Data Is Power: Profiling and Automated Decision-Making in GDPR
In contrast to automated decision-making, profiling is a relatively novel concept in European data protection law. It is now explicitly defined in Article 4(4) of the EU General Data Protection Regulation (GDPR), and refers to the automated processing of data (personal and not) to derive, infer, predict or evaluate information about an individual (or group), in particular to analyse or predict an individual’s identity, their attributes, interests or behaviour.
Through profiling, highly sensitive details can be inferred or predicted from seemingly uninteresting data, leading to detailed and comprehensive profiles that may or may not be accurate or fair. Increasingly, profiles are being used to make or inform consequential decisions, from credit scoring, to hiring, policing and national security.
Ever since the approval of the regulation in 2016, debates have focussed on the GDPR’s potential to limit or offer protection against increasingly sophisticated means of processing data, in particular with regard to profiling and automated decision-making. While the GDPR offers new rights and protection, their scope and limits are open to debate, partly due to the clumsy syntax of the relevant articles and the lack of authoritative guidance concerning their interpretation.
The European Data Protection Board, which will replace the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, is specifically tasked with publishing ‘guidelines, recommendations and best practices’ on the GDPR. In October 2017, the Working Party 29 published draft guidance on profiling and automated decision-making. In this report we propose our suggestions to contribute to the development of guidelines which provide the strongest protections for data subjects.