What is a Profiling?
Profiling is automated processing to evaluate personal aspects of a person.
The GDPR defines profiling as follows: “‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” Article 4 (4), Definitions, GDPR. Profiling is very broad. Arguably, merely sorting a spread sheet for gender is profiling.
Extra-territorial Scope of the GDPR
Recital 24 of the GDPR explicitly makes the GDPR applicable to profiling done by organizations outside of the EU:
“The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” (emphasis added)
Generally speaking, tracking individuals online for purposes of creating profiles is considered monitoring. Monitoring specifically includes tracking of individuals online to create profiles (such as done with cookies by ad tech networks).
Power of Profiling
Profiles can be used to improve the social networking services, address security and fraud issues, provide better content or serve up more relevant advertisements. However, profiles can be used in harmful ways that violate privacy. Where decisions are made about people without human intervention (though automation), care must be taken to ensure privacy is not violated.
Profiling as Personal Information
Personal data includes any information relating to an identified or identifiable natural person. It includes any online identifier, such as IP address, cookie or radio frequency tag used to create a person’s profile and identify them demonstrating breadth of personal data content. Profiles of browsing habits do constitute personal data. See Vidal-Hall v. Google Inc. case.
Location data is explicitly included in the definition of “personal data” under the GDPR. Location data relates to an identifiable natural person, so it is personal data. Location data is also explicitly included and called out in the definition of “profiling”. The automated processing of personal data to evaluate someone’s location is regulated profiling. A data subject has the right, among others, to object to the automated processing of personal data to analyze or predict the data subject’s location or movements if the processing significantly affects the data subject. Profiling is not limited to cases where legal effects are produced.
See GDPR, Article 4 (1), (4); Recital (71).
Pseudonymous data is personal data. This would include pseudonymized profiles that can be connected to an individual even where the controller does not in fact intend to make this connection.
Lawful Basis for Profiling
Data subjects must consent to profiling. Automated individual decision-making, including profiling, requires explicit consent. Consent cannot be secured through a contract. In other words, a controller cannot justify building a profile on a customer if not necessary for the performance of a contract under GDPR, Article 6(1)(b). See page 20 of: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679
Controllers Must Inform Data Subjects about Profiling
In addition to the general requirements, when controllers are processing personal data, they must provide meaningful information about the logic involved. Instead of providing a complex mathematical explanation about how algorithms or machine-learning work, the controller should consider using clear and comprehensive ways to deliver the information to the data subject, for example:
· the categories of data that have been or will be used in the profiling or decision-making process;
· why these categories are considered pertinent
· how any profile used in the automated decision-making process is built, including any statistics used in the analysis;
· why this profile is relevant to the automated decision-making process; and
· how it is used for a decision concerning the data subject.
Such information will generally be more relevant to the data subject and contribute to the transparency of the processing. Controllers may wish to consider visualization and interactive techniques to aid algorithmic transparency.
See Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053
Data Subject Rights Regarding Profiling
Under the GDPR, when a controller creates a profile of a data subject, the rights to rectification and erasure apply to the ‘input personal data’ (the personal data used to create the profile) and the ‘output data’ (the profile itself or ‘score’ assigned to the person, which is personal data relating to the person concerned). A data subject also has a right, taking into account the purpose of the processing, to provide a supplementary statement to a profile. See: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679