When the European Union's data protection authorities last month released their draft guidelines interpreting the General Data Protection Regulation's sections on profiling and automated decision-making, one of their claims in particular raised some eyebrows.
According to the Article 29 Working Party, the body through which the regulators coordinate their approaches, the GDPR prohibits purely automated decision-making that includes profiling, with limited exceptions involving explicit consent or a contract between the data subject and controller.
The thing is, that doesn't seem to be what the GDPR itself says. And, according to at least two leading privacy lawyers, the WP29's interpretation could hit a variety of sectors — from education to housing — with problems that weren't envisaged by the legislators who came up with the regulation.
For one thing, the WP29's stated interpretation could effectively outlaw the practice of automated differential pricing in online commerce, said Eduardo Ustaran, the leader of Hogan Lovells' European privacy and information management practice.
"I think that regarding Article 22(1) as an outright prohibition is not entirely in line with the risk-based approach of the GDPR," said Ustaran, who warned of "considerable uncertainty" for industry in a recent article on the subject.
"The WP29 stance on this would appear to be different from that of the [U.K.] ICO who talk about it very much in the context of a right that may be exercised by a data subject and a right that doesn’t apply if certain exceptions are in place, as opposed to the data controller not being able to do the activity in the first place unless the exceptions are there," said Elle Todd, the head of digital and data at CMS London.
Here's what Article 22(1) says:
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
And here's what the WP29 said in its draft guidelines:
Article 22(1) acts as a prohibition on solely automated individual decision-making, including profiling with legal or similarly significant effects. Instead of the data subject having to actively object to the processing, the controller can only carry out the processing if one of the three exceptions covered in Article 22(2) applies.
"The key issue is that the provisions dealing with automated decision-making are in 'Chapter III – Rights of the data subject.' All of the articles in that chapter are expressed as rights of individuals which can be exercised under certain circumstances and conditions," Ustaran told The Privacy Advisor. "This chapter is a key pillar of the GDPR, of course, but its overall aim is to give people control of their data, not to place prohibitions on what controllers or processors may do with such data."
Ustaran pointed out that there are parts of the GDPR that do provide flat-out prohibitions or restrictions, with language that leaves no doubt about that being the intent.
Article 6, for example, states that the processing of personal data "shall be lawful only if and to the extent that" certain conditions apply. Article 9, which deals with the processing of special categories of personal data, says that the processing of data "revealing racial or ethnic origin, political opinions" and so on, "shall be prohibited."
As the WP29 noted in its draft guidelines, the GDPR does not define the "legal" or "similarly significant" effects to which it refers in Article 22(1). The regulators said that a legal effect "suggests a processing activity that has an impact on someone’s legal rights, such as the freedom to associate with others, vote in an election, or take legal action," while a similarly significant effect would refer to situations where "the data subjects could still be impacted sufficiently to require the protections under this provision.
"The decision must have the potential to significantly influence the circumstances, behaviour or choices of the individuals concerned," the working party said, before turning specifically to the issue of online advertising and marketing.
Even if advertisers' and marketers' processing of personal data wouldn't normally have much of an impact on most people, the WP29 suggested, it could have a "significant effect" on minority groups or vulnerable adults, thereby triggering the prohibition.
The guidelines raised the example of "someone in financial difficulties who is regularly shown adverts for online gambling" — if they sign up as a result and "potentially incur further debt," the prohibition may apply. "Automated decision-making that results in differential pricing could also have a significant effect if, for example, prohibitively high prices effectively bar someone from certain goods or services," the WP29 added.
Ustaran said, "If that is the case, such practices would be rendered unlawful by default and the only way to overcome that unlawfulness would be to obtain the prior explicit consent of the consumer — which is a very unrealistic proposition."
According to Ustaran and Todd, the WP29's guidelines on automated decision-making could have a broad impact as presently phrased.
"There is a fundamental difference between a right that can be exercised and a default prohibition. This has very wide-reaching consequences for companies in many different sectors and it is critical that this is clarified and addressed in the final guidance," said Todd.
"In my view, the key sectors affected by this will be those that are more significant to people's lives, such as education, finances, health or housing. Given the role of profiling in decision making for providers of these services, they will need to keep a close eye on their practices," Ustaran said. "I also think that this would affect differential pricing practices, which would effectively be prohibited."
Todd added that this wasn't the only area of concern in the WP29's draft guidelines. "The suggestion that all demographic segmentation constitutes profiling that an individual could object to will catch a huge number of activities and be extremely difficult for companies to apply a simple technical solution to in the context of existing database architecture," she said.
[Image caption: The Article 29 Working Party's interpretation of the article in question.]
The regulators took comments from the public until Nov. 28.
The Privacy Advisor repeatedly asked the working party for its response to the concerns over the last couple of weeks, but had not received any comment at the time of writing.