Personal Data and the Analytics Industry
The advent of high-volume data analytics technologies, AI, and machine learning has led to a booming data analytics industry. In addition, the general availability of large amounts of personal data on the internet and on “Internet of Things” devices has given firms operating in nearly all sectors, including advertising, banking and insurance, the ability to create profiles of individuals; profiles which can then be used to make automated decisions about those individuals.
Automated Processing of Personal Data
Profiling, stripped of legal jargon, is defined in the GDPR as the automated processing of personal data with the aim of evaluating the “personal aspects” of an individual, in particular to analyse or make a prediction about that individual.
The reference to “automated” processing, as opposed to “solely automated” processing, in this definition means that the GDPR definition of profiling includes decisions based on profiling that are NOT solely automated, i.e. where human intervention is involved.
Further, the activity of simply assessing or classifying an individual in, for instance, a CRM database, based on their age and sex would also qualify as profiling even if no intention exists to predict that individual’s behaviour.
Rights and Freedom of Individuals
The problem is that, whilst profiling can deliver commercial and societal benefits (think of personalised services or personalised medicine and healthcare), automated decision-making can create very real risks to the rights and freedoms of individuals, whose classification following an automated decision could prevent them from accessing credit or securing employment.
For this reason, the GDPR introduced a provision which prohibits data controllers from making decisions based solely on automated processing, including profiling.
There are three important exceptions to this prohibition under the GDPR and these are where the decision is made:
- for the purposes of performing or entering into a contract;
- subject to member state law; or
- with the individual’s explicit consent.
However, to rely on any of these exceptions the GDPR requires that the data controller implement a number of safeguards to protect the rights, freedoms and legitimate interests of data subjects, including the right for the individual to obtain human intervention by the data controller.
Automated Decision Making
It is important to note also that solely automated decision-making may or may not include profiling. A frequently cited example of a type of automated decision-making process which does not involve profiling is the imposition of speeding fines based on the evidence from speeding cameras.
The decision to issue the fine is made without considering other factors such as a pre-compiled profile of the driver’s driving habits.
There is, of course, an interplay between the Privacy and Electronic Communications Regulations 2003 (PECR 2003) and the GDPR with respect to profiling and automated decision-making, specifically the need for online advertisers to obtain a GDPR standard of “consent” before placing a cookie on an individual website user’s device. For more information, please refer to our recent article on online behavioural advertising.
Further, if you are a data controller engaged in profiling, whether or not it is conducted solely by automated means, the profiling must be conducted in compliance with the GDPR principles and the data subject access rights.
As an example, the principle that data should be processed in a “lawful, fair and transparent” manner, is backed up by a number of specific information provision obligations in the GDPR, which in the context of automated decision-making, including profiling, requires controllers to provide data subjects with the following information:
- the existence of automated decision-making;
- meaningful information about the logic involved (e.g. that a credit check by a mortgage company will involve an evaluation of the applicant’s “score”); and
- the significance and envisaged consequences of such processing for the data subject.
The provision of the above information is particularly critical where the data controller is relying on the data subject’s explicit consent as the lawful basis for the automated decision-making.
This is because a failure to provide the above information could invalidate the individual’s consent on the basis that such consent was not “informed” as is required under the GDPR.
Data Protection Impact Assessment (“DPIA”)
In the case of point 3 in the section above, “the significance and envisaged consequences of such processing for the data subject”, the completion of a Data Protection Impact Assessment (“DPIA”) will assist the controller in identifying when a serious risk to the rights and freedoms of data subjects is likely to arise as a result of the automated decision-making process.
A DPIA is an important tool for demonstrating compliance with the newly introduced GDPR principles of accountability and transparency, so it is always prudent to conduct, and to continue to conduct, DPIAs against any process or set of processes which involves solely automated decisions or decisions based on profiling which are not solely automated.
- Decision-making can be either solely automated (“the computer says no”) or based on profiling that is not solely automated (“a human makes the decision”).
- The GDPR introduces provisions which, subject to the exceptions discussed above, prohibit solely automated decision-making.
- Profiling can occur even if the controller has no intention of using the results to predict the behaviour of an individual or group of individuals.
- The GDPR principles continue to apply.
- There must be a lawful basis for the profiling operations.
- It is prudent to conduct a DPIA before beginning any form of profiling operation.
Should you require further advice and information regarding the application of the GDPR and PECR 2003 to profiling and automated decision-making in your organisation, or on how to conduct a Data Protection Impact Assessment, please contact us.