The Data Protection Working Party (WP 29) adopted an advice paper on the essential elements of a definition and a provision on profiling within the upcoming EU General Data Protection Regulation (Regulation) on 13 May 2013.
According to the paper, the act of ‘profiling’ refers to the connecting and linking of personal data with the aim of creating a broader and more predictable understanding – a platform – of one’s personality, with a specific emphasis on behaviour, preferences, and habits. Profiling might often be done without data subjects’ knowledge and with insufficient transparency, while both the Internet and a range of new technical devices continue to expand the already widespread and ever more versatile possibilities for linking personal data.
In light of the potential uncertainty that profiling can cast upon the basic right to data protection, WP 29 calls for increased measures to mitigate possible risks. WP 29 therefore proposes that the anticipated Regulation include the following essential elements for a definition and provision on profiling.
First, WP 29 considers that the Regulation should include a definition of profiling in its Article 4, and proposes the following definition:
‘Profiling’ means any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person’s health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements.
Second, WP 29 has taken the view that Article 20 of the Regulation, which addresses measures based on profiling, should be improved to better protect the rights of data subjects and increase legal certainty in the context of profiling.
Article 20, whose current wording concentrates on the mere outcome of profiling, such as usage and further processing of personal data, should in addition focus on and establish legal requirements for the actual collection of data for profiling purposes, i.e. the creation of profiles as such.
In the view of WP 29, Article 20 should also provide greater transparency and more individual control for data subjects. This could be achieved by setting further information requirements for data controllers, underlining the importance of data subjects’ explicit consent as a legal basis for the processing of data in profiling, and providing data subjects with the right to access, modify, and delete any profile information related to them. Data subjects should also have the right to refuse any decision made on the basis of such information and request reconsideration with the safeguard of human intervention. Data controllers, for their part, should bear a greater degree of responsibility and accountability, determined by the assessed impact of their data processing.