Applying the Purpose Limitation Principle in Smart-City Data-Processing Practices: A European Data Protection Law Perspective

Abstract
Protection of privacy rights in the context of smart cities is novel, currently underdeveloped, and a hot topic worldwide. This article examines the purpose limitation of European data protection law in the context of smart cities. The “purpose limitation” principle of the General Data Protection Regulation (GDPR) outlines the ways and means of processing personal data to protect individuals’ fundamental right to personal data protection and related risks. The principle, which empowers controller(s) to process data in a controlled manner, requires that controller(s) process personal data only after meeting two fundamental requirements: they must act on the requirements of purpose specification, and they must perform an “incompatibility test” while processing personal data for further purposes. This article aims to outline the permissible limits of the purpose limitation principle to pursue different purposes in the context of smart cities. Indeed, the principle only applies when controllers process personal data in smart cities. With the authority provided by the principle, data controllers may process personal data for primary and secondary purposes. However, processing purposes cannot go beyond defined restrictions. The study, which is conducted within the European legal framework, deploys a multimethod approach to address different parts of the research question.

relevant information, such as names, addresses, e-mail addresses, personal identification numbers, payment information, location data, and others. For smooth and convenient functioning, the app has a feature of saving these items so that you do not have to give all your information every time you use public transport. Usually, you use the same route, and costs are fixed. One day, you suddenly receive hundreds of e-mails and post mails to your home address from different bus companies offering you bus tickets on your regular routes at a competitive price. The offer also mentions that you can make payments using the same payment gateway that you are using now in the city network. How would you feel about your data privacy? This situation gives rise to many logical questions. Do I have any control over my data once they are shared or collected in exchange for city services? The answer is yes, but what are the legal implications?
Everyone in the European Union has a right to protect their data. The right to "personal data" 1 protection has become a fundamental right, directly enforceable within the European Union (EU) legal system. In 2009, the Lisbon Treaty 2 gave the Charter of Fundamental Rights of the European Union (the Charter) 3 the status of a constitutional treaty of the European Union, meaning that the Charter became directly enforceable throughout the EU. 4 Article 8 of the Charter is concerned with the right to personal data protection. Under a provision of Article 8, the right to personal data protection became directly enforceable. Article 16(1) of the Treaty on the Functioning of the European Union also endorsed the right to personal data protection as a fundamental right. 5 Article 8 of the Charter further outlines the purpose limitation 6,7,8 principle as a tool for securing the right. Moreover, as far as personal "data processing" 9 is concerned, the EU General Data Protection Regulation (GDPR) applies generally. 10 Article 5(1) (b) GDPR addresses and holistically applies the principle. This means that no one is presidential election campaigns for Donald Trump and Ted Cruz and manipulated voters through targeted advertisements using their data. 24 Furthermore, lack of data protection incurs unnecessary costs related to cybercrime and causes damage to societal reputation. 25 What do privacy harms look like in smart cities at the individual level? Generally, harms incurred by privacy violations relate to physical, economic, reputational, psychological, autonomic, discriminatory, and related harms. 26 There is a growing fear around smart cities about potential abuse or unauthorized use of personal data 27 that the ecosystems collect while offering city-related services. 28 Technological processing of personal data can diminish human autonomy in informational self-determination. 29 Processing for uncontrolled purposes can create privileged classes within society. 
According to the special Eurobarometer 431 survey, two-thirds of 28,000 respondents are concerned about losing control over the information that they provide. Also, almost 70% are concerned with "functional creep." 30 Around 60% demonstrated a lack of trust in technology-providing actors such as telecom companies, service providers, and businesses. Once data are handed over, controllers 31 of smart cities may use data for different unauthorized purposes to pursue their unlawful interests, 32 such as de-risking smart-city investments, 33 to the detriment of residents' data protection rights. Examples of unauthorized purposes may relate to any purpose that is beyond smart-city services and detrimental to human privacy, such as various forms of unauthorized surveillance 34,35 using geo-tracking, video surveillance 36 using facial recognition technology (FRT), automatic number plate recognition technology, 37 analyzing digital footprints, profiling, predictive governance, and others. 38 Moreover, data compromise can damage the integrity and reputation of individuals and creates a lack of trust in e-services. 39
To attain the aims of this study, this article addresses a research question: To what extent can data controllers process data to pursue various purposes under the purpose limitation principle in a smart-city data-processing ecosystem? To meet the aim, this article sets different objectives. First, it analyzes purpose limitations in the context of a smart city. Second, it analyzes different types of data that are processed in smart cities. Third, it analyzes the various purposes that controllers process personal data for in smart cities. Fourth, the article discusses the findings and argues finally that the purpose limitation strictly delimits the purposes of processing personal data in a smart city's personal data processing ecosystem. The article introduces what is the permitted paradigm, not what can be done.
24 Id. at 125.
25 BARGH, supra note 18 at 14.
28 Vojkovic, supra note 17 at 1297.
29 Urquhart, supra note 27; Jiahong Chen, The Dangers of Accuracy: Exploring the Other Side of the Data Quality Principle, 4 EUR. DATA PROT. LAW REV. 36-52 (2018).
30 Functional creep refers to the phenomenon when data are collected for one purpose but are used for other irrelevant purposes, not related to the initial purpose.
31 The service-providing stakeholder(s) are referred to as the data controller(s). Article 4(7) GDPR states, "'Controller' refers to 'the natural and legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data."
34 Reuter, supra note 16 at 3.
35 Pali and Schuilenburg, supra note 33 at 779-780.
36 EUROPEAN DATA PROTECTION BOARD (EDPB), Guidelines 3/2019 on Processing of Personal Data Through Video Devices 1-33 62 (2020).
37 CHRISTOFI, supra note 11 at 4.
38 Reuter, supra note 16 at 7.
39 BARGH, supra note 18 at 14.
This study deploys a multimethod approach to address different parts. First, it uses pure doctrinal or traditional legal research methods to analyze and determine the purpose limitation principle in the context of smart cities. While doing so, it introduces three real-life smart-city data-processing cases that are used as vignettes throughout the article to test the results. Then it theorizes the purpose limitation principle of the GDPR in the context of smart-city data-processing purposes and analyzes the cases as the article proceeds. For data collection, I used relevant laws, case laws, authoritative opinions, and recommendations. In addition, I collected relevant literature from different databases and performed a normative analysis of data.
This first section has introduced the topic. The second section identifies the research gap after engaging with relevant works from the literature. The third section explains the principle in the context of a smart city. The fourth section analyzes the nature of processed data in a smart-city context and application of the principle in context. The fifth section examines the permeable purposes under the principle in the smart-city context. Discussions follow in the sixth section, which helps develop the argument, and conclusions follow in the seventh section.

