The Article 29 Data Protection Working Party has recently issued an advice paper on profiling prior to the implementation of the proposed EU General Data Protection Regulation (the “Proposed Regulation”).
Profiling is the practice of connecting and linking personal data so that aspects of the personality of users, such as behaviour, interests and habits, can be determined, analysed and predicted. Given the widespread availability of personal data on the internet and the increasing ability to link such data, profiling contains a threat to the rights and freedoms of users and the privacy of their personal data. For this reason, the Working Party believes that more can be done to explain and mitigate the various risks that profiling can pose.
Key elements of the proposals in the paper are:
- A definition of profiling to be included in the Proposed Regulation which is “any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person’s health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements”
- Broadening the scope of Article 20 of the Proposed Regulations so that it covers processing of personal data for the purpose of profiling or measures based on profiling
- Including in Article 20 of the Proposed Regulation additional requirements for data controllers to disclose to users that personal data will be used by profiling, the purposes for which such profiling is carried out and the logic involved in automatic processing
- A higher degree of responsibility and accountability is envisaged for data controllers, including “obligations or incentives for data controllers for anonymization or pseudonymization in the context of profiling, and data security and human intervention in defined cases”
A copy of the advice paper can be accessed here.