The coordinated collection of different forms of personal data has made it possible for organisations to profile individuals using computer algorithms which can analyse, determine and even predict behaviour, interest and habits. As the volume of data collected on individuals (“data subjects”) continues to increase, due in large part to the proliferation of mobile devices, profiling is becoming an ever more pressing issue for data protection law to address especially as it often takes place without the individual’s knowledge.
On 13 May 2013, the Article 29 Working Party (“AWP”), an independent advisory body that represents data protection authorities in the European Union (“EU”), recommended that the EU’s proposed General Data Protection Regulation (the “Regulation”) should include a definition of ‘profiling’ together with additional provisions to protect data subjects, echoing the recommendations made by Rapporteur Jan Albrecht in the amendments he proposed to the Regulation in January 2013. The AWP’s new proposals re-iterate concerns raised in a previous opinion (Opinion 01/2012) on the issue published early last year
The definition of profiling
The AWP believes that the Regulation should include a definition of profiling, and proposes the following wording be inserted into Article 4 of the Regulation:
“Profiling” means any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person’s health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements.”
Recommended new provisions relating to profiling
In addition to creating the above new definition, the AWP suggests that Article 20 of the Regulation (which addresses profiling and provides data subjects with the right not to be profiled) should be broadened to create greater certainty and increase the protection afforded to data subjects. The specific measures recommended by the AWP are as follows:
Greater transparency and control for data subjects: building on an existing recommendation from the Council of Europe (CoE Recommendation CM/Rec(2010)13, para B4), data controllers should provide data subjects with much more detailed information about how data will be used in the context of profiling.
The AWP also emphasises the importance of obtaining explicit user consent when processing data for profiling (a requirement already within the Regulation) and provides a reminder that data subjects should have rights of access and deletion, and the ability to refuse profiling.
- More responsibility and accountability of data controllers: suitable measures should be taken to safeguard data subjects, including through the use of data protection impact assessments, data protection friendly technologies and default settings, and greater obligations and incentives for data controllers to anonymise or pseudonymise data collection in order to minimise the amount of personal data collected.
- A balanced approach to profiling and the role of the EU Data Protection Board (“EDPB”): the Regulation should affect profiling measures only to the extent they significantly impact on a data subject’s rights, interests or freedoms. Measures relating to profiling should also consider the interests of data controllers, and involve an analysis of actual and potential impacts of profiling technology. All of this should be done by the EDPB (a single body which will oversee all EU national data protection authorities under the new regime), which should also be able to issue further guidance on the interpretation and application of Article 20.
The AWP’s proposals are advisory only and there is no guarantee that either the definition or the new provisions will be included in the final Regulation. However, because the AWP is made up of representatives of each EU national data protection authority its views are highly persuasive. The fact that the AWP’s proposals regarding profiling echo the recommendations made by Rapporteur Jan Albrecht also increases the likelihood that they will be incorporated into the final Regulation. Even if the proposals are not enacted, they indicate how seriously EU national data protection authorities regard the issue of profiling. Furthermore, the existing rights of data subjects under the Regulation, together with obligations of data controllers, should go some way towards allowing national authorities to enforce restrictions on profiling under the new regime.