Literature Review
This study addresses the relevant literature on smart cities and the standpoint of the GDPR's purpose limitation principle.
It is established that, when processing personal data, 40 the purpose limitation principle is key in terms of data protection regulation under the EU, 41 which undoubtedly has a deep-rooted background within European law. 42 The reasoning is partly that the purpose limitation principle has the potential to authorize the processing of personal data 43 while considering the associated risks, 44 processing via technologies. 45 In addition, it ensures legal certainty related to privacy, 46 privacy rights, 47 nondiscrimination, 48 democracy, 49 human autonomy, 50 and lawful 51 and proportionate 52 processing of personal data. 53 The principle allegedly provides ex ante protection 54 against unauthorized processing. However, some scholars disagree. For example, Benyahya, Bargh, and others claim that controllers have been violating the purpose limitation in smart cities from the outset. 55 The reasons may include a lack of multidisciplinary knowledge related to law and technology 56 and a tendency toward maximizing data. 57 Therefore, the principle itself requires further study in smart-city contexts.
44 Vojkovic, supra note 17; Malgieri, supra note 32.
It is historically unanimous that cities serve the interests of city residents. 58 So does smart urbanism, 59 and the data protection framework maximizes those interests by regulating innovation in smart cities 60 while minimizing the risk of data compromise. 61 However, smart cities show pervasive data-processing behavior as it represents the traditional tools of privacy harms such as undue surveillance and control as essential elements of governance within their infrastructure. 62 The emergence of certain privacy-unfriendly processing technologies such as big data analytics, facial recognition, and the like is responsible for that. 63 They are always at odds with the principle, 64 so processing personal data using such technology may not be possible under the principle. However, processing nonpersonal data is possible, 65 as the principle does not apply. The purpose limitation principle of the GDPR applies to smart cities when smart-city data controllers process inhabitants' data. 66
49 Reuter, supra note 48 at 385.
50 Chen, supra note 29; CHRISTOFI, supra note 11.
51 Solove and Citron, supra note 26 at 862.
52 SECURITY RISK MANAGEMENT FOR THE INTERNET OF THINGS, 12 (John Soldatos ed., 2020).
53 EUROPEAN COUNCIL, supra note 7; Vogiatzoglou and Valcke, supra note 6.
54 Grafenstein, supra note 41 at 197.
55 Benyahya et al., supra note 27 at 7.
56 Birnhack, Toch, and Hadar, supra note 12 at 55.
information using communication technologies 67 among themselves, so the system must include purpose limitations 68 under GDPR requirements. 69 Controllers are responsible for demonstrating the application of the principle into their data-processing system, as they decide on the purposes of the processing. 70 It is possible. 71 Most studies mistakenly consider only private entities as controllers that pursue business, city, public, and legitimate purposes 72 in a smart city.
Again, some scholars mistakenly understand smart cities as digital platform economies like Spotify, Netflix, Fitbit, and others. 73 However, the similarity only applies to the extent private companies act as data controllers, whereas, according to the European Data Protection Board, a smart city comprises both public and private institutions as data controllers. 74 Since the principle applies to each processing activity 75 concerning smart-city services 76 such as providing smarter transportation, water management, and law enforcement, 77 and the law considers anyone who determines the purposes of processing data as controllers, assurance of holistic application of the principle will clarify the liability of controllers in general.
The norms of the purpose limitation principle have proved to be insufficient in outlining lawful data-processing grounds in smart-city infrastructure. 78 Problem solvers of smart cities tend to solve social, economic, and political problems using technologies, whereas social problems cannot be solved using technology alone. 79 Likewise, technology cannot solve legal problems alone. One way to solve legal problems is by analyzing discourses related to human rights. 80 Though many studies are available on purpose limitations and smart cities, none is available that holistically addresses the principle in the smart-city context. Most studies address the research topic in a very limited and scattered manner. Some focus on the meaning, and on weaknesses of the principle, and some on its importance. Almost nothing has been found that studied further processing for archival purposes through a purpose limitation lens in a smart-city context. Again, studies related to smart cities mostly focus on analyzing data protection technologies through privacy-restrictive lenses; very few use privacy-friendly lenses. Those that offer privacy-friendly theories do not address the principle in smart cities. This article holistically addresses the purpose limitation principle to determine how it facilitates processing of personal data for different purposes in a smart-city context. While doing so, it considers both public and private authorities as smart-city controllers, as they are alike responsible for complying with the principle.
79 Reuter, supra note 48.
80 Id.

Purpose Limitation Principle in the Context of a Smart City
The GDPR is not the first law to incorporate the purpose limitation principle, and its history is well established. The same principle can be found in other instruments. For instance, while outlining "purpose specification," the United Nations (UN) stated that personal data have to be processed for specified purposes, and those purposes have to be consistent with the mandates of the UN System Organization, and data must not be processed for incompatible purposes. 81 The revised 2013 version of the Organization for Economic Cooperation and Development (OECD) guidelines iterates that initial and subsequent processing activities of personal data have to be limited to the purpose that is specified at the time of collecting the data and each time the purpose changes. 82 The Council of Europe, in its Treaty 108, Article 5, considers personal data processing while maintaining data quality principles. 83 Article 8(2) of the Treaty reaffirmed the fair and specified purpose-based processing of personal data. In this regard, the language of the repealed data protection Directive 84 and the GDPR are identical.
While outlining the principle, Article 5(1) (b) GDPR states: Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Art. 89 (1), not be considered to be incompatible with the initial purposes.
The principle incorporates certain terms, conditions, and elements within the provision that will help attain the aim and objectives of the study. First, by referring to personal data, the provision makes it clear that the principle applies only when data controllers process personal data. That means that while processing nonpersonal data, this principle does not apply. Second, the first processing activity that the principle concerns is data collection. Third, personal data collection must be done for "specified, explicit, and legitimate" purposes, which are referred to as initial purposes in the last line. Fourth, further processing of collected data is allowed unless incompatible with those initial purposes. Fifth, further processing for archiving purposes in the public interest, as scientific or historical research, or for statistical purposes will not be considered to be incompatible with the initial purposes.
Based on this dissection, purpose limitation comprises two core elements: 85
i. Purpose specification: The first processing activity must be done for initial specified, explicit, and legitimate purposes.
ii. Compatibility: Collected data can be processed further unless it is incompatible with the initially declared and agreed purposes.
What do these elements mean? What is their scope? How can data controllers know if certain processing is incompatible with the primary purposes? What are the elements of the compatibility test? These questions are discussed in this section in a smart-city context. In addition, data controllers may further process the collected data for archiving purposes in the public interest, as scientific or historical research, or for statistical purposes; here, processing will not be considered incompatible with the initial purposes. It appears that further processing for these purposes receives special status. Can personal data processing for these purposes always be considered compatible with initial purposes? If not, in what circumstances can personal data be processed for these purposes? I discuss this topic in the latter part of this section.
In smart cities, the principle applies in smart-city data-processing practices if data controllers process personal data only. Data controllers must apply the principle from the first personal data-processing activity: collecting it. Data controllers may collect personal data for city services, for example, offering smart mobility, smart grid services, enhanced public safety, and other services related to health and social welfare. 86 But do controllers process personal data only? What types of data do controllers usually process in a smart-city context? It is apparent from the previous discussion that the principle accommodates certain flexibilities through further processing provisions. Further processing of collected data is allowed until it becomes incompatible with the initial purposes. Again, this considers data processing for archival purposes in the public interest, as scientific or historical research, or for statistical purposes as not incompatible with initial purposes, even though it may concern purposes not related to smart cities at all. Using the double negation "not incompatible" instead of compatibility for prohibiting processing is a sign of providing flexibility while processing personal data. 87 It encourages further processing until it becomes incompatible either with the initial purposes or with other specified purposes. 88 This means that collected data can be processed for purposes related to initial purposes. 89 Utilizing this flexibility, data controllers may conduct further processing of collected data for purposes that may or may not be related to the initial purposes concerning a smart city. Nevertheless, purposes not related to smart cities must pass a compatibility test.
To illustrate real-life cases in terms of applying the principle, I choose and analyze vignettes from different regions. Examples from different territories are analyzed under this GDPR principle. Since not all regions address and provide a remedy for privacy harms at the same level, it helps to validate the results. For example, the EU GDPR provides the highest level of privacy protection. 90 The United States provides medium or moderate protection, 91 while China provides very weak or low protection in comparison with the EU and the United States. 92
86 Nokia, Smart City Services That Enrich Lives, https://www.nokia.com/networks/use-cases/smart-city-services-that-enrichlives/ (last visited Dec. 6, 2021).
87 ARTICLE 29 DATA PROTECTION WORKING PARTY, supra note 40.
88 Id.
Applying the meaning of the principle to the vignettes, city authorities in Italy, Germany, Atlanta, Chicago, and Chongqing must presumably outline to their residents all the purposes they plan to pursue at the time of collection. But the purposes must be specific, explicit, and legitimate. If they want to process to pursue further purposes, they can do so as long as this is compatible with the initial specific, explicit, and legitimate purpose(s).
Italy and Germany do not need to apply the principle, as they process anonymous aggregated data, which are nonpersonal data. Thus, the purpose limitation does not apply. However, if they had used personal data then they would have been responsible for outlining the purposes related to control of the COVID pandemic, creating consensus, and motivating residents.
In the case of Atlanta and Chicago, these cities must outline all the purposes related to projections of the time and location of crimes and intervention at the time of collection. Further processing must be compatible with the purposes outlined. In the case of China, Chongqing must outline the purpose of identifying criminals, and further processing also must correspond to the purpose of identifying criminals. Whether purposes are legitimate or not is discussed later in the relevant section. For all these cities, purposes can also relate to archiving in the public interest, scientific or historical research, or statistical purposes. Now the analysis turns to the two major components of the principles. 98

