GDPR: scope of rules on profiling not confined to solely automated processing, data watchdog says

Out-Law News | 20 Oct 2017 | 4:45 pm

Laws that place restrictions on the 'profiling' of individuals do not just apply to data processing completed entirely automatically, EU data protection authorities have said.

Those laws, which will take effect under the General Data Protection Regulation (GDPR) when it begins to apply on 25 May 2018, could also cover cases where humans, as well as machines, are involved in the processing, they said.

The Article 29 Working Party clarified the scope of the rules in draft new guidelines it published on automated individual decision-making and profiling under the new Regulation.

Under the GDPR, profiling is defined as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements".

Article 22 of the Regulation provides people with a qualified right "not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her".

The UK's Information Commissioner's Office (ICO) previously identified an anomaly between the definition of profiling in the GDPR and how profiling is described in other parts of the Regulation. The ICO said it was "debatable … whether 'automated processing' means purely automated, or whether human involvement at any stage takes the processing out of the definition".

Now the Article 29 Working Party, a group of data protection watchdogs from across the EU of which the ICO is a part, has confirmed that the profiling rules could apply to cases where there is human intervention in the data processing.

"Profiling has to involve some form of automated processing – although human involvement does not necessarily take the activity out of the definition," the Working Party said.

The watchdog also confirmed that businesses can be considered to be engaging in profiling where they are simply analysing sets of data about individuals. It said they do not have to be making predictions on the back of that analysis for the profiling rules to apply to them.

"The GDPR says that profiling is automated processing of personal data for evaluating personal aspects, in particular to analyse or make predictions about individuals," the Working Party said. "Therefore simply assessing or classifying individuals based on characteristics such as their age, sex, and height could be considered profiling, regardless of any predictive purpose."

In its draft guidance, the Working Party recommended that data controllers who are considering profiling activities conduct "algorithmic auditing". This would involve "testing the algorithms used and developed by machine learning systems to prove that they are actually performing as intended, and not producing discriminatory, erroneous or unjustified results", it said.

The Working Party also highlighted the potential for processing operations that concern profiling to benefit from certification under the GDPR, and for auditing processes involving machine learning to be governed by codes of conduct. The GDPR provides that certification and compliance with codes of conduct can help businesses demonstrate their compliance with the Regulation.

Proposed new guidance to help businesses meet their obligations to report certain data breaches under the GDPR has also been published by the Working Party.