Purpose limitation principle could create the power for citizens to break cascading monopolies

In a riveting talk, Brave Software’s Johnny Ryan explained why the purpose limitation principle could give power to citizens to break cascading monopolies.

There is power in data. This power could become almost suffocating, as companies that collect data for one purpose find that data can enable them to carve out a business in another sector. It’s what Johnny Ryan describes as cascading monopolies.

It one of those dystopian type predictions for the digital age, power begets power, data becomes the weapon used by monopolies to grow their monopoly across sectors. But purpose limitation could thwart their seeming invincibility.

It’s not a new concept, according to Mr Ryan, purpose limitation, was enshrined in US privacy law from the 1970s and the GDPR gives the concept more force and strength.

Indeed GDPR Article 5 (1) (b), states it clearly enough: “personal data shall be…collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’.)”

As Johnny Ryan summarised “you’re going to collect my data for a particular reason, you cannot then go and use my data for some other reason that is not compatible.”

He was speaking as part of Last Thursday, an online all daily selection of privacy-related live talks and seminars organised by the Data Protection World Forum. And on April 30, 2020, Johnny Ryan gave a compelling talk to make privacy advocates and concerned non-experts alike sit up.

Thanks to purpose limitation, “a company (like) Google, Facebook or anyone else, cannot automatically opt you into all of its services, all of its businesses that will become an impossibility,” he said.

He continued: “An awful lot of the data being used, special category data, which could reveal your ethnicity, political beliefs, sexuality and so on” requires consent for it to be used, “it’s the only lawful basis that could be used.”

Under GDPR data subjects can withdraw consent. Since this is the case, argued Mr Ryan, “then data subjects are in a position where the company is actually at their mercy.

“The next time we have a controversy and a delete Facebook moment, we won’t have to have this binary decision, do I want to live with or without out Facebook. Instead, the data subject will essentially be able to lobotomise these companies.”

So that’s some power. Can that be right? Is it correct that thanks to regulations such as GDPR which confers the right to withdraw consent, data subjects can lobotomise companies and strip them of the ability to form cascading monopolies?

In his talk, Johnny Ryan then turned to another issue, what he called the greatest data breach of all time. To find out what he said, read on.


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.