Purpose Specification Related to the Smart City
According to purpose specification, initial purposes have to be "specific, explicit, and legitimate." The European Data Protection Supervisor (EDPS) opines that the law must ensure that data controllers process personal data for a well-defined, specific, and legitimate purpose. 99

Vignettes
First, in the EU, since the inception of the COVID pandemic, the city authorities of Italy and Germany have been using anonymous and aggregated data from mobile operators on the movement and assembly of residents in COVID-prevalent areas as a mechanism of control. 93 While doing so, cities focused on consensus, creating good behavior through information and motivation. 94 Second, in the United States, IBM deploys and uses artificial intelligence (AI) surveillance technologies to project the time and location of crimes, 95 and intervenes against suspects accordingly in the cities of Atlanta and Chicago. For this, cities analyze personal data related to interactions in social media, location, movement, video, automated license plate recognition, and facial recognition. 96 Third, in China, the most surveilled city, Chongqing, uses FRT to identify criminals. 97
93 Kummitha, supra note 92 at 5.
94 Id. at 5.
95 Pali and Schuilenburg, supra note 33 at 779.
96 Id. at 779.
"Specified purpose" means a sufficiently defined purpose, which limits the scope of processing activities. 100 The purpose must be specified before the first processing, that is, before the collection of personal data. In a smart city, personal data may be collected from the data subject, 101 while other sources such as groceries may be purchased using smart delivery services, but the purchase history may be attached to customer profiles from which other retailers may use the data to offer discounts on similar products. In any case, data controllers must separately notify the data subject of all the purposes of data collection, irrespective of whether data are collected directly from them or not. 102 Moreover, subsequent controllers will inherit the initial purposes and responsibilities defined and agreed upon by antecedent controllers. 103 The specification cannot be vague or general such as "improving user experience, future research, marketing, cyber security, etc.," which is too general and thus not acceptable. 104 Rather, the specification has to be highly focused and user-friendly, such as saving and storing user ID and passwords in the application so that the user does not have to key them in every time they log in for city services, or to use location data for notifying air pollution in a particular area, or researching the reasons behind the waning popularity of autonomous vehicles, and so on. If controllers collect data for more than one purpose, then they should mention all of them before collection. Conducting processing based on specified and informed purposes is an indicator of complying with lawful, fair, and transparent data-processing behavior. 105 Everything altogether denotes that those purposes have to be narrowly specified. The European Court of Human Rights (ECtHR) has also affirmed the specific nature of purposes. While applying this notion in a case, the ECtHR became deeply critical and ruled that even journalistic activity and journalistic purposes are not the same. 106
Applying the vignettes, European cities do not need to abide by the principles in this case as the principle does not apply. Atlanta and Chicago must outline the specific parts of projecting the time and location of crimes. A mere statement of law enforcement purposes is not enough. If the purposes involve identifying risks, previous crimes, gathering evidence, or identifying suspects, then controllers must outline all the purposes specified. The same applies to Chongqing. A mere statement about identifying criminals is not enough. If the purposes involve matchmaking, analysis of biometric traits, identification by a witness, or others, then controllers must outline all the purposes specified.
"Explicit purpose" denotes an unambiguously informed purpose, and the notion of "hidden purpose" may be used to understand the scope of explicit purpose. 107 The act of informing needs to be done in a clear and intelligible form such that all the relevant stakeholders, such as data subjects, data controllers, their instructed processors, and supervisory authorities, must perceive the same meaning, irrespective of their background and needs. 108 What this entails for a smart-city data controller is that they may communicate purposes through public declarations, and/or to data subjects in different official languages, and/or after being authorized by the local data-protection authorities. 109 This contributes to transparency, predictability, user control, 110 and trust. 111 Data controllers must understand that the responsibility for transparent processing rests entirely on them. To support that claim, changes in certain phenomena need to be realized. In the smart-city context, the web of flawless personal data collection networks through deployment of data collection sensors leaves almost no escape but to provide personal and nonpersonal data voluntarily and involuntarily to data controllers. 112 Data controllers can process personal data that are provided voluntarily by data subjects but are barred from processing personal data that are not provided by data subjects in the first place. However, what if data controllers purchase browsing history from Web browsers? Can they combine these data with their location data or grocery purchase history to offer the best customized products? Personal data are collected from public spaces, applications, and thousands of sensors deployed throughout city areas, over which data subjects have barely any control because data controllers may inform them that data may be processed for direct marketing purposes. However, data subjects can exercise their right to object under Article 21(1) in those situations, though data controllers may continue processing if their business interests are greater than the data subjects' privacy interests. 113 That shift indicates that data are not always collected directly from data subjects, which is why data controllers have to be explicit about informing data subjects about the purposes of processing.
100 ARTICLE 29 DATA PROTECTION WORKING PARTY, supra note 40 at 12.
101 In this study, city dwellers or residents are referred to as data subjects (DS). Though the definition of "data subject" is not directly mentioned in the GDPR, it can be derived from Art. 4(1) GDPR. Data subject refers to "an identified or identifiable natural person" to whom any personal information is related directly or indirectly.
Applying the vignettes, the explicit requirement forces all city authorities to communicate their purposes to data subjects as data are not always collected directly from data subjects but, rather, can be derived within the network. That is why it is important to effectively communicate the purposes of possessing data, if practicable, using public declarations, translating into different languages that data subjects understand, or any other manner that the local data-protection authorities authorize.
The last requirement, "legitimate purpose," refers to the lawful legal bases of personal data processing as outlined in Article 6(1) GDPR. Put differently, this means that data controllers must rely on one of the lawful data-processing grounds outlined in Article 6(1). Relying on at least one lawful ground is the minimum, as the meaning may go beyond the scope of the article as far as it qualifies the notion "in accordance with law." 114 This notion is discussed further in the next paragraph. Thus, this element brought two minimum cumulative requirements for processing personal data:
i. the purpose limitation principle under Article 5(1), 115 and
ii. one of the legal bases under Article 6(1), as outlined in its subparagraphs 6(1), (a) to (f). 116
For example, processing can be conducted based on:
Article 6(1) (a), consent.
Article 6(1) (b), contract.
Article 6(1) (c), processing for legal obligation purposes.
Article 6(1) (d), processing to protect the vital interests of others.
Article 6(1) (e), processing for a public task for public interest purposes.
Article 6(1) (f), processing for the legitimate interests of controllers and other third parties.
108 Id. at 17.
109 Id. at 18.
110 Id. at 17.
Additionally, in a broader sense, legitimate purposes may go beyond Article 6(1) GDPR and extend to all forms of written law within the EU and domestic legal systems. 117 That is why, in addition to Article 6(1), processing can be conducted based on: Article 6(4), namely, processing for purposes other than the initial purpose. Article 9(2) (g), processing sensitive personal data for purposes relating to substantial public interest. Article 9(2) (i), processing sensitive personal data in the public interest. Article 9(2) (j), processing sensitive data for archiving purposes. Article 10, processing personal data relating to criminal convictions and offenses, and Article 89, safeguards and derogations relating to the processing under the GDPR or any other primary or secondary law, bylaw, municipal law, or constitutional precedents as long as it qualifies under the notion "in accordance with law." 118 However, activities that are not under Article 6 or fall outside Article 5(1) are not the subject matter of this article.
In the smart-city context, it is a common practice for data controllers to collect personal data that have been directly or indirectly collected from data subjects, and process them for other legitimate purposes related to: the public interest, data subjects' interests, other natural persons' interests, data controllers' business interests, 119 research, study, statistical, historical, or archiving, and Big Data purposes.
114 ARTICLE 29 DATA PROTECTION WORKING PARTY, supra note 40 at 12.
115 Purpose specification is a pre-requisite for other data quality requirements, Id. at 12.
116 ARTICLE 29 DATA PROTECTION WORKING PARTY, supra note 40; HELLENIC DATA PROTECTION AUTHORITY, supra note 45.
117 ARTICLE 29 DATA PROTECTION WORKING PARTY, supra note 40 at 20.
118 Id. at 20.
Analyzing the vignettes, cities must rely on lawful bases before processing data for COVID monitoring, public consensus, projecting crime (time and location), and identifying criminals. Legal validity may derive from consent, contract, public interest, vital interests of others, public tasks, legitimate interests of controllers, and others. Each base can be analyzed in the context of smart cities, which again is not a matter for this article. However, it must be kept in mind that merely relying on consent might not be enough in smart cities, 120 as data subjects are not in a position to bargain or exercise consent management effectively. In these cases, additional bases are required.
Thus, what is meant by purpose specification is that it obliges smart-city data controllers to process personal data based on all the data-processing principles under Article 5(1), and at least one of the lawful grounds for processing under Articles 6(1), 9, 10, and 89 GDPR. This is the minimum requirement.

