Who: Information Commissioner’s Office (“ICO“)
Where: UK
When: 28 April 2017
Law stated as at: 7 May 2017
What happened:
The period for responding to the ICO’s feedback request on the new profiling provisions in the GDPR closed on 28 April 2017.
The feedback request included the ICO’s initial thoughts on some of the aspects of profiling under the GDPR that it considered required further debate (the ICO was at pains to emphasise that those initial thoughts should not be construed as guidance). The purpose of the request was to enable the ICO (and, indeed, the UK) to contribute to the Article 29 Working Party’s guidelines on profiling (which are due to be published later this year).
Profiling was one of the most hotly-contested topics during the four (rather long) years it took to negotiate the GDPR. An initially very strict approach to profiling in the early drafts of the GDPR was subsequently watered down, recognising the pivotal role that profiling and big data analytics are set to take in the growth of the digital economy. This is particularly the case in the advertising and marketing sectors.
Profiling is defined as:
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”
Therefore, profiling is more than just the collection of personal data; it is the use of that personal data to evaluate certain personal aspects relating to an individual. As an illustration, tracking an individual’s movements on a website would not be profiling; but using that data to determine their personal preferences and interests (for example, to deliver targeted advertising) would be.
The GDPR draws a distinction between:
- profiling for the purposes of making decisions which produce “legal effects” concerning a data subject (an individual) or “similarly significantly affect” the individual (under Article 22); and
- profiling for any other purpose.
The former (profiling under Article 22) is subject to more stringent provisions than the latter. In particular, the former must only be undertaken where it is:
- necessary for entering into, or performance of, a contract between the individual and the data controller;
- authorised by EU or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the individual’s rights and freedoms and legitimate interests; or
- based on the data subject’s explicit consent.
It is not possible to rely on the so-called “legitimate interests condition” (or, indeed, ordinary (non-explicit) consent) when undertaking profiling for the purposes of making decisions falling within Article 22. It may be possible to do so for other forms of profiling (the ICO explicitly refers to this possibility in its feedback request). Further, there are additional transparency requirements and data subjects’ rights in relation to profiling falling within Article 22.
The important question then, is the interpretation of Article 22. When might decisions based on profiling produce “legal effects” concerning an individual, or which “similar[ly] significantly effect” an individual?
In its Recitals, the GDPR refers to automated processing (including profiling) which is undertaken in the context of credit applications and e-recruiting practices as falling within Article 22. Those are two clear examples which most would agree ought to be subject to more stringent regulation.
The ICO (in its feedback request) adds to that list of examples, profiling which:
- causes damage, loss or distress to individuals;
- affects individuals’ health, well-being or peace of mind;
- causes individuals to change their behaviour in a significant way; or
- has unlikely, unanticipated or unwanted consequences for individuals.
These examples from the ICO are quite a lot harder to define than those which are given in the GDPR. The ICO itself recognises this when it suggests that:
“It may be useful to establish an external recognised standard to measure such effects, instead of simply relying upon the subjective view of the controller or the data subject.”
Why this matters:
The ability to undertake profiling is fundamental to many organisations in the advertising and marketing sectors. Not only can profiling deliver benefits to the organisations undertaking it; done correctly, it can also deliver benefits to consumers by tailoring offers of goods, services and prices to align with the consumers’ particular interests.
The interpretation of Article 22 is imperative. Defined broadly, it will place significant burdens on organisations undertaking profiling for advertising and marketing purposes; defined narrowly, there is less cause for concern. We can expect guidance from the Article 29 Working Party later this year. In due course, we might also expect a common standard for measuring the effects of profiling.
In any case, with a year to go, organisations should be reviewing their profiling activities in light of the GDPR, and ensuring that they are taking the necessary steps to ensure compliance from (no later than) 25 May 2018.