Big data and its ability to drive sophisticated profiling of individuals has been in the EU regulatory spotlight of late. This week the EU's privacy guidance body, the Article 29 Working Party (A29WP) revisited the same topic in the context of the proposed EU-wide data protection reforms (expected to take effect in 2016 if the EU Parliament can ever agree its wording). We digest the A29WP's views and list out their potential implications for profiling in the near future.
What reforms are the EU currently proposing?
Article 20 of the EU's draft General Data Protection Regulation is intended to change the present, very generic regime to introduce specific rules around profiling of individuals for the first time.
The EU's specific proposals are summarised below:
- Profiling which "significantly affects" someone or has "legal effects" will only be lawful if necessary to enter into or perform a contract with that individual, or if the individual has given their consent.
- Privacy safeguards must be built into any such profiling, e.g. to allow human intervention on request to vet automated decisions.
- It would be illegal to profile people based solely on any of their sensitive personal data, i.e. health data, race or ethnicity, sex life, trade union membership, political opinions, religious and similar beliefs, genetic data, or criminal convictions.
- People would have the right to stop any fully-automated profiling which "significantly affects" them or has "legal effects".
The wider provisions of the General Data Protection Regulation also have to be factored in. So for example:
- Tougher rules on "consent" are being proposed. Consent to profiling would have to be explicit to be lawful.
- An individual would have the right to a copy of their profile and underlying data in electronic form.
- An individual would also have the right to be "forgotten" by an organisation, i.e. their profile and records deleted.
The A29WP's view on these reforms
- A definition of "profiling" is required for certainty. This is sensible, but the wording they seek is broad, covering "any form of automated processing of personal data" to predict personal aspects of an individual. The proposals expressly cover analysis of a person's health, economic situation, performance at work, personal preferences, interests, reliability, behaviour, location and movements.
- Guidance on what is a "significant effect" is required. Again, this is sensible; otherwise organisations are going to be guessing where the Article 20 rules apply. The tone of the A29WP's comments and existing guidance implies, though, that most sophisticated profiling, e.g. for marketing segmentation and personalisation purposes, will be considered "significant".
- Rules should cover the sheer act of creating a profile, as well as the outcomes from it. Article 20 focuses entirely on profiling which creates legal effects or which significantly affects someone, but in the A29WP's view misses the fact that the act of creating a profile in itself is arguably intrusive and should be regulated.
- Building on point 3 above, organisations must comply with certain specific rules in creating any profile. They must inform an individual that their personal data will be used for profiling, the purposes for which the profiling is carried out, and the logic involved in any associated automated processing (so what you look at, how you rank different factors, and the segments that result). Individuals must have the right to access, modify and delete the profile information attributed to them. Individuals must also have the right to refuse any measure or decision based on their profile.
- Appropriate "safeguards" should include use of "data protection-friendly" technologies and default settings, use of data minimisation, anonymisation or pseudonymisation, and tough security measures.
What are the potential implications?
For the most part these are self-evident. The key takeaways are that:
- Organisations will have to be really transparent about the details of what they are doing, not just state that they are "profiling" or seeking to "personalise" services. This change will come as a real culture shock to most organisations, especially marketing teams who in our experience tend to shy away from openness and push the boundaries even when seeking marketing consents.
- Compliance will involve sophisticated IT development, to give individuals the requisite access and control over their profiles.
- Privacy compliance will have to be designed into systems and processes upfront, with decent timescales allowed for development, testing and implementation. This approach will be a complete sea change for many outside the largest or most regulated of organisations, where legal compliance activities are typically left to late on in project timelines, and not designed into business requirements up front.
The bigger picture
It is interesting to note the similarity between the position set out above, and the A29WP's existing guidance on what organisations should be doing as best practice in complying with the law as it presently stands.
Their existing guidance encourages a sophisticated and highly transparent approach to profiling that covers many of the same topics. Read together, it looks like the A29WP is trying to encourage organisations to take pro-active steps in this area now, before they are forced to do so by a toughening up of the underlying laws.
The A29WP is also implicitly reinforcing one of this blog's key mantras: privacy "compliance" is not simply a matter for lawyers.
Lawyers cannot design and build end-user web transparency tools or data download functionality. You won't want your lawyers writing all your copy "selling" your privacy stance to your customers, whether consumers or business people, let alone taking responsibility for devising creative ways of conveying this copy. Most fundamentally, lawyers cannot guarantee good privacy practices are maintained throughout your organisation; only your own staff can do this. Against this backdrop, privacy compliance has to be viewed as an organisation-wide, cultural issue as opposed to a purely legal one.
So where do we go from here?
Fundamentally, we all have to continue to "watch this space". The EU legislative process is still far from complete. The EU Parliament is reportedly struggling to agree the text it wants to put to a vote, and lobbying efforts seem to be disrupting things in general. In this climate, the final shape of the new rules (if any should emerge) is still far from certain.
That said, certain private enterprises are already reportedly building sophisticated end-user profile management tools, and in doing so appear to be running in front of the law. Should your organisation be doing likewise?