Compatibility Test Under the GDPR Related to the Smart City
The second element is "compatibility." This concerns the phenomenon when personal data are collected for one purpose but the controllers intend to use them for another purpose in a lawful manner. This means the "compatibility principle" applies to further processing after collection. According to the Article 29 Working Party, any processing following collection, whether for the purposes initially specified or for any additional purposes, must be considered 'further processing' and must thus meet the requirement of compatibility. 121 Compatibility within the GDPR can be tested under several provisions. First, whether further processing is incompatible with the initial purposes can be tested under Article 6(4) GDPR. 122 Second, whether further processing for archiving in the public interest, historical, scientific, or statistical purposes (Article 5(1)) is incompatible with the initial purposes can be tested in collaboration with Article 89.
Further Processing for Testing Incompatibility Under Article 6(4) GDPR
Under Article 6(4), data controllers should consider the following 123 : First, the "link" between the initial purpose and the intended purpose should be considered. 124 The relationship between initial and further processing or new intended purposes is analyzed here. The greater the distance, the less this is compatible with the initial purposes. 125 For example, if personal location data are collected to suggest a travel route within a city, and a restaurant situated in the destination area sends its marketing offer, then this may be incompatible.
Article 6(4) (b) says to consider the "context" of data collection regarding the relationship between data subjects and controllers. The principle of reasonable expectation may be applied here. 126 Depending on the intensity of surprises, the more surprised the data subject is about further processing activity, the more likely it is that particular further processing will be incompatible. To put it differently, the more unexpected processing will affect a data subject, the more likely it is that processing will be incompatible. If data controllers collect payment data in exchange for delivery services and later charge automatically for public transport usage, then this may be incompatible.
Article 6(4) (c) entails seeing the "category" of personal data that is subject to processing, since special categories of personal data or sensitive data require additional bases as provided in the GDPR as well as other laws for processing. 127 For instance, personal video data may be collected from the front cameras of automated vehicles (AVs) for operational purposes, but if personal data revealing health conditions or criminal offenses related to traffic or other violations are collected with personal identifiers, this is incompatible.
Article 6(4) (d) iterates assessing "possible consequences" on data subjects. Data controllers must assess both positive and negative impacts of certain data-processing activities on data subjects' rights and freedoms. 128 Data controllers must assess possible harmful "impacts" on data subjects' rights and freedoms concerning personal data processing. According to Alessandro Mantelero, data controllers in smart-city environments must conduct a broad data protection impact assessment (DPIA) based on human rights and social values which is acceptable even outside the EU. 129 A DPIA is necessary to identify (a) the direction of data flow and (b) its purposes. 130 Joint DPIAs in a smart city can reduce costs and solve problems early. 131 I suggest that data controllers conduct separate DPIAs on the IoT, artificial intelligence, and Big Data apprehensions. If one data controller processes health-related data while providing smart-city health services based on the data subject's consent, and the controller later discloses the data to other controllers and processes for reuse, subsequent reuses can be incompatible. To illustrate, a smart-city controller sells data to a pharmacy without obtaining further consent from the data subjects. Later on, the pharmacy utilizes the personal health data and offers those same data subjects relevant medicines at a competitive price, and is alleged also to have sold the health data to local insurance companies. Eventually, from those revelations, the health insurance company uncovers certain phenomena based on health conditions of data subjects who have a health insurance policy with the insurance company, resulting in the company increasing the annual premium. This use is incompatible.
125 ARTICLE 29 DATA PROTECTION WORKING PARTY, supra note 40 at 24. 126 Id. at 24.
Article 6(4) (e) suggests investigating whether data controllers provide appropriate "safeguards" to prevent negative impacts on data subjects and foster fair processing principles. 132 This may aid in making further processing compatible with the initial purposes. Data controllers must provide technical safeguards to the required extent for all personal data collected and further processed using technical means within the smart-city data-processing ecosystem, for instance, data minimization, privacy-enhancing technologies, prevention of profile-based discrimination, and others.
Analyzing the vignettes, if Atlanta, Chicago, or Chongqing city controllers collect data while providing smart-city services (such as public transport, video surveillance of public spaces, or audio recording from public places) and use the data for projecting crime, or for identifying criminal records, then the purposes are incompatible and therefore prohibited, as the purposes fail to meet the compatibility requirements. No link exists between the purposes related to providing public transport, on the one hand, and projecting crimes or identifying criminal records, on the other. The context is also surprising. Moreover, under the GDPR, criminal records receive additional protection under Article 10, and cannot be processed without the permission of lawful authorities. Negative consequences on the data subject are also high, as this interferes with related rights and freedoms such as the right to freedom of expression. Moreover, controllers also do not seem to provide safeguards to protect residents' data, but, rather, process these for incompatible purposes.
Further Processing for Testing Incompatibility Under Articles 5(1)(b) and 89 GDPR
Determining whether further processing for archiving in the public interest, historical, scientific, or statistical purposes is compatible with the initial purposes is tested in conjunction with Article 89, which outlines the conditions of processing for archiving purposes. Data controllers may compensate for further processing for these purposes by providing technical and organizational measures. 133 Article 89 (1) provides two technical measures scenarios for processing data for these purposes.
First, the measures may concern data minimization principles, 134 for example, pseudonymization and other minimization tools such as anonymization, partial anonymization, key coding, encryption, injecting noise, and so on. If the purpose can be achieved after minimizing the data, then data controllers must do it in that manner. 135 Second, if a personal data processing activity does not allow processing for achieving purposes without identifying data subjects, then data controllers must process in that manner or process nonpersonal data while pursuing public interest, scientific, historical research, or statistical purposes. In any case, identification is not allowed. However, data controllers may process heritage data with or without personal identifiers for historical research purposes or public interest purposes 136 since historical data usually have little impact on data subjects. This is a matter of case-by-case analysis. In addition, safeguards to data for these purposes may be provided by applying the so-called "functional separation" 137 principle.
Summing up, the application of data minimization tools depends on the required level of safeguards, and data controllers may process unidentified, partially identified, or identified personal data, 138 as necessary for complying with data-processing principles. 139 However, for processing data for archival purposes, controllers must adopt safeguards to minimize data.
Data controllers may process quantitative data from traffic video streaming to establish the number of accidents at a particular time for research or statistical purposes. Data controllers may encrypt and send personal data related to criminal offenses directly to law enforcement authorities, for public interest purposes. They may blur the number plates of vehicles while counting the number of vehicles plying the roads at a specific time to pursue statistical purposes, or detect a particular number plate for public interest purposes, and focus on a specific plate only when it is found from blurry analysis. Furthermore, they may apply all these purposes to Big Data purposes on the condition that no personal data are involved.
Because this provision of processing personal data for the public interest, historical, scientific, or statistical purposes is never a general authorization to process personal data, the requirements of purpose specification and processing personal data, based on all the data-processing principles and at least one legal ground, must be applied while carrying out further processing for any of these purposes. 140
Analyzing the vignettes once again, for archiving in the public interest, scientific, historical research, or statistical purposes, Italian and German cities are processing anonymous and aggregated data according to the rules. They are processing statistical data for controlling the COVID pandemic for public interest purposes. Application of appropriate safeguards forced the city controllers to process anonymous statistical data. Similarly, Atlanta, Chicago, and Chongqing may process data after providing the required level of technical and organizational measures to protect personal data, which includes deploying tools such as minimization and pseudonymization. They must eliminate personal identifiers or replace them with unidentifiable equivalents such as irrelevant names before processing for archival purposes. That brings their processing activities into contradiction with the principle. Nevertheless, city controllers are certainly allowed to count the total number of crimes and look into related statistics, but not before providing technical safeguards to protect the fundamental right of data protection under EU law without specific authorization from legitimate authorities.
The notion "functional separation" refers to the phenomenon when data are used without any "support measures or decisions" taken against data subjects unless authorized by them. Art. 29 DATA PROTECTION WORKING PARTY, supra note 15 at 30. 138 Id. at 30.
The further processing principle analyzes personal data-processing activities from a permissive approach under Article 8 (2)-(3) of the Charter. 141 Processing activities must be adhered to using transparent and fair data-processing practices. However, processing activities by data controllers can be controlled by exercising the data protection right under Article 8(1). 142 This allows smart-city data controllers to process only personal data that are necessary. Also, data controllers are accountable for ensuring compliance with the purpose limitation principle under Article 5(2).

