Profiling: what does the GDPR say?

If you’re a Facebook user and you sometimes check early bird flight deals, you’ll know the feeling. That suspicious feeling you get when you notice your social media account knows you a little better than you’d like it to. That moment when, on a grim Monday morning, you type ‘cheap flights Maldives’ and next thing you know, your Facebook newsfeed is overflowing with ads about sunny flight destinations. Coincidence? Of course not. It shouldn’t come as a surprise that Facebook has a lot more information about you than you ever consciously gave. But how does this mechanism, also known as profiling, work, and where’s the limit?

What is profiling?

The notion of profiling is defined in the new EU privacy regulation or GDPR as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person”. Via profiling, companies use personal data to analyse or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of the (potential) users of their services.

In other words, profiling is the act of creating a profile based on your personal data and using that profile to market or personalise services, without any human intervention. This profile is based on personal information, such as your online purchases, what you like and whom you befriend on Facebook, or the websites that you visit.

Since there is a clear processing of personal data when profiling, the GDPR is fully applicable to such activities. A company that wishes to use profiling will therefore have to show a legitimate ground for the processing and respect the rights of data subjects, as for any personal data processing. But the GDPR goes a little further as well.

Special rules for profiling

The GDPR does not literally prohibit profiling. Instead, it explicitly states that people have the right not to be subject to a decision based solely on profiling which produces legal effects concerning them or similarly significantly affects them. This means that decisions that have important consequences for you cannot be based on profiling alone. Examples of such decisions are the automatic refusal of a credit application submitted online or the processing of job applications without any kind of human intervention.

There are two different ways to see the practical implementation of such a right not to be subject to a decision based solely on profiling. It can either mean that automated decision-making is prohibited altogether. Or it can be interpreted as being allowed, as long as data subjects have the right to oppose it. The latter implies that you, as data subject, have to actively exercise your right and oppose such decisions. Needless to say, the second option is weaker than the first, and only the future can tell us what interpretation will be applied by authorities.

Moreover, there are several exceptions to this right not to be subject to decisions based solely on profiling. This is for example the case when the decision is necessary for entering into, or performance of, a contract between you and the company using your data.

Another exception is when you have given your explicit, informed consent to the automated decision-making process. This consent must be given through affirmative action, which means that you have to do something to express your consent: signing a statement, ticking a box, clicking on ‘accept’… It is therefore a strong form of consent, and cannot be merely implied from your actions. Think of those companies that state that by surfing on their website, you implicitly agree to them using your data: that is not possible under the GDPR.

Right to object to profiling

The GDPR provides that when a company uses profiling, users should always have the right to oppose this. The processor, as the person responsible for the processing, should immediately cease when explicitly requested by the data subject. This request can only be refused if profiling happens for reasons that outweigh the rights and freedoms of the data subject, such as reasons of public security.

Where personal data are processed for the purposes of direct marketing, the situation is of course very different. The GDPR clearly states that the data subject should have the right to object to such processing “at any time and free of charge.” There is no exception to this rule and when asked, profiling for that person should be stopped.

Moreover, this right “should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.” So data subjects should always have the right to be informed about the processing of their personal data for profiling. They can ask exactly which data is being used, and what for.

Conclusion

If the business model of your company is based on profiling, you should definitely take the time to review your data processing and check whether it is GDPR compliant. Even with Brexit coming up, British authorities have made it clear that the principles enshrined in the GDPR will still be upheld in the UK, whatever the outcome of the negotiations. Make sure your legal documents are in order. A good privacy policy, which sets out the profiling purpose of the processing and the rights of users, is absolutely indispensable.

Internet giants like Facebook, who rely on profiling for a large part of their services, should monitor the European Data Protection Board closely for its interpretation of the GDPR regarding profiling. But for data subjects like you and me, it’s a positive thing to have a certain measure of control over our personal data being used for profiling and decisions based on profiling.


This blog post was written by Gauthier Masco and Morgane Van Ermengem.