The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it becomes applicable in the spring of 2018.
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling the personal data of individuals in the EU to undertake major operational reform.
This is the fifth in a series of articles addressing the top 10 operational impacts of the GDPR.
The GDPR restricts “profiling” and gives data subjects significant rights to avoid profiling-based decisions
Since the Directive was implemented nearly 20 years ago, technologies have proliferated that allow data controllers to gather personal data and analyze it for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions such as target marketing, price differentiation, and the like. Although the concepts of “profiling” or “target marketing” appear in the Directive, the precise terms do not. In its sweeping efforts to define and enhance data subjects’ rights to control their personal data, the GDPR contains many restrictions on automated data processing – and decisions based upon such processing – to the extent they can be characterized as profiling.
Definition of profiling
A hotly contested provision of the GDPR, the “profiling” restrictions ultimately adopted were narrower than initially proposed.
Under Article 4(4), data processing may be characterized as “profiling” when it involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
This definition implicitly excludes data processing that is not “automated.”
Further elaboration of this definition may be found in the Recitals, where the GDPR establishes its jurisdiction over non-EU controllers provided they are “monitoring the behaviour of [EU] data subjects as far as their behaviour takes place within the European Union.” Processing activity involves data subject “monitoring” when “individuals are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” This language suggests that profiling is not equivalent to tracking, but instead is something more, involving the intention to take decisions regarding a data subject or to predict the subject’s behaviours and preferences.
That “profiling” requires some sort of an outcome or action resulting from the data processing is underscored by the data subject’s rights to be informed of the “consequences” of profiling decisions as discussed in Recitals 60 and 63. Articles 13 and 15, which address information to be provided a data subject upon personal data collection and upon the data subject’s request, both require disclosure of “the existence of automated decision making including profiling” along with “the significance and the envisaged consequences of such processing for the data subject.”
Elsewhere in the Recitals, data subjects are given the right to object to processing for direct marketing as well as to “profiling to the extent it is related to direct marketing,” further underscoring that profiling is not direct marketing per se but instead is something more.
Finally, Recital 91 describes the obligation to conduct a data protection impact assessment and characterizes the “profiling of data” as follows: “A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data.”
Accordingly, taking all of the definitions and discussions of “profiling” together, they seem to consistently require not simply the gathering of personal data involving personal aspects of natural persons, but the automated processing of such data for the purpose of making decisions about the data subjects.
Controllers must honor data subjects’ rights regarding profiling
Data subjects are entitled under the GDPR to a number of rights with regard to profiling. Some of these, like notice and access, require procedures similar to those for non-profiling data processing; others, like the right to object, to halt the profiling, and to avoid profiling-based decisions, will require special attention and dedicated compliance processes.
Restrictions on profiling-based decisions producing legal effects
Pursuant to Article 22(1) of the GDPR, data subjects have a right not necessarily to avoid profiling itself (i.e. automated processing of personal data for the purpose of making a decision), but rather to avoid being “subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Recital 71 provides as examples the “automatic refusal of an on-line credit application or e-recruiting practices without any human intervention.”
Article 22(2) clarifies that the decision may nonetheless be made provided it is (a) necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) authorized by Union or member state law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) based on the data subject's explicit consent. Suitable safeguards may include anonymization or pseudonymization as components of profiling-based activities.
In the case of a decision made pursuant to a contract with the data subject or his or her explicit consent, Article 22(3) requires the controller to implement suitable safeguards, including at least the data subject’s right to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision.
When data is transferred pursuant to Binding Corporate Rules, such BCRs must specify “the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22.”
Article 22(4) provides that profiling-based decisions shall not be based on special categories of personal data (e.g. racial, ethnic, or religious information) unless (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where prohibited by Union law or member state law; or (b) processing is necessary for reasons of substantial public interest, on the basis of Union or member state law. Even in these circumstances, described more fully in Article 9(2)(a) and (g), the controller must still ensure “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.” Presumably the European Data Protection Board will provide additional guidance on the circumstances under which profiling-based decisions are permissible for special categories of personal data.
For all permissible profiling, Recital 71 compels a controller to use appropriate mathematical or statistical procedures, implement technical and organisational measures to correct personal data inaccuracies and avoid errors, secure all personal data, and minimize the risk of “discriminatory effects against natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, or sexual orientation.”
Notice and access
In the case of profiling decisions subject to Article 22, Article 13 provides that the controller must inform a data subject at the time data is collected not only of the fact that profiling will occur, but also of “meaningful information about the logic involved” and “the envisaged consequences of such processing.” Under Article 15, a data subject may also inquire of a controller and receive confirmation of any such processing, including profiling and its consequences, at any time.
Processing must cease upon data subject’s objection
Even when profiling is otherwise lawful, a data subject has the right to object at any time. Pursuant to Article 21(1), upon the data subject’s objection to profiling that is otherwise authorized under Article 6(1)(e) (public interest or official authority) or Article 6(1)(f) (legitimate interests), the processing must cease unless the controller demonstrates “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.”
When processing is for direct marketing purposes, including profiling, the data subject similarly has a right to object but in this case processing must cease and the controller is not authorized to continue under any circumstances.
Data protection impact assessments for controllers engaged in profiling
One of the triggers requiring a data protection impact assessment under Article 35(3)(a) is when a controller engages in “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual.” Parsing this language once again demonstrates that “profiling” involves more than merely automated processing, and that profiling may or may not involve decisions that produce legal effects or similarly significantly affect an individual; but, when it does, the data subject is entitled to many additional rights and remedies.
Controllers will undoubtedly be seeking additional guidance from the European Data Protection Board to determine what automated data processing activities fall within the definition of profiling, and what profiling activities may fall outside the purview of Article 22. Data subjects, on the other hand, will benefit from a broader interpretation of profiling activities in order to be able to avoid profiling-based decisions – even those to which they have given prior explicit consent.