The Article 29 Working Party (WP29) has issued draft guidelines (Guidelines) to clarify the provisions of Article 22 of the General Data Protection Regulation (GDPR) which deals with automated decision-making and profiling of personal data relating to individuals.
The Guidelines seek to break down the meaning of Article 22 of the GDPR and provide a set of best practice recommendations for organisations to consider when using these types of processing on the personal data of individuals.
Article 22 of the GDPR provides that individuals have a "right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."
Some key insights and best practice recommendations from the Guidelines are the following:
The WP29 considers that the GDPR imposes a general prohibition on fully automated decision-making (including profiling) which either: (a) produces "legal effects" concerning individuals; or (b) "similarly significantly affects" individuals. The WP29 provides that this prohibition exists to reflect the potentially adverse effects of these types of processing on data subjects and acknowledges that there are exceptions to this general rule under the GDPR. It is worth noting that while the WP29 considers there to be a general prohibition on fully automated decision-making, there is some debate as to whether this is a correct interpretation. Nonetheless, this is the WP29's view at this time.
There are three ways in which an individual's personal data can be profiled by organisations: (a) general profiling; (b) decision-making based on profiling (i.e. a presence of human intervention/involvement); and (c) solely automated decision-making including profiling (i.e. use of an algorithm and no presence of human intervention/involvement).
"Legal Effects" or "Similarly Significant Effects":
For processing to produce "legal effects" concerning an individual, it must impact an individual by affecting his/her rights (e.g. under a contract) or his/her legal status. For processing to "similarly significantly affect" an individual, the processing does not necessarily need to produce a legal effect but it may greatly influence an individual's circumstances, behaviour or choices and/or exclude or discriminate against an individual.
Individuals have a right to request human intervention where a decision is made solely by automated means. The WP29 provides that "human intervention" must be meaningful to an individual and carried out by someone with authority to actually change or influence the decision made solely by automated means.
Organisations should clearly inform individuals about the rationale for (or the criteria behind) carrying out automated decision-making (including profiling). The WP29 states that information provided does not have to go as far as giving details of the algorithm used (if any), rather it must simply be meaningful to individuals to help them understand the logic.
The WP29 recommends that organisations should not rely on the exceptions to the general rule to justify the processing of personal data relating to children. It states that if it is necessary to make automated decisions in relation to children's personal data (for example, in order to protect their welfare), then organisations must ensure that appropriate safeguards are in place to protect the rights, freedoms and legitimate interests of children and their personal data.
While each type of profiling may potentially give organisations an opportunity to offer tailored products, services and experiences to individuals and/or improve business processes, the WP29 highlights that there is a risk that these types of processing may produce unintended results for individuals (e.g. a restriction on the choices available to an individual).
On this basis, the WP29 highlights that it is key for organisations using these methods of processing to implement appropriate safeguards to protect the rights, freedoms and legitimate interests of individuals. The WP29 reiterates the mandatory requirement for organisations to comply with the GDPR's principle of accountability, to conduct data protection impact assessments and protect against the processing of personal data which results in any unjustified treatment or consequences for individuals.