Profiling – The hidden Bombshell!
20th March 2015
Following my recent briefings about the EU proposed Data Protection Regulations, I received a number of questions about a particular proposal from the EU which seems to have been overlooked – the issue of profiling.
Below I have expanded on this area, as it could have a potentially major impact on any company which relies on this process.
Can I firstly take this opportunity to once again say that, although all 28 member states and the EU Commission have agreed, at least in principle, to the proposed regulations, there are still some enthusiastic debates over some of the finer points. One such example is the One-Stop-Shop.
The three institutions of the European Union (the Commission, Parliament and Council of Ministers) are broadly agreed on the final draft, and it is believed that the regulations will be passed in 2015 with full implementation within 2 years. However, on the issue of ‘profiling’ many differences remain.
Article 58 of the ‘Proposed’ EU Data Protection Regulations states:-
Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent.
In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
Taking Article 58 at face value, companies who use profiling to identify new customers, or those online companies who personalise adverts depending on the profile of the user they have identified, will be prevented from doing so unless they have received prior consent from the data subject.
I am not sure about you, but would you give your consent to an unknown commercial operation to profile you?
This issue is intrinsically linked to whether or not IP Addresses and Cookies will be classified as Personal Data. This is one of those contentious issues which has been holding up the regulations. Germany, being a mainly ‘opt-in’ society, wants profiling included in the legislation. The UK, which operates a mainly ‘opt-out’ methodology, wants it excluded.
Looking at the bigger picture, one of the key concerns for me is that in the past you were aware, more or less, of exactly what personal information a company knew about you. Now, with the explosion in Big Data and data-sharing, organisations with neither the need nor the right to know about you hold intimate details of your life. Let me give you an example which I heard of recently:-
An insurance company was buying data from online clothes retailers on items purchased. If you think about this, if in 2010 I had a waist size of 32″ (I wish!), in 2012 it was 34″ and in 2014 38″, you could reasonably assume that I was putting on weight. If the company then made a decision on this assumption (perhaps they decided to increase the policy fee as my risk of heart attack had increased), it would be making a decision on me which would have an adverse effect on, or be disadvantageous to, me. This would be unfair and contrary to both Principles 1 and 2 of the DPA.
In this example the assumption was based on facts; however, consider how many companies, for example Facebook, using their like/dislike facility, make decisions based on more subjective guesswork. You can therefore see that profiling has the potential to adversely affect an individual without their knowledge or consent. However, the flip side is that many companies are able to personalise and enhance the service that they offer precisely because of the profiling they perform.
I am sure that profiling is one of the elements of the regulations which will be fought over until the very end, and probably neither party will be happy. I shall bring the latest news to you as soon as we are made aware of it, but in the meantime, prepare for alternatives – organisations who are forewarned are forearmed.
Paul Adams LLB (Hons)
Data Protection & Information Governance Consultant & Trainer