Profiling and automated individual decision-making in accordance with Regulation (EU) 2016/679 (Part 1)
Technologies, AI, social networks and generally the accessibility of personal data on the Internet have made it easier to establish correlations and connections, which would define and predict one’s personal and behavioural aspects, his/her interests and habits. Banking and finance, healthcare, insurance, marketing and advertisements are just a few examples of the areas, where profiling is increasingly conducted in support of decision-making.
Profiling and automated decision-making have plenty of commercial applications, however they can generate significant risks to the rights and freedoms of natural persons.
Profiling can “lock” an individual into a specific category and limit him to his predicted preferences. Thus, his freedom could be undermined, for example, the freedom to choose certain products or services such as books, music or information channels. In some cases, profiling may lead to inaccurate predictions. In other cases, it could lead to a refusal of services and goods, and to unjustified discrimination.
Regulation (EU) 2016/679 (GDPR) introduces new provisions to address the risks, following from profiling and automated decision-making. The current article aims to clarify these provisions, as it is entirely based on the guidelines, presented by the Data Protection Working Party as per Article 29, established in accordance with Article 29 of Directive 95/46/EC. The full text of the guidelines can be found at WP 251, rev.1
Article 4 (4) of the GDPR defines profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
Profiling consists of three elements:
– it must be an automated form of processing;
– it must be conducted with personal data; and
– the purpose of profiling should be to evaluate personal aspects, related to a natural person;
The process of profiling functions by creating extracted or deducted data on individuals – “new” personal data, that is not provided directly from the data subjects. Profiling is frequently exploited to make predictions about people by using data from various sources with the aim of drawing a conclusion about an individual, based on the qualities of others, who look statistically similar.
As per GDPR profiling means automated processing of personal data to evaluate certain personal aspects, in particular to analyse or predict aspects relating to a natural person. The usage of the word “evaluate” implies that profiling includes some form of evaluation or assessment of an individual.
The simple classification of individuals, based on familiar characteristics such as age, gender and height does not necessarily lead to profiling. This would depend on the purpose of the classification. For example, an enterprise may wish to classify its customers by age or gender for statistical purposes and to gain a general idea of them, without making predictions or drawing conclusions regarding a particular person. In this case, the purpose is not to evaluate individual characteristics or to perform profiling.
In general terms, profiling means collecting information about an individual (or a group of individuals) and evaluating his characteristics or behavioural models, in order to be classified in a certain category or a group, more specifically with the aim of analysing and/or predicting for example:
– his capability to perform a specific task;
– his interests; or
– his likely behaviour.
- Automated decision-making
The application of the automated decision-making is different and could partially cover or result from profiling. The fully automated decision-making represents the ability of making decisions with technological tools without human interference.
Automated decisions can be made with or without profiling, profiling can be conducted without making automated decisions.
For example, imposing speeding fines solely based on evidence from speed cameras is an automated decision-making process, which does not necessarily involve profiling.
However, the decisions made would turn into decisions based on profiling if the driving habits of an individual are being monitored over time and if, for example, the amount of the imposed fine is determined due to an assessment, which includes other factors, such as whether the speeding represents a repeated infringement or whether the driver has recently committed other violations of traffic rules.
- How are the concepts presented in the GDPR
Profiling can be potentially used in three ways:
- general profiling;
- decision-making based profiling; and
- solely automated decision-making, including profiling, which produces legal effects or similarly significantly affects the data subject (Article 22 (1)).
The difference between points 2 and 3 can be demonstrated most appropriately by the two following examples where an individual applies for a loan online:
– a human decides whether to agree the loan based on a profile produced by purely automated means (point 2);
– an algorithm decides whether the loan is agreed and the decision is automatically delivered to the individual, without any prior and meaningful assessment by a human (point 3).
Controllers can carry out profiling and automated decision-making as long as they can meet all the principles and have a lawful basis for the processing. Below shall be discussed the GDPR provisions in cases of profiling and automated decision-making, which involve decision making processes, that are not fully automated. The specific provisions, which relate only to fully automated individual decision-making, including profiling as defined in Article 22 (1), provide for additional safeguards and restrictions and shall be discussed additionally in Part 2.
- General provisions regarding profiling and automated decision-making
1. Lawful bases for processing
Consent (Article 6 (1) (a))
Controllers seeking to rely upon consent as a basis for profiling will need to show that data subjects understand exactly what they are consenting to, and remember that consent is not always an appropriate basis for the processing. In all cases, data subjects should have enough relevant information about the envisaged use and consequences of the processing to ensure that any consent they provide represents an informed choice.
Contract (Article 6 (1) (b))
Controllers may wish to use profiling and automated decision-making for a number of reasons – related to optimization, for example. This itself is not sufficient in order to demonstrate that this type of processing is required for the execution of a contract as per Article 6 (1) (b).
In the example below – the profiling does not meet the ground for profiling as per Article 6 (1) (b).
A customer buys items from an online retailer. In order to execute the contract, the retailer must process the customer’s credit card data for payment purposes and his address information, in order to deliver the goods. The execution of the contract does not depend on the creation of a profile of the preferences and the choice of the customer regarding his lifestyle, based on his visits to the website. Even if the small font of the contract explicitly indicates profiling, this fact itself does not make profiling “necessary” for the execution of the contract.
