The Article 29 Working Party adopted an advice paper on profiling on 13 May 2013. Aware of the increasing use of profiling and of the power that the online world (Internet, technology, mobile apps, big data, etc.) has to enhance it, the 29WP considers that it is time to properly define profiling and set the limits for its use in order to “mitigate the various risks (as far as data protection and privacy is concerned) that profiling can pose”.
Definition of profiling
The 29WP feels the need to include a definition of profiling in the General Data Protection Regulation and suggests the following:
“Profiling” means any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person’s health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements.
Establishing boundaries on profiling
In the opinion of the 29WP, article 20 of the Data Protection Regulation should be improved by including “additional elements in order to provide for a balanced approach on profiling and mitigate the risks for data subjects” by the following means:
- More transparency
Data subjects should be provided with further information, namely:
- Acknowledging that their data will be used for the purpose of profiling and the creation of profiles;
- Knowing the purposes for which the profiling is carried out;
- Understanding the underlying criterion in the automatic processing.
- Increase the data subject's control
Explicit consent from the data subject should be the legal ground that legitimises data processing for the purpose of profiling.
Additionally, the following rights should be given to data subjects:
- Right to access the profile;
- Right to modify or to delete the profile;
- Right to refuse any measure or decision based on the profile;
- Right to have any measure or decision reconsidered (with the safeguard of human intervention).
- Require more responsibility and accountability from the controllers
The 29WP considers profiling a risky processing operation (as far as the rights and freedoms of data subjects are concerned) and therefore the controller (or the processor) should, under the terms and conditions foreseen in article 33 of the European Data Protection Regulation, carry out a prior data protection impact assessment.
Within such an impact assessment, the Article 29 Working Party considers that the controller should adopt safeguards such as:
- data protection friendly technologies;
- standard default settings (particularly in the online world);
- specific measures for data minimization (comprising anonymization or pseudonymization);
- data security;
- human intervention (in defined cases).
- Balanced approach
Despite the above set of limits on profiling, the 29WP recognizes that profiling requires a balanced view, which opens the door to a case-by-case analysis, depending on the effects (which could be positive or negative and of a different nature) “and the degree of intrusiveness of a specific processing type or measures on data subjects”.
With this in mind, the 29WP holds that the data subject's right not to be subject to a measure based on profiling (in accordance with article 20 of the European Data Protection Regulation) should only apply when profiling “significantly affects” data subjects.
When does profiling significantly affect data subjects?
That is a question to be answered, in the 29WP's opinion, “by the European Data Protection Board, which should be empowered to issue guidelines on the interpretation and application of article 20 in specific processing contexts”.
Profiling: a step forwards or backwards?
I would say that the European Data Protection Authorities are carefully taking a step-by-step approach as far as profiling is concerned. While it is not necessarily negative, we still can’t say whether or not we are heading in the right direction because it is far from being clear and over. We will have to wait for the guidelines and see in which cases profiling will be considered to “significantly affect” data subjects.