A stricter regime for profiling
Profiling and Big Data analytics are set to play a pivotal role in the growth of the digital economy. From cookie-based tracking to people’s interaction through social media, the size and the degree of granularity of our digital footprints have created unprecedented opportunities for business development and service delivery. The scale of data collection, data sharing and data analysis has not gone unnoticed by public policy makers, and this has led to the inclusion of special rules addressing profiling in the Regulation. In fact, from the point of view of those businesses seeking to benefit from data analytics, the provisions dealing with profiling are likely to become the most crucial aspect of the entire Regulation.
When the Data Protection Directive was adopted, back in 1995, no one could imagine that people’s relentless use of technology would become the main source of personal data and that in turn this would lead to the current explosion of Big Data analytics. The approach of the Data Protection Directive is to say that data subjects have a general right ‘not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him.’ This is set to change under the Regulation, due to concerns over the emergence of Big Data and the perceived privacy intrusions attached to it.
The draft Regulation includes various restrictions on profiling, which is not defined in the Commission draft, but includes analysing personal preferences or behaviour. As a general rule, under the Regulation individuals should not be subject to decision-making measures based solely on profiling, when such measures produce ‘legal effects’ on them (e.g. a bank decides not to grant a mortgage on the basis of profiling information), or significantly affect them.
Profiling activities will only be permitted: (i) with the data subject’s explicit consent, (ii) if expressly authorised by EU or Member State law, or (iii) if carried out in the course of entering into or performing a contract between the data subject and the data controller. In addition, there will be a blanket prohibition on profiling based on sensitive personal data and an express obligation to inform data subjects upfront about profiling activities.
Profiling in practice
In many situations, the only lawful basis for profiling will be the explicit consent of the data subject. As the Regulation requires explicit consent to be a ‘freely given, specific and informed indication of his wishes by the data subject, either by a statement or by a clear affirmative action’, engaging in lawful profiling could become much more cumbersome.
For example, data subjects will need to be informed about the profiling and the consequences of profiling and consent will need to meet very high regulatory expectations. This could mean that Big Data analytics involving personal data may require businesses to obtain explicit consent before the analyses can be conducted, for example in relation to customer tracking, behavioural targeting and advertising.
In summary, businesses that regularly engage in data analytics activities will need to consider how they can implement appropriate transparency and consent mechanisms in order to continue profiling activities under the Regulation.
The impact on the digital economy
The potential consequences of the forthcoming legal regime dealing with profiling should not be underestimated. As the legislative process continues its course and the framework is finalised, it is crucial to understand the practical implications for businesses and the digital economy as a whole. It is quite likely that the Regulation will regard profiling as a high-risk activity that will be subject to strict conditions and rigorous oversight.
Therefore, compliance with this new regime should form part of all businesses’ Big Data strategies. In many instances, this will involve setting up data collection processes that trigger an appropriate consent mechanism. This will often be determined by a preliminary assessment of the intended data activities that seeks to identify the impact on people’s privacy and the most suitable approach to legitimising those activities. Given the perceived risks of profiling, this simply must become a compliance priority.
What to do now
- Conduct an assessment of all data activities that may qualify as ‘profiling’ and determine the applicable legal basis.
- To the extent that consent is likely to be required, identify the most appropriate mechanism and how to deploy it in practice.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”