iapp-privacycore
PrivacyCore_ad_300x250-01
CS17_Banner_300x250-COPY
Top 10 operational impacts of the GDPR: Part 5 - Profiling

The new General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.

Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.

With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.

This is the fifth in a series of articles addressing the top 10 operational impacts of the GDPR.

The GDPR restricts “profiling” and gives data subjects significant rights to avoid profiling-based decisions

Since the Directive was implemented nearly 20 years ago, technologies have proliferated that allow data controllers to gather personal data and analyze it for a variety of purposes, including drawing conclusions about data subjects and potentially taking action in response to those conclusions such as target marketing, price differentiation, and the like. Although the concepts of “profiling” or “target marketing” appear in the Directive, the precise terms do not. In its sweeping efforts to define and enhance data subjects’ rights to control their personal data, the GDPR contains many restrictions on automated data processing – and decisions based upon such processing – to the extent they can be characterized as profiling.

Definition of profiling

A hotly contested provision of the GDPR, the “profiling” restrictions ultimately adopted were narrower than initially proposed.

Under Article 4(4), data processing may be characterized as “profiling” when it involves (a) automated processing of personal data; and (b) using that personal data to evaluate certain personal aspects relating to a natural person. Specific examples include analyzing or predicting “aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

This definition implicitly excludes data processing that is not “automated.”

Further elaboration of this definition may be found in the Recitals, where the GDPR establishes its jurisdiction over non-EU controllers provided they are “monitoring the behaviour of [EU] data subjects as far as their behaviour takes places within the European Union.” Processing activity involves data subject “monitoring” when “individuals are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” This definition suggests that profiling is not equivalent to tracking, but instead is something more, involving the intention to take decisions regarding a data subject or predict the subject’s behaviors and preferences.

That “profiling” requires some sort of an outcome or action resulting from the data processing is underscored by the data subject’s rights to be informed of the “consequences” of profiling decisions as discussed in Recitals 60 and 63. Articles 13 and 15, which address information to be provided a data subject upon personal data collection and upon the data subject’s request, both require disclosure of “the existence of automated decision making including profiling” along with “the significance and the envisaged consequences of such processing for the data subject.”

Elsewhere in the Recitals, data subjects are given the right to object to processing for direct marketing as well as to “profiling to the extent it is related to direct marketing,” further underscoring that profiling is not direct marketing per se but instead is something more.

Finally, Recital 91 describes the obligation to conduct a data impact assessment and characterizes the “profiling of data” as follows: “A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data.”

Accordingly, taking all of the definitions and discussions of “profiling” together, they seem to consistently require not simply the gathering of personal data involving personal aspects of natural persons, but the automated processing of such data for the purpose of making decisions about the data subjects.

Controllers must honor data subjects’ rights regarding profiling

Data subjects are entitled under the GDPR to a number of rights with regard to profiling, some of which – like notice and access – require procedures similar to non-profiling data processing, but others of which – like the right to object, halt the profiling, and avoid profiling-based decisions – will require special attention and processes for compliance.

Restrictions on profiling-based decisions producing legal effects

Pursuant to Article 22(1) of the GDPR, data subjects have a right not necessarily to avoid profiling itself (e.g. automated processing of personal data for the purpose of making a decision), but rather to avoid being “subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Recital 58 provides as examples the “automatic refusal of an on-line credit application or e-recruiting practices without any human intervention.”

Article 22(2) clarifies that the decision may nonetheless be made provided it is (a) necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) authorized by Union or member state law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) based on the data subject's explicit consent. Suitable safeguards may include anonymization or pseudonymization as components of profiling-based activities.

In the case of a decision made pursuant to a contract with the data subject or his explicit consent, the controller must still allow the data subject to contest the decision under Article 22(3).

When data is transferred pursuant to Binding Corporate Rules, such BCRs must specify “the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22.”

Article 22(4) provides that profiling-based decisions shall not be based on special categories of personal data (e.g. racial, ethnic, or religious information) unless (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where prohibited by Union law or member state law; or (b) processing is necessary for reasons of substantial public interest, on the basis of Union or member state law. Even in these circumstances, described more fully in Article 9(2)(a) and (g), the controller must still ensure “suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.” Presumably the European Data Protection Board will provide additional guidance on the circumstances under which profiling-based decisions are permissible for special categories of personal data.

For all permissible profiling, Recital 71 compels a controller to use appropriate mathematical or statistical procedures, implement technical and organisational measures to correct personal data inaccuracies and avoid errors, secure all personal data, and minimize the risk of “discriminatory effects against natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, or sexual orientation.”

Notice and access

In the case of profiling decisions subject to Article 22, Article 13 provides that the controller must inform a data subject at the time data is collected not only of the fact that profiling will occur, but as well “the logic involved” and “the envisaged consequences of such processing.” Under Article 14, a data subject may also inquire of a controller and receive confirmation of any such processing, including profiling and its consequences, at any time.

Processing must cease upon data subject’s objection

Even when profiling is otherwise lawful, a data subject has the right to object at any time. Pursuant to Article 19, upon the data subject’s objection to profiling that is otherwise authorized under Article 6, the processing must cease unless the controller demonstrates “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.”

When processing is for direct marketing purposes, including profiling, the data subject similarly has a right to object but in this case processing must cease and the controller is not authorized to continue under any circumstances.

Data impact assessments for controllers engaged in profiling

One of the triggers requiring a data impact assessment is when a controller engages in “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual.” Parsing this language once again demonstrates that “profiling” involves more than merely automated processing, and that profiling may or may not involve decisions that produce legal effects or significantly affect an individual, but, when it does, the data subject is entitled to many additional rights and remedies.

Conclusion

Controllers will undoubtedly be seeking additional guidance from the European Data Protection Board to determine what automated data processing activities fall within the definition of profiling, and what profiling activities may fall outside the purview of Article 22. Data subjects, on the other hand, will benefit from a broader interpretation of profiling activities in order to be able to avoid profiling-based decisions – even those to which they have given prior explicit consent.

Photo credit: Egyptian via photopin (license)

Written By

Rita Heimes, CIPP/US

2 Comments

If you want to comment on this post, you need to login.

  • Lewis Barr Jan 22, 2016

    Excellent article, Rita. Thank you.
  • Lifan Shiu Apr 18, 2016

    How will companies comply to the right to object to profiling? Do you need to give the visitor a clear and noticable option on your website to object to profiling? Or is it enough to describe it in the privacy statement that the visitor can object for profiling by filling out a contact form or send an email?
    
    Even if you, as business, complies how would we make this technically possible? 
     - Is Google Analytics data categorized as profiling? I would assume not if you mask the IP address of all the visitors.
     - How would you delete certain data from FaceBook retargetting, Google retargetting, etc.? Since I'm almost certain that it is now not possible to delete/ block certain records from FaceBook, Google, etc.
     - How would the right to forget even work  with the above situation. That would be even harder to make it happen.
     - What if you have multiple website (corporate, business and several retail branch websites) and a visitor makes use of his/ her right to object to profiling/ erasure of one of the sites. Do you need to not profile them of / delete their records from all of your websites?
    
    I'm sorry that I have a lot of questions even though the rules/ law/ regulation/ directive is quite clear, the "how" is very unclear.

Related

Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

CIPP/E + CIPM = DPO

The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds and unparalleled programs—plus a whole new spin on Active Learning!

Canada Privacy Symposium 2017

The Symposium returns to Toronto! Take advantage of Early Bird rates before March 31 and join your fellow privacy pros for a stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is SOLD OUT and the wait list is closed. If you got on the wait list, we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»