Answer given by Ms Jourová on behalf of the Commission
The Privacy Principles forming part of the EU-US Privacy Shield (Annex II to the draft adequacy decision made public by the Commission on 29 February 2016) in point II.5 expressly prohibit incompatible processing (‘An organisation may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorised by the individual’). This prohibition is not put into question by the obligation for Privacy Shield organisations to offer individuals the opportunity to choose whether their personal information may be used for a purpose that is ‘materially different’ from the purpose for which it was originally collected or subsequently authorised by the individual, as provided for in point II.2a. The opt-out right only concerns cases in which the new purpose is materially different, but still compatible with the original one.
As regards the General Data Protection Regulation (GDPR), in Recital 50 it is stated that the processing of personal data for another purpose than the initial purpose, but compatible with that initial purpose, does not require a separate legal basis. In such a scenario, therefore, the question of consent (and the applicable requirements for such consent) does not arise. In any event, the General Data Protection Regulation will only be applicable two years after its entry into force. As suggested by the Article 29 Working Party (which brings together the EU Data Protection Authorities) in its Opinion 01/2016 on the Privacy Shield, the Commission will assess the need for any adaptations of that framework as part of the upcoming annual joint reviews as referred to in Recital 120 of the draft adequacy decision and Annex I of the Privacy Shield.