Limitations of the Purpose Limitation Principle in a Smart City
The scope and application of Article 5 may be restricted through legislative acts by Union or Member State law to which concerned data controllers or processors are subject. 143 Such measures must safeguard the fundamental rights and freedoms of others and must be regarded as a necessary and proportionate measure in a democratic society to protect greater interests related to national security, defense, public security, and so on. 144 However, the formulators of such legislative measures must perform and incorporate all data controller responsibilities first. 145

Data That Are Processed in Smart-City Data-Processing Practices and Purpose Limitation
Both personal and nonpersonal data are processed in a smart-city data-processing infrastructure. The purpose limitation applies to smart-city data-processing practices as long as personal data processing takes place. 146 Article 4(1) GDPR refers to "personal data" as any information relating to identified or identifiable natural persons (data subjects). In clarifying the concept of an identifiable natural person, the Article outlines certain identifiers, that is, name, personal identification number, location data, and online identifier, as well as unique physical, physiological, genetic, mental, economic, cultural, or social identity factors that may be responsible for identifying natural persons. In addition, personal data includes "special categories of personal data," 147 which are often referred to as "sensitive data," 148 and other specially protected data related to "criminal offenses." 149 If a natural person is not identifiable directly or indirectly, then these are nonpersonal data.
A smart-city data-processing context may contain all the personal identifiers to qualify data as personal data according to the law. While providing city services, certain end-user applications process personal data related to name, online identifier, and other unique identification numbers. Sometimes giving an identification number can automatically retrieve a name and address. Again, autonomous vehicles and related transportation services use the location data of a particular user to operate. There are numerous ways to identify devices through identifying online identifiers, such as IP addresses of devices, network access points, global positioning navigation systems (GPNS), and others.
The GDPR outlines "special categories of personal data" or sensitive personal data. Sensitive personal data are those data that reveal "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, biometric data, health data, sex life or sexual orientation." 150 Providing health services to the elderly and other vulnerable groups using video-enabled services and their recording may constitute sensitive personal data. Also, enormous cameras and other sensors embedded in lighting poles, 151 drones, 152 and automated vehicles 153 may process sensitive personal data related to sexual orientation and particular health situations. Since smart-city technology advancement is rapidly moving toward impeccable identifiability, 154 datafication, and advanced data analytics, 155 it is possible to embed sensitive data identifiers, including biometric technologies such as facial recognition, into cameras to process biometric data, as they are becoming popular. 156 In addition, smart-city data controller(s) may process other sensitive personal data related to a "criminal offense." 157 Since data processing involves sensitive personal data such as health data recorded from end-user health applications, video streaming indicating health conditions, or criminal offenses recorded by drones, data controllers may need to rely on additional rules to be consistent with the initial purpose(s) that may go outside the GDPR. 158 For example, if data controllers process data for purposes relating to law enforcement, processing may attract the relevant provisions of the Law Enforcement Directive 159 to determine whether it is lawful or not. 
Similarly, if transparency in processing activity needs to be examined, then Article 29 Working Party guidelines on transparency under the GDPR apply 160 ; if guidelines on relevant aspects of automated vehicles and drones are needed, then Article 29 Working Party opinions on the cooperative intelligent transportation system 161 and the opinion on privacy and data protection issues relating to utilization of drones 162 consecutively may apply as additional rules. Furthermore, case law from the Court of Justice of the European Union (CJEU) and the ECtHR may be relevant.
If data subject identifiers are removed from personal data, sensitive personal data, or criminal offense data, then these may no longer be personal data, which the GDPR requires through its data minimization principle, a tool for providing appropriate safeguards. In addition, data controllers may prima facie collect and process nonpersonal data such as permanently fully minimized human data, nonpersonal video data, location data of vehicles and goods connected to the network, data related to a probable security breach, quantified metadata, and so on. However, minimized data may often be combined with a data profile based on personal identifiers, in which case it may become personal data again, for instance, for purposes relating to creating personalized profiles.
Thus, in short, smart-city data-processing practices may comprise personal and nonpersonal data. Personal data, to which alone the principle applies, may comprise special categories of personal data and criminal offense data. After filtering personal identifiers from all types of personal data using data minimization mechanisms, personal data may become nonpersonal data, in which case the principle and the GDPR do not apply. 163 However, if nonpersonal data are combined with a personal identifier using any automatic decision-making mechanism such as profiling, 164 then this becomes a case of personal data, and the principle applies again (Figure 1).
Applying knowledge to the cases, German and Italian cities are processing anonymous data that lie in the nonpersonal category of data within the city infrastructure. The purpose limitation principle does not apply here. However, if the anonymity of data is removed and personal identifiers are joined to the data, then the purpose limitation, as well as the GDPR, will apply again. In the cases of Atlanta and Chicago, they are processing personal data related to interactions on social media, location data, movement of individuals, and video data using technologies such as automatic number plate recognition, facial recognition, and others. Chongqing is also processing video data using FRT. Identifying different data types within the United States and China, the data belong to personal data, that is, data related to social media, video, and location; special categories of personal data, such as biometric data using FRT; and sensitive data, for example, related to criminal convictions and offenses. The purpose limitation applies in full in these situations. By applying data minimization mechanisms, controllers can make them nonpersonal data, when the principle does not apply, and vice versa. It must be noted that under the EU purpose limitation, processing special categories of data and sensitive data may require application of other specific laws that define norms in cooperation with the GDPR as mentioned earlier.
