Applying the Purpose Limitation Principle in Smart-City Data-Processing Practices: A European Data Protection Law Perspective

Abstract

Protection of privacy rights in the context of smart cities is novel, currently underdeveloped, and a hot topic worldwide. This article examines the purpose limitation of European data protection law in the context of smart cities. The “purpose limitation” principle of the General Data Protection Regulation (GDPR) outlines the ways and means of processing personal data to protect individuals’ fundamental right to personal data protection and related risks. The principle, which empowers controller(s) to process data in a controlled manner, requires that controller(s) process personal data only after meeting two fundamental requirements: they must act on the requirements of purpose specification, and they must perform an “incompatibility test” while processing personal data for further purposes. This article aims to outline the permissible limits of the purpose limitation principle to pursue different purposes in the context of smart cities. Indeed, the principle only applies when controllers process personal data in smart cities. With the authority provided by the principle, data controllers may process personal data for primary and secondary purposes. However, processing purposes cannot go beyond defined restrictions. The study, which is conducted within the European legal framework, deploys a multimethod approach to address different parts of the research question.