Getting to know the GDPR, Part 5: Your big data analytics and profiling activities may be seriously curtailed
Profiling is one of the provisions of the General Data Protection Regulation (the “GDPR”) that will have the most significant impact on businesses. Given the broad scope of the law (both geographically and materially) and the definition it gives to ‘profiling’, most businesses will be concerned by these provisions.
What does the law require today?
Currently, there is no legal definition of ‘profiling’ under European data protection law. The Directive 95/46/EC refers to ‘automated individual decisions’ without explicitly mentioning the word ‘profiling’.
Article 15 of the Directive grants “the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.”, unless such decision is:
- taken in the course of entering into or performance of a contract; or
- authorized by a law.
What will the General Data Protection Regulation (GDPR) require?
Definition of ‘profiling’:
‘Profiling’ is now clearly defined under article 4 of the GDPR as “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
‘Profiling’ is composed of three elements:
- it has to be an automated form of processing;
- it has to be carried out on personal data; and
- the purpose of the profiling must be to evaluate personal aspects about a natural person.
The “monitoring of an individual’s behaviour” is further explained under Recital 21 of the GDPR:
“In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” [Emphasis added]
Territorial scope of the GDPR:
The scope of the GDPR is broader than the current Directive 95/46/EC because it will apply not only to controllers who are established in the EU, but also to controllers who are not established in the EU “where the processing activities are related to (…) the monitoring of their behaviour as far as their behaviour takes place within the European Union.” [Emphasis added] (Article 3 of the GDPR).
As a result, companies that are based outside the EU but are nonetheless processing personal data about EU residents in the context of profiling activities will be subject to the GDPR and, consequently, will have to comply with the rules on automated decision-making. This will have the effect of levelling the scope of the GDPR to most companies that carry out marketing activities in Europe, regardless of whether they are established within or outside Europe.
Material scope of the GDPR:
Article 20 of the GDPR sets out three criteria which may trigger the provisions on automated processing of personal data, namely:
- a decision has to be made about an individual;
- which has a legal effect for that individual or significantly affects him or her; and
- this decision must be based solely on automated processing.
If those three criteria are met, “the data subject shall have the right not to be subject to a decision (…) based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her” (article 20, GDPR). The right “not to be subject” to automated decisions is generally interpreted as the right to object to such processing.
Where a decision is made about one or several individuals which either produces a legal effect for those individuals, or significantly affects them, such automated processing is nonetheless permitted if such decision is:
- authorized by a law or regulation within a Member State to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights; or
- necessary for entering into (or performing) a contract between the data subject and the controller; or
- based on the data subject’s explicit consent.
Where the profiling is based on a contractual relationship with the data subject or the data subject’s explicit consent, the controller must implement “suitable measures” to safeguard the rights of the individuals. In particular, the controller must allow for human intervention and the right for individuals to express their point of view, to obtain further information about the decision that has been reached on the basis of this automated processing, and the right to contest this decision.
Data controllers must also inform individuals specifically about “the existence of automated decision making including profiling and information concerning the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject” (Article 14(a) of the GDPR).
Finally, the GDPR prohibits explicitly the use of an individual’s sensitive personal data for automated decision-making purposes, unless:
- that individual has given his/her explicit consent (except where a law provides that such prohibition cannot be lifted by the individual’s consent); or
- such automated decisions are necessary for reasons of public interest;
and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
What are the practical implications?
Article 20 of the GDPR lays out similar restrictions on automated decision-making to those that currently exist under article 15 of the Directive 95/46/EC. However, the GDPR does make several important changes, including:
- a specific definition for the term ‘profiling’;
- explicit consent as a new legal basis for profiling activities;
- a prohibition to profile individuals based on their sensitive data (unless explicit consent is obtained); and
- an obligation to inform the data subjects specifically about any profiling activities.
Companies will therefore have to assess whether their intended profiling activities produce any legal effects or significantly affect the individuals concerned as this will determine whether such activities are subject to article 20 of the GDPR. Regrettably, the GDPR does not explain what constitutes a “legal effect” or “significantly affects” the individual, and therefore, the interpretation of these concepts is likely to vary between EU Member States, depending on the national data protection authority or the national court reviewing the controller’s profiling activities.
Companies will then need to ensure that their profiling activities have a legal basis: 1/ the existence of a law authorizing such processing; 2/ the necessity of such processing to execute or perform a contract with the data subject; or 3/ the data subject’s prior consent.
Once companies have assessed whether their profiling activities are lawful, they must ensure that they have implemented appropriate measures to guarantee that individuals can exercise their rights (in particular, the right not to be subject to a decision based solely on automated processing). This may be done, for example, by applying data minimisation and pseudonymisation techniques that are aimed at minimizing the risk of affecting the privacy of individuals, and by carrying out privacy impact assessments prior to conducting their profiling activities, particularly if there is a risk of discrimination, identity theft or fraud, financial loss, damage to reputation, or other adverse effects for individuals.
Non-compliance with the provisions of the GDPR on individuals’ rights, the basic data protection principles and the lawfulness of the processing (including consent) is punishable by a fine of up to EUR 20,000,000, or in case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
By Olivier Proust, Of Counsel (firstname.lastname@example.org)