The preceding discussion helps us understand all the data types that may be involved in a smart-city data-processing ecosystem.

Different Purposes for Processing Personal Data Under the Purpose Limitation Principle in a Smart City
Based on legal provisions and previous studies, it can undoubtedly be said that data-processing purposes on behalf of data controller(s) are not limited to initial or primary purposes only, but further processing is allowed for other purposes in the smart-city ecosystem that allows personal data to be processed. In addition, further processing not related to the initial purposes of the principle allows data processing for other purposes: archival purposes in the public interest, scientific or historical research, or statistical purposes. 165 Personal data processing activities that fail to comply with the purpose limitation principle are impossible. That is why any exception in terms of not complying also has to be in line with the principle. Based on initial and subsequent data-processing practices, purposes are described by dividing them into two categories: i. primary purposes: when personal data are processed for initial purposes that are directly related to smart-city services, and ii. secondary purposes: when personal data are further processed to provide smart-city services indirectly and for pursuing purposes not related to smart-city services.

Primary Processing Purposes and The Purpose Limitation Principle in a Smart City
Primary processing purposes are those purposes that are directly related to smart-city services or data collection purposes. Smart cities are created to solve city-related problems more efficiently, and with that in mind, a city offers certain services based on processing personal data. Generally, the specified purposes related to the primary functions of the city or city services are easy to identify and personal data processing is conducted based on consent and contract, as availing of city services is one of the reasons why residents live in smart urbanized areas and supposedly already know the initial and further purposes of processing their data. City services that are related broadly to the areas of a smart city may include simplified transportation services, real-time available parking status, public place crowd monitoring, smart electricity supply, consumption tools for private and commercial usage, sophisticated law enforcement apprehensions through video-surveillance analytics, and health care and social services using remote services such as end-user applications. 166 To understand the types of data that are collected by data controllers and provided by data subjects, narrow consultation of primary purposes needs to be adhered to.
165 Christofi, Wauters, & Valcke, supra note 66.
In smart cities, it is common to have a mobile application through which city services, websites, public communications, and other relevant activities may be accessed. A user of that end-user application can book certain appointments and avail themselves of those services. The identification mechanism of data subjects may often involve using strong identification methods such as banking credentials, social security number, name, and address, or at least name and e-mail address for accessing the services embedded in the application.
In addition, while using smart transportation systems, parking facilities, and law enforcement services, 167 location data are highly relevant for detecting the position of the service seeker. 168 Using location data, residents' locations are identified. The end-user application for public transportation facilities may define routes automatically, like Google Maps, and may even receive pickup and drop-off commands from a user of autonomous vehicles. 169 Car drivers looking for parking places may search for vacant spots using the same or a similar application based on their location data. 170 Furthermore, people in vulnerable positions may request law-enforcement support by transmitting their location. Thus, location data, travel behavior, travel time, usual places of visit, frequency of visit, information about being victims, and related information may have been revealed that may be processed for secondary purposes. In addition, a user of smart electricity grids 171 may see real-time consumption rates and optimize consumption according to electricity prices. This may reveal the rate of consumption of a particular household, time of consumption, financial abilities, and related analysis that can be used further.
In a smart traffic management system, data are collected through video-surveillance cameras installed on automated vehicles, 172 lighting poles, and other public places. 173 Video data can contain specially protected personal data such as data from public places; lighting poles or AVs may record criminal offense data in a minimized or actual form, for instance, traffic law violations, public attacks, or anonymized sensitive data such as for wheelchair users and others. This trend may also apply when health services are provided using end-user applications: either by city application or by a different application connected to a smart city. Relevant health-sensitive data may be stored for future reference, complying with the purpose limitation principle to process for secondary purposes. Processing personal data for primary purposes is related to providing smart-city services. That is why I argue that the purpose of personal data processing for primary purposes is achieved immediately when a service is provided in exchange for personal data. The life cycle begins with residents' authorization for processing personal data each time they receive city services and the city network processes data. But upon achievement of purpose, the service demand is fulfilled, and controllers do not process personal data for primary purposes until service is sought again. However, the network or data controllers may not delete data to process data for further or secondary purposes. Figure 2 represents one personal data processing cycle for primary purposes.
Atlanta and Chicago are processing residents' location, movement, video, and vehicle number plates for different purposes, whereas Chongqing processes video data. In these cities, these data are relevant for purposes related to public transport and public security. The primary processing purpose is achieved at the moment the required services are delivered, and then city authorities may decide to preserve the data under the further processing doctrine of the principle for achieving secondary purposes, which may or may not relate to smart-city services. I analyze this next in context.

