The EU data protection watchdog, Article 29 Working Party (Art. 29 WP), has issued the Advice paper on essential elements of a definition and a provision on profiling within the EU General Data Protection Regulation. The document underlines the significance of creating profiles based on interlinked personal data, especially given the latest developments in geo location and Big Data. The Art. 29 WP argues that more must be done to explain and mitigate the various profiling risks, a sentiment expressed before in its Opinion from January 2012. The new advice paper suggests a number of amendments to the draft Data Protection Regulation (Regulation) in order to ensure it adequately deals with this issue.
The Working Party agreed with the Rapporteur Jan Albrecht that a comprehensive definition of profiling should be included in Article 4. Its proposed definition based on the Council of Europe Recommendation on profiling, covers “any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person.” The Art. 29 WP wants profiling tackled at a much earlier stage than that set out in the proposed Regulation, by regulating the collection of data for the purpose of profiling and the creation of profiles as such. It advocates introducing specific requirements for lawful profiling, such as requiring information to be provided about the context and purpose of profiling and the logic used for automatic processing. The Art. 29 WP also calls for individuals being entitled to modify or delete profile information and to refuse any measure or decision based on profiling, with special safeguards being adopted by data controllers such as use of protection friendly technologies and data minimization.
The proposed changes would impose additional burdens on many data controllers, especially those involved in credit rating, social networking, or targeted advertising. The Art. 29 WP suggested a balanced approach, where the requirements vary depending on the actual effects of profiling, for instance, applying the additional requirements only when profiling has a significant effect on the interests, rights or freedoms of an individual. Unless comprehensive guidelines are provided, such approach could result in significant uncertainty for data controllers.