GDPR – Profiling – A Quick Overview

Although the 1995 Data Protection Directive included the right for people not to be subject to decisions based solely on automatic processing of data, the term “Profiling” was not legally defined.

“Profiling” makes an appearance twenty three times in the new General Data Protection Regulation (GDPR) and its importance is no doubt a response to the advances in Big Data Predictive Analysis.

Article 4 defines “profiling” thusly:

(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Three key elements are contained herein:

1) Automated processing.

2) Personal data.

3) Evaluation.

Recital 24 fleshes out for us the notion of ‘Evaluation”:

(24) In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

We can note from this profiling is more than simply tracking, as the data is used to “take decisions” based on predictive behavioral analysis.

But what sort of decisions are of concern to us?

Article 22 (Paragraph 2):

1.   The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Decisions leading to “legal effects” or “significant affect” are pertinent here. For example: “such as automatic refusal of an online credit application or e-recruiting practices” (Recital 71).

We can also deduce from this there is not necessarily a right to opt-out of profiling itself, but only to avoid decisions based on the same. There is however the “right to object” as specified in other areas of the regulation. This right is particularly enshrined in the realm of direct marketing:

Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information. (Recital 70).

There are circumstances in which profiling is acceptable as laid out in Article 22:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c) is based on the data subject’s explicit consent.

The Data Subject has rights in this regard, such as the right to be informed of – and the consequences of – profiling (Recital 60). Interestingly, also: “the logic involved in any automatic personal data processing”. (Recital 63).

The Data subject also has the right to: “obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.” (Recital 71)

It’s worth noting Article 22 prohibits profiling based on special categories of personal data referred to in Article 9(1) except in special circumstances.

There are also obligations on the Data Controller – Including:

In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions. (Recital 71).

Recital 91 advises carrying out data protection impact assessments for: large-scale processing operations, new technologies, sensitive and special categories of personal data (Biometric, criminal convictions) or when “the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract”.

Obviously I haven’t covered every nuance, but hope this gives you a general flavour of profiling in the GDPR.