Secondary Processing Purposes and the Purpose Limitation Principle in a Smart City
Further Processing for Secondary Purposes May or May Not Be Related to Smart-City Processing Purposes
Data controllers in smart-city data-processing practices process personal data for further purposes, which I regard as being secondary purposes of processing (Figure 3). According to the principle, further processing may or may not be related to the initial purposes 174 for which the data are prima facie collected. This means secondary purposes include purposes indirectly related to or not related to primary purposes.

Examples of secondary purposes or further processing activities that are not incompatible with the primary purposes can be derived from the primary purposes themselves. Login credentials, daily travel routes, and payment information of a city user may be stored in the city public transport app for a certain time so that the user does not have to enter it multiple times every day, or the same login credentials may be used to log in to other related apps. Even after receiving an update of the app, the data may be processed automatically and stay the same until that period elapses. Again, based on someone's overall travel history, the app may offer discounts, day trips, or special services on a particular route. Moreover, the location data and travel time revealed may be used to provide public interest information, that is, information on probable air pollution situations in a particular area. Travel behavior data may be used to offer discounts on similar routes. Electricity consumption behavior may be used for suggesting off-peak times for consuming additional power to reduce the electricity bill. Health data may be stored for different doctors to understand the history of a patient, subject to restricted access, and so on. Moreover, knowing statistical records on how many passengers are commuting, accidents, energy optimization by electricity distributors, empirical data gathered on identifying the reasons for success and failure of certain services, market insights, and others are also examples of processing personal data for secondary purposes related to smart-city services.
In addition, personal data processing for purposes not related to city services may comprise processing personal data for pursuing the lawful business interests of data controllers 175 since benefits of inhabitants and businesses are a feature of a smart city. 176 But to what extent does business purpose limitation mandate business interests to pursue? Since purpose limitation is a permissive provision of the GDPR, businesses are allowed to process until processing is incompatible with the primary purposes. 177 That is why processing purposes not related to city services do not become incompatible with the initial purposes immediately. Certain factors such as link, context, nature, consequence, and so on, which were discussed earlier, need to be analyzed before determining whether the processing in question is incompatible or not. Thus, this is a matter of case-by-case analysis. 178 Furthermore, processing personal data for archiving purposes in the public interest, scientific research, historical research, or statistical purposes is not regarded as being incompatible with the initial purposes. 179 These purposes may start from city services, but these purposes may no longer be directly connected with primary or smart-city purposes. Rather, the purposes are considered to be not incompatible with city services on the condition that controllers provide appropriate safeguards through the data minimization principle. To illustrate, in a data marketplace, large-scale data and dynamic trade are carried out in exchange for the business value of data. 180 Data controllers perform profiling for selecting primary and personalized content and advertisements. 181 However, to what extent purpose limitation allows profiling in a smart-city context is the subject matter for another article.
Personal data processing for secondary purposes also has a life cycle (Figure 4). This means that there is a beginning and an end to processing while data controllers pursue secondary purposes in a smart-city context. The difference from primary purposes is that upon achievement of all secondary purposes, the personal identifier from the data must be deleted 182 to make this nonpersonal data to which the GDPR does not apply.
Analyzing the vignettes, after achieving their primary purposes, Atlanta, Chicago, and Chongqing can process personal data for achieving secondary purposes under the principle. The purposes may or may not be related to the primary city purposes for which the data was prima facie collected. Atlanta, Chicago, and Chongqing process data that once were collected for providing city-related services for projecting the time and place of crimes and identifying criminals. The cities can process the data initially collected for pursuing secondary purposes related to a city, that is, providing the same services again, or related services such as storing login data, using the same payment gateway for another city service, or providing updates to apps. But using data for secondary purposes not related to a smart city (such as using data for projecting crimes and identifying criminals) requires providing safeguards through data minimization mechanisms first, and allows the processing of nonpersonal data only. This makes processing of data by American and Chinese cities for crime-related purposes inconsistent with the principle.
"Purpose Limitation" and Primary and Secondary Processing Purposes Equilibrium in a Smart City The "purpose limitation" principle allows the data controllers of a smart city to process personal data for primary and secondary purposes. Processing for secondary purposes may not be delimited with achievement of primary purposes that are related solely to smart-city services; instead, processing continues over time until secondary lawful purposes are achieved. Figure 5 depicts the equilibrium among the "purpose-limitation principle," and primary and secondary processing purposes: Overall, personal data processing for primary and secondary purposes is distinct and can begin at the same time. Both processing activities can stop upon achievement of purposes of concern. Though processing based on primary or secondary purposes can begin at any time, it may not end at the same time. Personal data are deleted or identifiers are eliminated after secondary purposes have been achieved.
For a better understanding, hypothetically, each time fragment is considered to be the smallest time unit that can accommodate a single personal data processing activity. In Figure 5 the row with lighter color processing circles represents processing of personal data for primary purposes, and the darker colored row represents processing activities for secondary processing purposes. In this demonstration, processing personal data for both primary and secondary purposes can begin at the same time with separate life cycles since processing stops at its own pace; after the purposes are achieved, data are finally deleted or deidentified permanently by data controllers after fulfillment of secondary purposes. In the case of primary processing purposes, personal data are processed three times until "time 3," and then processing activity supposedly stops. For secondary processing purposes, processing may continue until "time 5" and beyond if lawful further secondary purposes are yet to be achieved. Secondary processing can even stop at an earlier time than primary purposes. For example, secondary purposes can be achieved and data may be deleted at "time 2" or "time 1" in a smart city's data-processing practice. In any case, in a smart city, purpose limitation does not allow repurposing or reusing personal data for unrestricted purposes. Rather, it allows restricted reuse of personal data within the limit of primary and secondary processing purposes.
Again analyzing the vignettes, the EU, the United States, and Chinese cities can begin processing personal data for primary and secondary purposes at the same time when data are processed for the first time in providing smart-city-related services. Pursuing secondary purposes no longer depends on the primary purposes until it is consistent with the purpose limitation principle, since they are separate. However, processing for primary or secondary purposes can end at any time after the beginning of the first processing, which, as we have seen, is a collection. All cities process data for primary purposes while providing smart-city-related services, and for secondary purposes while providing smart-city-related services or not. Italian and German cities process nonpersonal data for creating public awareness, public consensus, and motivation to control the COVID pandemic. The purpose limitation and theories related to primary and secondary purposes do not apply here. U.S. cities process ordinary, sensitive, and special categories of personal data to pursue primary purposes related to smart-city services. They also process personal data for secondary purposes to project the time and place of crimes, which the purpose limitation principle does not allow within its ambit. The same goes for the Chinese city of Chongqing. If we apply the GDPR principle to U.S. and Chinese practices, then such processing is only allowed after data are minimized, in the same manner as Italian and German cities are processing, where the GDPR does not apply.

