The Article 29 Data Protection Working Party (WP29) has published draft guidelines on automated individual decision-making and profiling under the General Data Protection Regulation (GDPR).
Profiling is a form of automated processing of personal data used to evaluate an individual's personal aspects, for example to analyse or predict matters relating to that individual. WP29 clarifies that, whilst profiling must involve some form of automated processing, this does not preclude human involvement in the process.
Automated decision-making is the ability to make decisions by technological means without human involvement. Automated decisions can be based on any type of data, including:
Profiling and automated decision-making often overlap, and a simple automated decision-making process can become one based on profiling. For example, a speeding fine imposed on the basis of speed camera evidence becomes a decision based on profiling where the individual's driving habits have been monitored.
Article 22 of the GDPR provides that "the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her".
Individuals should not be subjected to decisions based solely on automated processing, including profiling, unless:
The WP29 clarifies that necessity for the purpose of performing a contract or entering into a contract is interpreted narrowly, and organisations must show that it is not possible to use less intrusive means to achieve the same goal. "Explicit consent" is not defined in the GDPR, but will be addressed in further consent guidelines expected in due course. The GDPR, however, suggests that explicit consent must be confirmed by an express statement (rather than some other affirmative action).
The WP29 recommends that, when assessing the risk to and interference with data subjects' rights arising from decisions based solely on automated processing, including profiling, data controllers should be mindful of their transparency obligations under Articles 13, 14 and 15 of the GDPR.
These include the need to inform data subjects that they are subject to this type of activity and to explain its significance and consequences. Data subjects must have the right to request a review of the decision (including an analysis of all relevant data), which should be conducted by a person with appropriate authority and competence to change the decision.
The WP29 clarifies how the data protection principles apply to profiling and automated decision-making. Controllers should take account of the following areas:
Solely automated decision-making, including profiling, should not apply to children (Recital 71 of the GDPR), but the WP29 does not consider this an absolute prohibition as it is not included in the main text of the GDPR. There may be circumstances where controllers need to carry out processing involving children (such as to protect their welfare). In those circumstances, controllers should comply with Article 22 and implement safeguards appropriate to children.
The GDPR highlights the need for controllers to assess and address the risks involved in profiling and automated decision-making by carrying out DPIAs (Article 35(3)). The WP29 considers that this provision also extends to decisions that are not wholly automated but which have legal or similarly significant effects. For more information on the WP29's draft guidelines on DPIAs, see our update.
The guidelines provide helpful clarification on automated decision-making and profiling under the GDPR and offer practical guidance on the new requirements in different scenarios. Organisations can submit comments on the guidelines until 28 November 2017 and should act early to ensure compliance with the GDPR by the time it comes into force.
Contributor: Jenai Nissim
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.