Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Diego Naranjo (EDRi) - Profiling: data subject rights, legal grounds

19 views

Published on

Annual Conference on the EU Data Protection Law on 19-20 April in Brussels

Published in: Law
  • Be the first to comment

  • Be the first to like this

Diego Naranjo (EDRi) - Profiling: data subject rights, legal grounds

  1. 1. Access the slides now: http://edri.org/diego/
  2. 2. 2 European Digital Rights (EDRi) is an association of civil and human rights organisations from across Europe. We defend rights and freedoms in the digital environment.
  3. 3. 3 EU Rules on Data Protection & Privacy Existing legislation: ● Data Protection Directive (1995) ● ePrivacy Directive (2002) To be replaced respectively by ● General Data Protection Regulation – GDPR (adopted in 2016, in force from May 2018) ● ePrivacy Regulation proposal (ongoing, expected for 2018)
  4. 4. 4 Profiling
  5. 5. 5 Profiling 1- Profiling: “Personalised” experiences and discrimination 2- Profiling and automated-decision making in the GDPR: Rights of individuals 3- Can profiling be done legally?
  6. 6. 6 Profiling 1- Profiling: Algorithms and public policies Algorithm is the new magic potion: – Predictive policing (UK) – Credit score – Social services applications (Poland) – Illegal content – Copyright infringements
  7. 7. 7 Profiling 1- Profiling: Algorithms and private policies
  8. 8. 8 Profiling 1- Profiling: Access to social services ● Non-transparent rules of distributing public services ● Algorithm no more efficient than the office worker ● The new system of distributing labor market programs, instead ofincreasing efficiency, has led to the limitation of available options and even exclusion from access to such services. ● System based on the presumption of guilt: Unemployment = not motivated to work
  9. 9. 9 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals a– Definition of profiling and automated decision-making b– General provisions on profiling and automated decision making c– Specific provisions on automated decision making d– Rights of the data subject
  10. 10. 10 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals a– Definition of profiling and automated decision- making Art. 4.4 GDPR Profiling is composed of three elements: ● It is an automated form of processing ● It has to be carried out on personal data; and ● The objecive of the profiling must be to evaluate personal aspects about a natural person Note: Article 4(4) refers to any form of profiling, not “solely” automated processing which is Article 22 GDPR → Human involvement does not take the processing out of the protections
  11. 11. 11 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals a– Definition of profiling and automated decision-making Goals of the provisions on profiling in the GDPR ● transparency and fairness safeguards; ● increased accountability obligations; ● specified legal bases for the processing; ● rights for individuals to oppose profiling; and ● if certain conditions are met, a need to carry out a data protection impact assessment.
  12. 12. 12 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals a– Definition of profiling and automated decision- making Art. 4.4 GDPR Profiling is composed of three elements: ● It is an automated form of processing ● It has to be carried out on personal data; and ● The objecive of the profiling must be to evaluate personal aspects about a natural person Note: Article 4(4) refers to any form of profiling, not “solely” automated processing which is Article 22 GDPR → Human involvement does not take the processing out of the protections
  13. 13. 13 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals a– Definition of profiling and automated decision- making What does the definition mean? 1/2 Profiling as a “procedure which may involve a series of statistical deductions”→ Therefore “simply assessing or classifying individuals based on characteristics such as their age, sex, and height could be considered profiling, regardless of any predictive purpose” (WP29 guidelines)
  14. 14. 14 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals a– Definition of profiling and automated decision- making What does the definition mean? 2/2 Inferences are usually done about how an individual or group of individuals) can be placed under a certain category. For example: ● Likely to incurr in certain behavior (driving patterns for insurance companies) ● Interests (gender, political and other info for advertisers on social platforms) ● Analysis of a past behaviour (algorithms deciding about workers’ performance)
  15. 15. 15 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Automated decision making Automated-decision making is the ability to decide using technological means. Automated-decision making can lead to profiling practices or not Example: Random assignment of seats in a theater → Can be just auomated, or you could get better seats according to the asiduity you attend expensive plays, your membership card ownsership...
  16. 16. 16 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals How can profiling be used? ● Profiling ● Decision-making based on profiling ● Solely automated decision making, including profiling (Art. 22)
  17. 17. 17 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals How can profiling be used? Difference between: ● Decision-making based on profiling –> a bank officer decides to agree to a mortgage for a customer ● Solely automated decision making, including profiling (Art. 22) → a machine decides this authomatically
  18. 18. 18 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Automated decision-making ● General prohibition on fully automated decision- making, including profiling that has a legal or similarly significant effect ● However, as any rule it has some exceptions ● Measures need to be put in place to safeguards individuals’ rights and freedoms and legitimate interests (recital 71)