Compliance with a legal obligation (Article 6 (1)(c))
This may be the case, when there is a legal obligation to conduct profiling – for example, with the aim of preventing fraud or money laundering.
Vital interests (Article 6 (1) (d))
This concerns situations, where processing is a must in order to protect an interest of paramount importance to the data subject’s life or of another individual. Such examples may include profiling, which is required for the development of models for predicting the spread of life-threatening diseases or in cases of urgent humanitarian situations.
The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (1) (e))
Article 6(1) (e) might be an appropriate basis for public sector profiling in certain circumstances. The task or function must have a clear basis in law.
For the purposes of the legitimate interests pursued by the controller or by a third party (Article 6 (1) (f))
Profiling is allowed if it is necessary for the purposes of the legitimate interests, pursued by the controller or by a third party. Despite that, Article 6 (1) (f) does not automatically apply just because there is a present legitimate interest of the controller or of a third party. The controller should carry out balancing exercise, in order to evaluate whether the interests or fundamental rights and freedoms of the data subject have precedence over his interests.
Special categories of personal data (Article 9)
Profiling can create special category data by inference from data which is not special category data in its own right but becomes so when combined with other data. For example, it may be possible to infer someone’s state of health from the records of their food shopping combined with data on the quality and energy content of foods.
If sensitive preferences and characteristics can be derived from profiling, the controller should ensure that:
– the processing is not incompatible with the original purpose;
– has identified a lawful basis for the processing of the special category data; and
– has informed the data subject of the processing.
2. Rights of the data subject
The GDPR introduces stronger rights for data subjects and creates new obligations for controllers.
Right of information (Articles 13 and 14)
In accordance with the general principle of transparency, enshrined in the GDPR, the controllers should ensure that they explain clearly and simply to the natural persons how the process of profiling or automated decision-making is carried out.
More specifically, when the processing includes decision-making, based on profiling ( whether or not it is in the scope of the provisions of Article 22), the data subject must be clearly indicated the fact that the processing is for the purposes of both (a) profiling and (b) making a decision based on the profile generated.
The data subject has the right to be informed by the controller and in some circumstances has the right to object to the “profiling”, despite that a fully automated decision-making, based on profiling, is being conducted.
Right of access (Article 15)
The data subject has the right to receive details for the personal data used for profiling, including the categories of personal data, which are used to create an profile. In addition to the general processing information, as per Article 15 (3) the controller is obliged to provide the personal data, used for the creation of the profile, as well as to provide access to profile information and details in what segments is the data subject placed.
Right to rectification, right to erasure and right to restriction of processing (Article 16, Article 17 and Article 18)
Profiling may include a prediction element, which increases the risk of inaccuracies. It is possible that the data used is inaccurate or inappropriate, or it is taken out of its context. It is possible that there is a problem with the algorithm, which is used to establishing correlations.
The right to rectification must be applied, for example, when a natural person is placed in a category, that indicates something about his capability to perform a specific task and this profile is based on incorrect information. Natural persons may want to dispute the accuracy of the personal data used and any groups or categories, in which they are placed.
The right to rectification and the right to erasure should apply to both the “input personal data” (personal data used to create the profile) and the “output” data (the profile itself or the “points”, which the individual has received).
Article 16 also features the right of the data subject to have his personal data completed with additional information.
The computer system of a local surgery clinic places an individual in the group most likely to suffer from a heart disease. This ‘’profile’’ is not necessarily inaccurate, even if the individual himself never develops a heart disease. The profile simply indicates that the individual is more likely to develop such a disease. This may be factually true from a statistical point of view. However, keeping in mind the purpose of the processing, the data subject is entitled to provide additional information. In the above scenario, this additional information may be based, for example, on a more sophisticated medical computer system (and statistical model), while taking into account additional reported data and the implementation of a more detailed overview in comparison with the already conducted one in the local clinic, which has more limited opportunities.
The right to restriction of processing (Article 18) applies to every stage of the profiling process.
The right to object (Article 21)
The controller shall explicitly bring to the attention of the data subject their right to object in accordance with Article 21 (1) and (2) and shall present it clearly and separately from any other information (Article 21 (4)).
As per Article 21 (1) the data subject shall have the right to object to the processing of personal data, on grounds relating to his or her particular situation. The controllers are explicitly obliged to ensure this right in any cases, in which the processing is based on Article 6 (1) (e) or (f).
Article 21 (2) provides the unconditional right of the data subject to object to processing of personal data concerning him or her for the purposes of direct marketing, which includes profiling as long as it is connected to direct marketing. This means that there is no need to balance interests; the controller shall respect the wishes of the individual without questioning the reasons for the objection. Recital 70 provides an additional context for this right, as it states that it may be exercised free of charge at any time.
The current article presents a summarized and synthesized version the guidelines, presented by the Data Protection Working Party as per Article 29 – an independent European advisory body on the protection of personal data and individuals’ privacy, regarding the profiling and the automated decision-making in accordance with Regulation (EU) 2016/679.
Without pretending to be all exhaustive, we hope that the current article will be of use to you.
190 total views, 2 views today