“Personal data is the new oil of the Internet and the new currency of the digital world.”

- Meglena Kuneva, European Consumer Commissioner, March 2009

Personal data reserves play an increasingly significant role in modern businesses; it has even been suggested that personal data has developed into a new asset class (World Economic Forum, 2011).

In consumer businesses the use of personal data for profiling purposes has become increasingly popular. Although in ideal situations both the consumer and the marketer benefit from profiling, privacy concerns related to the practice have spurred discussion. The main concern centers on consumers’ ignorance of the use of their personal data for profiling purposes.

What is profiling?

In the context of marketing, profiling usually involves an automatic data processing technique that applies a “profile” to an individual, specifically for analyzing or predicting her/his personal preferences, behaviors and attitudes.

Companies may profile consumers with the aim of targeting marketing messages and services ever more precisely to buyer preferences. Profiling is particularly easy to carry out in the online environment, where consumers may be tracked and categorized based on factors such as browsing behavior (cookies, “likes” and clicks) or purchasing habits.

How is profiling regulated in EU countries?

In cases where profiling is conducted using identifiable personal information, general legislation governing the processing of personal data applies (e.g. national legislation implementing EU Data Protection Directive 95/46/EC). However, no specific rules regarding the profiling of personal data have yet been introduced at the EU level.

Profiling has, however, been subject to national regulatory guidelines, domestic and international recommendations, and self-regulation guidelines. The aforementioned regulations and guidelines may lead to contradictory interpretations of the prerequisites for profiling, and practices may consequently vary among different European Union Member States. Moreover, EU harmonization has yet to be effectively achieved. For example, the so-called EU ‘Cookie Directive’ (2009/136/EC) has in practice not unified cookie usage requirements in EU Member States.

For profiling to be implemented for marketing purposes, EU legislation may require the consumer’s consent (i) for the use of cookies, (ii) for the processing of personal data used in profiling and (iii) for (electronic) direct marketing. The minimum requirement involves informing consumers about the profiling.

EU Regulation Proposal – restrictions on profiling and increased demand for privacy compliance?

The rules regarding profiling may, in the near future, become subject to harmonization in the EU if the European Commission’s proposal for the new General Data Protection Regulation (Brussels 25.1.2012 COM (2012) 11 final 2012/0011(COD)) is promulgated. In its current form the proposal contains a separate article on profiling, which may, if enacted, impose additional conditions on companies wishing to profile customers.

Businesses are attentively tracking the progress of the regulation – especially since the current proposal encompasses new concepts such as the “right to be forgotten”, the duty to appoint Data Privacy Officers as well as a significant tightening of the sanctions for privacy breaches. The fines for non-compliance may increase to up to 2 percent of a company’s annual worldwide turnover.

Balancing competing interests

Harmonization is especially important for companies which provide transnational consumer services. On the other hand, one model of regulation may not be equally applicable across the board. For example, the rules suitable for social media will not necessarily be relevant to other services and areas such as insurance and credit services. An excessively inflexible Regulation may impede the online operations of companies in Europe.

Additionally, from a consumer’s perspective, the Regulation should not hamper the user’s experience of online services by introducing disruptions such as continuous consent requests. This would run counter to the aims of the proposed Regulation, which include facilitating company operations and enhancing consumer trust in electronic services.

It remains to be seen how these interests will be reconciled in the new General Data Protection Regulation and how companies will re-evaluate their data processing practices to comply with the new Regulation. The current proposal is that the Data Protection Regulation would enter into force in May 2014, followed by a two-year transition period.