation: Participation instruments
bb) Open legal questions (‘propositions’)
(1) Standardization of “profiling potential employees”
(2) Signaling legal certainty (to the “workers’ council”)
5. Summary: Standardizing “purposes” of data processing
649–654
E. Final conclusion: The principle of purpose limitation can not only be open towards but also enhancing innovation
655–676
Bibliography
CC-BY
Access
The Principle of Purpose Limitation in Data Protection Laws, pages 61–108
B. Conceptual definitions as a link for regulation
Author
Maximilian von Grafenstein
DOI
doi.org/10.5771/9783845290843-61
ISBN print: 978-3-8487-4897-6
ISBN online: 978-3-8452-9084-3