Technology has recently enabled private companies to monitor and cross-reference information on data subjects’ personal preferences on a large scale and to build more accurate customer “profiles” (Big Data, connected objects, mobile apps with geolocation tracking, etc.).
Based on these profiles, computer programs used by businesses and institutions can generate automatic actions or decisions from their analysis without any human intervention.
This has created new opportunities (efficient decision-making, savings in time and resources) but also new threats to data subjects’ rights, since such decisions exclude any human intervention; a new legal framework was therefore needed.
The GDPR defines profiling as ‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’.
- Profiling as such is not forbidden by the GDPR, but the data collected for profiling purposes remain subject to the other GDPR requirements (existence of a legal basis, fairness and transparency of processing, purpose limitation, data minimisation, etc.).
- General right to object (to the processing, including profiling) on grounds relating to the data subject’s particular situation. The controller may justify continuing the processing on compelling legitimate grounds.
- Where such processing (including profiling) is conducted for direct marketing purposes, the data subject may object without having to give any justification, and the controller has to comply (opt-out).
Automated decision-making is described as “the ability to make decisions by technological means without human involvement.” Automated decision-making can take place with or without profiling, and can be based on any type of data.
Article 22 of the GDPR creates a general right for data subjects not to be subjected to solely automated decision-making (including profiling) that has legal or similarly significant effects, with a limited set of derogations, as well as an absolute prohibition where minors are concerned (Recital 71). Exceptions to the general prohibition (with adequate safeguards implemented) include:
a) the decision is necessary for entering into, or performance of, a contract between the data subject and the controller;
b) explicit authorisation by Union or Member State law to which the controller is subject;
c) explicit consent of the data subject.
However, it remained unclear from the terms of the GDPR what type of automated decision-making falls within the scope of Article 22 (especially with regard to direct marketing and targeted advertising).
In October 2017, the Article 29 Working Party (WP29) published its much-awaited draft guidance on automated decision-making and profiling under the GDPR, which clarifies how the GDPR applies:
Automated decision-making…
WP29 explains that only profiling activities based on a solely automated decision-making process may fall within the scope of Article 22 of the GDPR.
(Notice: WP29 explains that the controller cannot avoid the Article 22 provisions by fabricating human involvement. For example, if someone routinely applies automatically generated profiles to individuals without any actual influence on the result, this is still a decision based solely on automated processing.)
…with a legal or significant impact
WP29 gives a series of examples of decisions which may have a legal effect on data subjects (for example, decisions concerning housing opportunities, the right to social welfare, or action taken on the basis of a breach of contract).
Automated decision-making with a legal effect is fairly straightforward, but even if an automated decision-making process does not affect people’s legal rights, it can still fall within the scope of Article 22 if it produces an effect that is equivalent or similarly significant in its impact.
For data processing to significantly affect someone, the effects of the processing must be more than trivial and must be sufficiently great or important to be worthy of attention. In other words, the decision must have the potential to significantly influence the circumstances, behaviour or choices of the individuals concerned. At its most extreme, the decision may lead to the exclusion or discrimination of individuals.
Automated decision-making, including profiling, and targeted advertising
WP29 explains that in many cases targeted advertising does not have a significant effect on individuals, for example an advertisement for a mainstream online fashion outlet based on a simple demographic profile: ‘women in the Brussels region’.
However, WP29 also explains that processing which might have little impact on individuals generally may in fact have a significant effect on certain groups of society, such as minority groups or vulnerable adults. For example, someone in financial difficulties who is regularly shown adverts for online gambling may sign up for these offers and potentially incur further debt.
Criteria which must be taken into account to determine whether targeted advertising is subject to the Article 22 prohibition:
- the intrusiveness of the profiling process;
- the expectations and wishes of the individuals concerned;
- the way the advert is delivered; or
- the particular vulnerabilities of the data subjects targeted.
Exceptions to Article 22 (excluding legitimate interest)
WP29 explicitly explains that where the processing falls under one of the exceptions (consent, legal provision, performance of a contract), sufficient justification and information, together with safeguards, are needed: clear information on how the processing works, access to “at least the right of human intervention”, and an explanation of how the decision is reached.
Notice: these exceptions are interpreted narrowly, and legitimate interest cannot be accepted as an exception to Article 22 of the GDPR.
For targeted advertising, if you are creating profiles and taking solely automated decisions based on those profiles, you are responsible for evaluating the impact of these decisions on the rights of data subjects, based on the criteria of the WP51 Guidelines. Where the impact is significant, legitimate interest is not accepted as a derogation from the general prohibition in Article 22 of the GDPR.
Questions on online marketing or data protection?
Please feel free to contact our team at firstname.lastname@example.org or on 02 721 13 00.