Guidelines on Profiling and Automated Individual Decision Making
Article 29 Working Party issues much anticipated guidance on automated decision making under the GDPR.
The Article 29 Working Party (WP29) has published draft guidance on the activities of profiling and automated individual decision-making (Guidance) in light of the incoming General Data Protection Regulation (GDPR).
The Guidance clarifies the differences between profiling and automated individual decision-making, and highlights the WP29’s view that such activities have the potential to have a significant impact on individuals.
The Guidance sets out that an activity constitutes profiling when personal data is processed in an autonomous manner with the ultimate objective of evaluating personal aspects of an individual.
In other words, profiling will occur when information about an individual or group (e.g. behavioural patterns) is analysed or processed in such a way that it allows them to be placed in certain categories which serve as the basis for judgements or predictions to be made about them, such as their personal preferences or interests.
Profiling has the potential to work as a powerful tool benefiting both organisations – by increasing efficiencies and saving costs – and individual data subjects – who gain access to more bespoke services thanks to the deeper insights the profiling process yields about them.
Nevertheless, the WP29 emphasises the high risk that profiling activities pose to the rights of the data subject, especially the risk of having their sensitive data unknowingly exposed or revealed as a consequence of the profiling process.
Automated decision-making is distinct from profiling in that it is not restricted to purely personal data. Furthermore, automated decision-making must be solely autonomous – any and all decisions or conclusions must be reached without human involvement.
The Guidance acknowledges that automated decision-making has the potential to overlap with profiling in respect of the data-sets processed but also states that an activity which starts as automated decision-making may convert into profiling depending ultimately on the use of the data gathered.
Article 22 prohibition?
The Guidance claims that the right given to individuals in the GDPR not to be subject to automated decision-making is a complete prohibition, and that such decision-making should therefore only take place under one of the available exceptions: performance of a contract, authorised under law or explicit consent.
The Article 22 “prohibition” only applies to automated decision-making and profiling which “produces legal effects concerning an individual or similarly significantly affects the individual.” If adopting the view taken in the Guidance that Article 22 is indeed a prohibition, data controllers will find themselves having to try to determine whether the decision produces such “significant” effects.
The Guidance describes such significant effects as being “more than trivial” and “worthy of attention”, and as effects that “have the potential to significantly influence the circumstances, behaviour or choices of the individuals concerned”.
Best practice for Profiling and Automated Decision-Making
The final part of the Guidance contains provisions for best practice when processing personal data using automated decision-making or profiling techniques.
In addition to upholding the rights set out under the GDPR, WP29 prescribes that data controllers adopt a system of transparency and fairness, ensuring that they are open with data-subjects as to how and why their personal data will be processed. Any information or results gleaned from the profiling or automated decision-making should not be used to jeopardise their rights.
The distinction between automated decision-making and profiling can be unclear and the Guidance only goes some way in applying the GDPR to practical examples.
Furthermore, interpreting Article 22 as a prohibition leaves data controllers with few practical options for carrying out these activities without explicit consent. The Guidance, however, remains in draft form and further clarifications may be made before it is adopted.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.