recent work

Data Profiling to be regulated

The Article 29 working party, the independent European advisory body on data protection and privacy set up under Article 29 of the Data Protection Directive has adopted an advice note entitled, “Advice paper on essential elements of a definition and a provision on profiling within the EU General Data Protection Regulation” which seeks to find a practical middle ground between the European Commission’s current proposal for a Data Protection Regulation and the proposals of the European Parliament. The advice note sets out the following:
1. Data Profiling is to be defined – the following definition is suggested:
“Profiling” means any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person’s health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements.”

2. Profiling per-se rather than the outcome of the profiling activity is to be regulated i.e. the very act of profiling regardless of whether the results of the profile has any impact on a data subject will fall within the regulatory scope.

3. Data subjects to be given greater control over profiling activities including:

  • The granting of explicit consent being the legitimate grounds for processing by a data controller;
  • A data controller having to describe what information is used for profiling, the purposes of profiling activities, and the logic involved in automated profiling;
  • The data subject having the right to access, modify, and delete any profile information attributed to them;
  • The data subject having the right to refuse any decision based on profiling information and/or have any such decisions reviewed by human intervention.

4. Data Controllers will be required to take more responsibility and accountability for profiling and to ensure suitable measures are in place to safeguard the data subject’s rights and freedoms such as the use of data protection friendly technologies, structured privacy impact assessments, appropriate default values, data minimization, data security, and where appropriate anonymization or pseudonymization.
The advice note finishes suggesting that a balanced view needs to be taken in respect of regulating profiling activities: a balance between upholding the rights of individuals, and the interests of data controllers, and suggests that there are both positive and negative impacts of data profiling.

Tags: , ,