The Article 29 Data Protection Working Party (WP29) has published draft guidelines on automated individual decision-making and profiling under the General Data Protection Regulation (GDPR).
What is automated decision-making and profiling?
Profiling is a form of automated processing of personal data used to evaluate individuals' personal aspects, such as analysing or predicting matters relating to individuals. WP29 clarifies that whilst profiling has to involve some form of automated processing, it does not necessarily preclude human involvement in the process.
Automated decision-making is the ability to make decisions by technological means without human involvement. Automated decisions can be based on any type of data, including:
- data provided directly by the individuals concerned;
- data observed about the individuals (such as location data collected via an application); and
- derived or inferred data, including information based on a profile which has already been created.
Profiling and automated decision-making often overlap: a simple automated decision-making process can become one based on profiling. For example, a speeding fine imposed on the basis of speed camera evidence can become a decision based on profiling where the individual's driving habits have been monitored over time.
Specific provisions: decisions based "solely" on automated processing
Article 22 of the GDPR provides that "the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her".
- Decisions based "solely" on automated processing: Article 22 refers to decisions "based solely" on automated processing without involving human intervention in the decision process. The WP29 states in the guidelines that, in order for an activity to qualify as human intervention, this should be meaningful, meaning that it should be carried out by an individual who has the authority and competence to change the decision considering all the available input and output data.
- "Legal effects" or "similarly significant effects": "Legal effects" constitute processing activities that have an impact on an individual's legal rights or affect a person's legal status or their rights under a contract. An example includes the refusal of entry at a national border. A decision-making process producing an effect of equivalent magnitude or similar significance to a "legal effect" also falls within the scope of Article 22 (where, for example, an individual receives an automatic refusal of an online credit application).
Exceptions from the prohibition
Individuals should not be subjected to decisions based solely on automated processing, including profiling, unless:
- there is a necessity for the performance of a contract or for entering into a contract;
- it is authorised by EU or national law to which the data controller is subject and which lays down suitable measures to protect the data subjects' legitimate interests, rights and freedoms; or
- the automated decision-making processing is based on the explicit consent of the data subject.
The WP29 clarifies that necessity for the purpose of performing a contract or entering into a contract is interpreted narrowly, and organisations must show that it is not possible to use less intrusive means to achieve the same goal. "Explicit consent" is not defined in the GDPR, but will be addressed in further consent guidelines expected in due course. The GDPR, however, suggests that explicit consent must be confirmed by an express statement (rather than some other affirmative action).
Safeguards and transparency
The WP29 recommends that when assessing the risk and interference with data subjects' rights as a result of automated decision-making, based solely on automated processing, including profiling, data controllers should be mindful of their transparency obligations under Articles 13, 14 and 15 of the GDPR.
These include the need to inform data subjects that the controller is carrying out this type of activity and to explain its significance and consequences. Data subjects must have the right to request a review of the decision (including an analysis of all relevant data), which should be conducted by a person with sufficient authority and competence to change the decision.
General provisions for profiling and automated decision-making
The WP29 clarifies how the data protection principles apply to profiling and automated decision making. Controllers should take account of the following areas:
- Transparency, lawfulness and fairness: Controllers must provide concise, transparent, intelligible and easily accessible information about processing activities and ensure that they have a lawful basis for such processing (such as consent, legitimate interest or necessity for compliance with a legal obligation).
- Further processing and purpose limitation: Profiling which involves the use of personal data originally collected for other purposes should be compatible with those purposes. Compatibility will depend on the factors set out in Article 6(4) (including the nature of the data and the impact of the data processing on the data subjects).
- Data minimisation and storage limitation: The business opportunities created by profiling can encourage organisations to collect more data and store this data for lengthy periods of time. Controllers should be able to clearly explain and justify the need for doing so and implement clear retention periods for profiles created.
- Accuracy and individuals' rights: Controllers should ensure that data used in automated decision making and/or profiling is accurate and put in place robust measures to verify on an ongoing basis that such data is up to date. Individuals' rights under the GDPR also apply within the context of profiling and automated decision-making (such as the right to data access).
Children and profiling
Solely automated decision-making, including profiling, should not apply to children (Recital 71 of the GDPR), but the WP29 does not consider this an absolute prohibition as it is not included in the main text of the GDPR. There may be circumstances where controllers need to carry out processing involving children (such as to protect their welfare). In those circumstances, controllers should comply with Article 22 and implement safeguards appropriate to children.
Data Protection Impact Assessments (DPIAs)
The GDPR highlights the need for controllers to assess and address the risks involved in profiling and decisions that are based on automated decision-making through carrying out DPIAs (Article 35(3)). The WP29 considers that this provision extends to decisions not wholly taken by automated means which have legal or similarly significant effects. For more information on the WP29's draft guidelines on DPIAs, see our update.
The guidelines provide helpful clarification on automated decision-making and profiling under the GDPR and offer practical guidance on the new requirements in different scenarios. Organisations can submit comments on the guidelines until 28 November 2017 and should act early to ensure compliance with the GDPR by the time it comes into force.