Discussion
Purpose limitation strictly delimits the purposes of processing personal data in a smart-city ecosystem, thus protecting the fundamental right to personal data protection. It is a permissive provision of the GDPR. The flexibility offered within the law empowers data controllers of smart cities to process personal data and does not restrict the power of processing. Relying on this principle, data controllers in smart cities process personal data for different purposes. If controllers cannot rely on any purposes that the principle mandates for processing personal data, then they must refrain from that processing.
To understand the purpose limitation properly, it is important to understand its relationship with the right to personal data protection. Since that right is a fundamental right, directly enforceable by the law, everyone is bound to respect the right to personal data protection in the EU. No one is allowed to do anything that can violate a natural person's right to the protection of their data. The purpose limitation serves as one of the most powerful tools for ensuring the protection of the right. It is the most important data-processing principle of all. That is why processing personal data without compliance with the principle is impossible.
The principle outlines the ways and means relying on which controllers can process personal data. Specific components such as purpose specification and compatibility enhance the elasticity of the principle, which accommodates certain authorizations, or flexibilities in terms of processing personal data. These purposes may start from city services, but they may no longer directly be connected with city services. The componential elasticity empowers and defines the limit of processing. Beyond that limit, processing is inconsistent with the GDPR, and so attracts hefty fines and other redresses accordingly.
The principle applies to smart-city processing activities when controllers process residents' data. The principle even may bring in other sector-specific laws under its minimum requirement of relying on all the principles and at least one of the legal bases. For example, while applying to special categories of personal data, or sensitive data related to criminal offenses, the principle can bring in other relevant laws under Articles 9(4) and 10 GDPR, which respectively provide special protection in such cases. The principle encourages controllers to minimize data using minimization tools. If controllers minimize data in compliance with it, the principle ceases to apply as it does not apply to nonpersonal data. However, if controllers add personal identifiers to nonpersonal data, then the principle applies again in full.
The principle offers greater flexibility to maintain the interests of data subjects as well as controllers. Cities usually protect the interests of their residents. But smart cities are more complicated than traditional cities because, unlike traditional city authorities, smart cities involve private and public authorities who process personal data. Public municipal authorities usually depend on private companies to conduct and maintain technology-based data-processing infrastructures. That is why the principle applies to any authority that processes inhabitants' data. This phenomenon raises some valid questions. For example, in the case of privacy violations, can city authorities be made solely responsible as they are the ones who authorize and facilitate private companies to process personal data in response to city services? Also, since private companies are profit driven, can they use their legitimate interests of doing business as a lawful basis for processing data under Article 6(1)(f) GDPR in a smart-city infrastructure? To illustrate, in a data marketplace, large-scale data and dynamic trade are carried out in exchange for the business value of data. 183 Data controllers perform profiling in selecting primary and personalized content and advertisements. 184 But to what extent does purpose limitation allow profiling in a smart-city context? To what extent are private controllers free to formulate purposes under the principle? Is additional authorization required from the municipal authorities? These are subject matters for future research. For now, it is relevant that under the principle, controllers do not enjoy "carte blanche" to do anything they like or to deploy any technologies they choose in the smart-city environment.
Certain technologies, such as FRT, are banned from smart-city environments. Deployment of FRT or biometrics may be subject to special legal regulation by default in addition to purpose limitation, as this violates the international privacy standards outlined in the International Covenant on Civil and Political Rights (ICCPR) disproportionately. 185 London banned FRT following public outrage and data protection authority intervention, 186 and San Francisco banned FRT 187 for building trust within communities, 188 arguing that FRT fosters unauthorized disclosure, identifies anonymized data, and reduces human autonomy in general. 189 All these factors violate purpose limitation.
183 Van Landuyt et al., supra note 103 at 284.
184 De and Imine, supra note 181.
185 Keegan, supra note 97.
Overall, the purpose limitation principle has created what is a permitted paradigm, not what can be done in the context of a smart city. It empowers data processing while protecting privacy in a controlled manner. It authorizes city controllers to process residents' data in the first instance. There is no problem in processing data for primary and secondary purposes as long as the purposes serve residents' interests. Processing must comply with purpose specification and compatibility requirements. If the purpose does not meet compatibility requirements, then controllers must minimize the data to make it nonpersonal data before processing it. Then the principle does not apply, and vice versa. Though the principle needs to develop more, its existing status protects privacy in the context of smart cities.
Analyzing the vignettes, the principle allows cities in the EU to process personal data under the GDPR. Analyzing the U.S. and Chinese cities from the same perspective, the principle allows Atlanta, Chicago, and Chongqing to process data for providing smart-city-related services. It further allows German and Italian cities to process anonymized data, as it does not apply there. However, it does not permit Atlanta and Chicago to process data for AI-based projections about the time and place of crimes or Chongqing to process data for identifying criminals or criminal records, as these are not compatible with the initial purposes. However, the U.S. and Chinese cities can pursue related purposes after minimizing the data, when the principle does not apply.

Conclusions
A smart-city data-processing ecosystem may deploy advanced technologies related to the Internet of Things, artificial intelligence, high-speed communication technologies, Big Data analytics, and others. To make technologies functional, data controllers of a smart city may process a huge amount of personal and nonpersonal data. The processing of personal data triggers the application of data protection regulatory frameworks that protect natural persons' right to the protection of their data.
Personal data involve human data subjects whose personal data are protected as a fundamental right by Article 8 of the Charter and the GDPR. Data controllers must process data according to all the data-processing principles outlined in Article 5(1) GDPR. Being supposedly the most important principle, the purpose limitation requires that the data controllers of a smart city must process personal data after maintaining two building blocks:
i. data controllers must specify the initial purposes for processing personal data;
ii. data controllers must conduct the "incompatibility test" with the specified initial purposes if they process personal data further.
186 Id. Gandy and Nemorin, supra note 187 at 1247. 189 Id. at 1247.
While complying with purpose specification requirements, the principle further obliges data controllers to apply all the data-processing principles outlined in Article 5(1) GDPR and rely on one of the lawful grounds "in accordance with law" before collecting or starting personal data processing.
The purpose limitation principle derived from European data protection law, the GDPR, serves as a tool for controlling unauthorized processing of personal data. 190 It imposes certain obligations 191 on smart-city controllers to respect privacy rights and freedoms 192 before processing personal data 193 backed by hefty fines. 194 The permissive provision of further processing mandates data controllers to continue further processing as long as further processing purposes are not incompatible with the initial data collection purposes. Moreover, the principle only applies to personal data processing activities in a smart city when personal data can be identified directly or indirectly. Smart-city data controllers may process personal data related to smart-city services directly for primary purposes, and they may process personal data for secondary purposes that may have an indirect relation or no relation to primary purposes.
The principle applies to all processing activities that involve processing personal data. Processing nonpersonal data presents no problem since it is free from the human data subject. Different components of the principle explain the different purposes that city controllers are permitted to pursue and achieve. The purposes may or may not be directly related to smart-city services. Controllers cannot pursue any purpose beyond the limit.
Protection is important, as data compromise can inflict considerable harm on individuals and societies. That is why it is important in every democracy to protect personal data, which will eventually eradicate uncertainties concerning present and future human opportunities. Protecting personal data aids public safety 195 by preserving privacy from harm, 196 the new human right to the city and rights in the city, 197 human dignity, 198 legal certainty, 199 nondiscrimination, sustainability, democracy, proportionality, 200 and social justice. 201 It saves unnecessary costs concerning cybercrime, prevents damage to the integrity and reputation of humans, and restores trust in e-services. 202
To conclude, several future research options suggest themselves. Future research may focus on researching data controller freedom for formulating purposes, controller interests that the principle approves, and liabilities of public and private controllers in smart cities, as well as purposes that require additional authorization in the context of smart cities.