The purpose specification or limitation principle is often thought to offer significant (or some) protection to data subjects; and the provision of consent is, among other things, to specified processing. But what does it all amount to, on examination?
In the most general terms, meaningful human action must take place in a reason bound or purposive framework. It isn’t possible to act without a reason, purpose or intention. So the data protection requirement cannot be saying that organisations (to put it a bit crudely) must always act with a purpose or intention and avoid doing otherwise. But it seems to me that the principle as currently formulated derives its sense from the possibility of excluding a non-purpose.
It follows then, that one purpose is just as good as another, when it comes to specifying a purpose, and no purpose, narrow or wide, is excluded. Any purpose will do, as long as it isn’t a non-purpose. In other words, the principle doesn’t,as currently formulated, exclude anything; doesn’t provide fairness; and doesn’t make sense.
Of course, in practice it isn’t (or wasn’t) quite like that, because there was an approximate correspondence between what the principle appeared to be suggesting, in terms of fairness, and the contextual reality of the organisations that processed the data, and their (limited) purposes. But that was 1995.
This contextual reality has now changed radically, and not just because of innovations in Information Technology. Organisational processing now reflects a dominant mode of flexible, connected and innovative organisational structures providing multiple services, and with multiple purposes.
What is needed in 2010 is a clearer sense of what a context-independent value like fairness might mean when you are trying to formulate a context-dependent purpose specification principle in a context like that.
You could argue here that purpose specification is meant to restrict the organisational processing to those “limited” purposes for which consent had been provided, as a way of protecting the (weaker) data subject against the data processor; and that context on its own won’t provide that protection, won’t provide fairness. This aspiration applies whatever the context, and even if analytically the current principle doesn’t make much sense.
But I don’t think, if you do take that view, that purpose specification (and perhaps fairness claims as well) can protect the data subject against a data controller pursuing processing modes and multiple organisational purposes that are standard rather than aberrant. There has to be a fit between the legal/regulatory requirement and the contemporary organisational structure. Fairness can’t be made to work that strongly against reality. But fairness claims must be satisfied if the regulatory regime is to be credible and legitimate.
Resolving this tension is the key contemporary data protection challenge, I would suggest, rather than security considerations, or even the focus on the effects of innovative technology, important though both of these are.
Focusing on re-defining the purpose and fairness principles is important because it reflects not just the impact of new technology, but also the way in which you have (a) to draw in a much wider contemporary context than that, and (b) provide an account of how a context-independent value like fairness can be satisfied in that context.