On October 18, the Article 29 Working Party released its draft of “Guidelines on Automated individual decision-making and Profiling for the Purpose of Regulation 2016/679” (“Guidelines on Automated individual decision-making and Profiling,” WP 251). The guidelines are not final yet and stakeholders may comment on these guidelines until November 28.
Guidelines on Automated Individual Decision-Making and Profiling
The GDPR introduces new provisions addressing profiling and automated decision-making. Such instruments are used in an increasing number of sectors such as banking and finance, healthcare, taxation, insurance, marketing, and advertising. The Article 29 Working Party recognizes the benefits of profiling and automated decision-making, such as increased efficiencies and resource savings, but also points to significant risks that can arise to individuals’ rights and freedoms and that require appropriate safeguards. The guidelines provide clarification regarding some core topics:
- Profiling and ‘solely’ automated processing. The Article 29 Working Party recognizes that there are three ways in which profiling can be used in practice: (i) general profiling (defined in Article 4(4) GDPR); (ii) decision-making based on profiling; and (iii) solely automated decision-making, including profiling according to Article 22 GDPR. Automated decisions can be made with or without profiling, which in turn can take place without making automated decisions. Only where the profiling is based on solely automated processing does Article 22 GDPR apply, and in all other cases of general profiling the ‘normal’ system of the GDPR applies.
- Processing activity that is wholly automated and leads to decisions that impact the individual in a sufficiently significant way is generally prohibited. The Article 29 Working Party interprets Article 22 of the GDPR as a prohibition on fully automated individual decision-making, including profiling that has a legal effect on, or similarly significantly affects, an individual. A decision is solely based on automated processing if there is no human involvement in the decision process. However, the key elements are the notions of ‘legal’ or ‘similarly significant’ effects, which the GDPR does not define. The Article 29 Working Party explains that “a legal effect suggests a processing activity that has an impact on someone’s legal rights, such as the freedom to associate with others, vote in an election, or take legal action. A legal effect can also be something that affects a person’s legal status or their rights under a contract.” And even where no legal (statutory or contractual) rights or obligations are specifically affected, the data subjects could still be impacted sufficiently to require the protections under this provision. According to the Article 29 Working Party, in many typical cases, targeted advertising does not have a significant effect on individuals; for example, an advertisement for a mainstream online fashion outlet based on a simple demographic profile for ‘women in the Brussels region.’ But the Article 29 Working Party takes the view that it is possible that targeted advertising can have a significant effect on an individual depending on his or her specific characteristics, and considering the following attributes:
- the intrusiveness of the profiling process;
- the expectations and wishes of the individuals concerned;
- the way the advertisement is delivered; or
- the specific vulnerabilities of the data subjects targeted.
In practice, this can be interpreted to mean that if data processing related to online advertising activities has a significant effect on an individual, this processing is prohibited and, to lawfully process the data, explicit consent by the data subject is required. Processing that might have little impact on individuals generally may in fact have a significant effect on certain groups of society, such as minority groups or vulnerable adults. Additionally, the Article 29 Working Party clarifies that automated decision-making that results in differential pricing could also have a significant effect if, for instance, prohibitively high prices effectively bar individuals from certain goods or services.
- Exceptions to the prohibition. For automated decision-making under Article 22 GDPR, only three exceptions apply to justify the processing: (i) the automated decision-making is necessary under Article 22(2)(a) for entering into, or the performance of, a contract; (ii) the data subjects give their explicit consent; and (iii) Union or Member State law provides a legal basis. Here, the Article 29 Working Party reiterates its view, already published in its Opinion on legitimate interests (WP217), that “necessity” should be interpreted narrowly. According to the Article 29 Working Party, the controller must be able to show that profiling is necessary, and that no less privacy-intrusive methods could be adopted. This requirement of necessity apparently constitutes a high hurdle for the controller. ‘Explicit consent’ is not defined in the GDPR, but the implication is that consent must be specifically confirmed by an express statement rather than some other affirmative action. The Article 29 Working Party announced that ‘explicit consent’ will be addressed in the forthcoming consent guidelines.
- Rights of the data subject. Given the potential risk and interference that profiling poses to the rights of data subjects, the Article 29 Working Party states that data controllers should be particularly mindful of their transparency obligations since the profiling process is often invisible to the data subjects. Profiling involves the creation of derived or inferred ‘new’ personal data about the data subjects, which they themselves have not directly provided. The Article 29 Working Party also clarified the importance of the other data subject rights, including the right to access.
- General provisions on profiling and automated decision-making. The Article 29 Working Party provides an overview of the provisions applied to both profiling and automated decision-making. To aid compliance, the Article 29 Working Party states that controllers should consider the following key areas:
- Transparency of the profiling process, as the process is often invisible to the data subject. The profiling process involves the creation of derived or inferred ‘new’ personal data about the data subjects, which they themselves have not directly provided.
- Compatibility of additional processing with the original purpose for which the data was collected.
- Data minimization and the ability to explain and justify the need to collect and hold the personal data. Controllers should consider accuracy at all stages of the profiling process, specifically when collecting and analyzing data, building a profile for an individual or applying a profile for making decisions affecting the individual.
- Storage limitation, because the long-term storage of information can conflict with the proportionality consideration.
The Annexes to the Guidelines, beginning on page 28, provide best practice recommendations built on the experience gained by EU Member States.