Profiling and big data analytics are set to play a pivotal role in the growth of the digital economy. From cookie-based tracking to people’s interaction through social media, the size and the degree of granularity of our digital footprints have created unprecedented opportunities for business development and service delivery. The scale of data collection, data sharing and data analysis has not gone unnoticed by public policy makers and this has led to the inclusion of special rules addressing profiling in the Regulation. In fact, from the point of view of those businesses seeking to benefit from data analytics, the provisions dealing with profiling are likely to become the most crucial aspect of the entire Regulation.
When the Data Protection Directive was adopted, back in 1995, no one could imagine that people’s relentless use of technology would become the main source of personal data and that in turn this would lead to the current explosion of Big Data analytics. The approach of the Data Protection Directive is to say that data subjects have a general right ‘not to be subject to a decision which produces legal effect concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him.’ This is set to change under the Regulation, due to concerns over the emergence of Big Data and the perceived privacy intrusions attached to it.
The Regulation includes various restrictions on profiling, including analysing personal preferences or behaviour, although they have been watered down from the stricter approach seen in early drafts of the Regulation. In practice the data subject’s right to object to profiling will be of great importance.
The data subject may object to profiling, at any time, on grounds relating to his or her particular situation, where the basis of such processing is that it is necessary for the purposes of legitimate interests pursued by the data controller. In such cases, the data controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. When the profiling is related to direct marketing, the data subject has an absolute right to object. In this case, the processing must stop and the controller cannot continue under any circumstances.
The data subject will not be able to object to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, if the decision: (i) is based on the data subject’s explicit consent, (ii) is expressly authorised by EU or Member State law, or (iii) is necessary for entering into, or performance of a contract between the data subject and a data controller.
Profiling-based decisions must not be based on special categories of personal data (e.g. racial, ethnic, or religious information) unless (i) the data subject has given explicit consent for one or more specified purposes, except where prohibited by European law or member state law; or (ii) processing is necessary for reasons of substantial public interest, on the basis of European or member state law.
It is of paramount importance that a data subject who is subject to a decision based solely on automated processing, including profiling, is informed of his or her right to object to profiling at the first communication. This right must be explicitly brought to his or her attention and must be presented clearly and separately from any other information. The controller must inform a data subject at the time data is collected not only of the fact that profiling will occur, but also of “the logic involved” and “the envisaged consequences of such processing”.
Profiling in practice
In many situations, the only lawful basis for profiling will be the explicit consent of the data subject. As the Regulation requires explicit consent to be a ‘freely given, specific and informed indication of his or her wishes by the data subject, either by a statement or by a clear affirmative action’, engaging in lawful profiling could become much more cumbersome.
For example, data subjects will need to be informed about the profiling and the consequences of profiling and consent will need to meet very high regulatory expectations. This could mean that Big Data analytics involving personal data may require businesses to obtain explicit consent before the analyses can be conducted, for example in relation to customer tracking, behavioural targeting and advertising. In summary, businesses that regularly engage in data analytics activities will need to consider how they can implement appropriate transparency and consent mechanisms in order to continue profiling activities under the Regulation.
The impact on the digital economy
The potential consequences of the forthcoming legal regime dealing with profiling should not be underestimated. As the legislative framework is now finalised, it is crucial to understand the practical implications for businesses and the digital economy as a whole. The Regulation regards profiling as a high risk activity and it is subject to strict conditions and rigorous oversight.
Therefore, compliance with this new regime should form part of all businesses’ Big Data strategies. In many instances, this will involve setting up data collection processes that trigger an appropriate consent mechanism. This will often be determined by a preliminary assessment of the intended data activities that seeks to identify the impact on people’s privacy and the most suitable approach to legitimizing those activities. Given the perceived risks of profiling, this must become a compliance priority.
What to do now
- Conduct an assessment of all data activities that may qualify as ‘profiling’ and determine the applicable legal basis: (i) consent, (ii) required for the entry into or performance of a contract or (iii) authorisation by law.
- Identify any decision which relates to sensitive data or children; in both cases, further scrutiny will have to be applied.
- To the extent that consent is likely to be required, identify the most appropriate mechanism for obtaining this and how to deploy it in practice.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”