  19. 19. 19 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Automated decision-making What does “legal” or “similarly significantly effects him or her” mean? ● Legal effects: Social benefits, border crossing, targeted surveillance or increased security checks, breach of contracts… ● Similarly significantly effects him or her: Recital 71 mentions examples: credit applcations, e- recruiting practices….
  20. 20. 20 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Automated decision-making Key aspect to ascertain if it “similarly significantly effects him or her”: ● It must be sufficiently great to be worthy of attention ● It must influence the circumstances, behaviour or choices of the individials concerned ● Extreme: exclusion or discrimination
  21. 21. 21 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Automated decision-making: online advertising Privacy International: “Targeted advertising has the potential of exclusion or discrimination of individuals” → 2015 Carnegie Mellon University research: Google advertising showed ads for high-income jobs to me more than to women
  22. 22. 22 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Rights of the Data Subject 1- Right to be informed (Art. 13(2) and 14(2) (g) Controllers must: ● Tell the data subject that they are engaging in automated-decision making and/or profiling ● Explain what is the logic behind the algorithm/process ● Explain which are consequences expected from such processing
  23. 23. 23 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Rights of the Data Subject 1- Right to be informed (Art. 13(2) and 14(2) (g) Meaningul information about the “logic involved” ● Information provided by the individual ● Information about previous conducts taken into consideratin (delay paying a monthly statement) ● Official public records (insolvency)
  24. 24. 24 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Rights of the Data Subject 1- Right to be informed (Art. 13(2) and 14(2) (g) “Significance” and “envisaged consequences” Example: monitoring purchase behavior in an online platform to propose “premium” accounts to users that engage in impulsive shopping
  25. 25. 25 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Rights of the Data Subject 2- Right of Access (Art. 15(1)(h) Right to access the personal data in the context of automated decision-making and profiling, including the logic behind the practices and significance and envisaged consquences
  26. 26. 26 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Rights of the Data Subject 3- Right not to be subject to a decision based solely no automated decision-making (Art. 22) Even if Art. 22(2) provides exceptions to allow automated decision-making, Art. 22(3) allows to “obtain human intervention on the part of the controller to express his or her point of view and to contest de decision”
  27. 27. 27 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Rights of the Data Subject 4- Right to rectification (Art.16), Right to erasure (Art. 17) and Right to restriction of processing (Art. 18) ● WP29: Right to restriction of processing applies to all stages of the profiling process
  28. 28. 28 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Rights of the Data Subject 4- Right to rectification (Art.16), Right to erasure (Art. 17) and Right to restriction of processing (Art. 18) ● WP9: Right to rectification and right to erasure applies to both “input” and “output”: Right to add aditional information in order to correct an algorithm concluding likelyhood to have a car accident in the first two years after acquiring driving license
  29. 29. 29 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Rights of the Data Subject 4- Right to rectification (Art.16), Right to erasure (Art. 17) and Right to restriction of processing (Art. 18) ● WP29: Right to restriction of processing applies to all stages of the profiling process
  30. 30. 30 Profiling 2- Profiling: Profiling and automated-decision making in the GDPR: Definitions and Rights of individuals Rights of the Data Subject 5- Right to object (Art. 21) ● The data subject has the right to object unless the cotroller “demonstrates compelling legitimate grounds” (????) which overrides the interests of the data subject ● But! Absolute right to object to direct marketing processing activities
  31. 31. 31 Profiling 3- Can profiling be done legally? Yes! When: 1-Data Protection Principles (Art. 5) are respected ● Lawful, fair and transparent processing ● Further process and purpose limitation ● Data minimisatoin ● Accuracy ● Storage limitation
  32. 32. 32 Profiling 3- Can profiling be done legally? Yes! When: 2-There is a lawful basis for processing (Art. 6) ● Consent → See WP29 guidelines for consent. User needs to have a real choice and no imbalance of power may exist ● Necessary for the performance of a contract (Amazon shopping suggestions) ● Necessary for compliance with a legal obligation (fraud prevention)
  33. 33. 33 Profiling 3- Can profiling be done legally? Yes! When: 2-There is a lawful basis for processing (Art. 6) ● Necessary to protect vital interests (epidemic prevention) ● Necessary for the performance of a task carried out in the public interest or exercise of official authority
  34. 34. 34 Profiling 3- Can profiling be done legally? Yes! When: 2-There is a lawful basis for processing (Art. 6) ● Necessary for the “legitimate interests” (See WP29 Guidelines) pursued by the controller or by a third party (Art. 6(1)(f)) → it does not apply automatically → balancing exercise required (detail of the profile, comprehensiveness of the profile, impact of the profiling, safeguards for fairness...)
  35. 35. 35 Profiling 3- Can profiling be done legally? Yes! When: 3- Ensures data subject rights 4- Prepares a DPIA (Art. 35(3)(a)): “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;”
  36. 36. 36 Profiling 3- Can profiling be done legally? Yes! When: 1-Data Protection Principles (Art. 5) are respected 2-There is a lawful basis for processing (Art. 6) 3- Ensures data subject rights 4- Prepares a DPIA (Art. 35(3)(a))
  37. 37. 37 We draw avery important conclusion here with a merely dark image behind it, so the text is white... Questions, comments? @DNBSevilla @edri diego.naranjo@edri.org

×