Future of "user profiling" after the new European data protection rules, by Ignacio González Royo

The new European General Data Protection Regulation  (“GDPR”) will replace the Data Protection Directive and be fully effective as of May 25, 2018. It will be directly applicable in each Member State of the EU (without further implementation into domestic law) and will lead to a greater degree of harmonization. One of the many regimes the GDPR introduces is the one relating to “monitoring” and “profiling” users.
In a nutshell:
  • The GDPR creates jurisdiction over foreign companies: It establishes a broad reach, including jurisdiction over non-EU controllers (1) and/or non-EU processors (2) provided they are monitoring the behavior of European individuals and such behavior happens within the physical borders European Union. 
  • Scope: This new regime will apply when companies track and “profile” individuals on the Internet and subsequently use the data to take decisions concerning them (e.g. refuse a bank loan application, increase the insurance premium, or reject a job applicant). The GDPR defines profiling very broadly, as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to individuals, in particular to analyze or predict aspects concerning their performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. This means that companies collecting this type of data with the intention of using them to take decisions concerning individuals (such as the examples mentioned above) are very likely to be affected by the new rules. The inclusion of the term “automated” suggests, however, that non-automated processing (e.g. manual profiling) may be implicitly excluded and exempted from the new obligations (set out below).
New regime and obligations
  • Information to individuals: Companies falling within the scope will have to provide individuals with information regarding the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual. This is required both when the personal data has or and has not been obtained from the individual. 
  • Right of access: Individuals will have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, where that is the case, they will have the right to access to their personal data and information on automated decision-making, including profiling. 
  • Right to object: 
- Where personal data is processed for the purposes of direct marketing, the individual will have the right to object, at any time and free of charge, to such processing, including profiling, to the extent that it is related to such direct marketing. In this case processing must cease and the controller is not authorized to continue under any circumstances. This right should be explicitly brought to the attention of the individual and presented clearly and separately from any other information.   

- The individual will also have the right not to be subject to a decision or measure evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.  In such case, the controller shall no longer continue the processing unless it demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the individual or for the establishment, exercise or defense of legal claims. For example, decision-making based on such processing, including profiling, should be allowed: (a) when expressly authorized by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of the European Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or (b) necessary for the entering or performance of a contract between the individual and a controller, or (c) when the individual has given his or her explicit consent.

- In any event, such processing should be subject to suitable safeguards, which should include (i) specific information to the individual, (ii) the right to request human intervention, (iii) to express his or her point of view, (iv) to obtain an explanation of the decision reached after such assessment and (v) to challenge such a decision. If profiling relates to children, special restrictions may apply. 

- Moreover, all permissible profiling has to comply with an additional requirement: the GDPR compels controllers to use appropriate mathematical or statistical procedures, implement technical and organizational measures to correct personal data inaccuracies and avoid errors, secure all personal data, and minimize the risk of discriminatory effects against individuals on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, or sexual orientation.   

- Finally, automated decision-making and profiling based on special categories of sensitive personal data (e.g. racial, ethnic, or religious information) should be allowed only under specific and stringent conditions (explicit consent, public interest, etc).   
  • Data impact assessments for controllers engaged in profiling: Data controllers will be required to conduct data impact assessments when they engage in a systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual. 
  • The European Data Protection Board: This body is created by the GDPR and empowered to issue guidelines, recommendations and best practices concerning decisions based on profiling.

(1) Controller: company which determines the means and purposes of the data processing (typically also the company that “collects” the data).
(2) Processor: company which processes personal data on behalf of a controller but does not determine the means or purposes of the data processing (e.g. hosting providers, service providers, etc.).

Ignacio González Royo, Senior associate at Meitar Liquornik Geva Leshem Tal's Technology and Intellectual Property Group. Currently based in Tel Aviv, Israel.  Prior to joining Meitar, he was a senior associate at J&A Garrigues S.L.P, in the Intellectual Property Department and the Telecom & Media and Sports & Entertainment industries. Degree in Law from Universidad Complutense de Madrid. Degree in Architecture from Universidad Politécnica de Madrid. Postgraduate studies in business law and business intelligence and security. Member of FIDE's Academic Council.


En la misma Sección
< >

Miércoles, 13 de Enero 2021 - 09:42 El futuro de los servicios legales

        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31

Semblanzas Fide

Síguenos en redes sociales
YouTube Channel