Who: Article 29 Working Party
When: 13 May 2013
Where: Brussels
Law stated as at: 13 May 2013
What happened:
The Article 29 Working Party adopted an Advice Paper providing specific comments on the proposed changes in the draft Data Protection Regulation (the Regulation) relating to profiling of individuals (Article 20) and providing comments on suggested changes proposed by the Albrecht report, which includes comments from the LIBE Committee. The Paper proposes the following:
(a) a clear definition of profiling, to be defined as “any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person’s health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements”;
(b) additional rules should only apply where profiling significantly affects the interests, rights or freedoms of individuals. If Article 20 does not apply then the lawfulness of processing should be assessed under other provisions of the Regulation;
(c) the European Protection Board should issue guidance on the meaning of Article 20 and the term “significantly affects”;
(d) Controllers should notify individuals of profiling, the logic involved in any automated processing and the purposes of the profiling;
(e) Controllers should anonymise or pseudonymise data when profiling;
(f) Controllers should adopt “the usage of privacy friendly technologies and standard default settings”;
(g) additional requirements to “provide for a balanced approach to profiling and mitigate the risks for data subjects”; and
(h) individuals should be able to delete, modify or access the profile information.
Background
Regulators have become increasingly concerned by the use of profiling by organisations over recent years and particularly online.
Such concerns prompted the changes to the “cookies law” and the requirements for consent. The Working Party states in the Advice its concerns that profiling may challenge individuals’ rights and freedoms and that many people do not understand the extent to which profiling takes place. Article 20 of the draft Regulation stated that profiling would not be permitted unless an individual has given consent, which, under the new Regulation, must be explicit.
The LIBE Report by Albrecht was issued in January 2013 and proposed a definition of profiling as “any form of automated processing of personal data, intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular the person’s health, economic situation, performance at work, personal preferences interests, reliability or behaviour”, and proposed further limitations on profiling.
Why this matters:
For any organisation looking at profiling, the proposed changes to the Regulation (particularly with the amendments in the Albrecht report) would have imposed considerable limitations on the use of profiling, even where there was limited personal information, e.g. analytics on web page access.
The comments from the Article 29 Working Party at least recognise that a risk-based approach is of value, by distinguishing between types of profiling and stating that additional requirements should only apply where profiling “significantly affects the interests, rights and freedoms of individuals”.
The key question is, of course, how this will be defined, but at least this appears to be a step in the right direction. In addition, it is still unclear whether or not consent for profiling will be required and, if so, in what form.