Diego Naranjo (EDRi) - Profiling: data subject rights, legal grounds

Access the slides now: http://edri.org/diego/

2
European Digital Rights (EDRi) is an association of civil and
human rights organisations from across Europe.
We defend rights and freedoms in the digital environment.

3
EU Rules on Data Protection & Privacy
Existing legislation:
● Data Protection Directive (1995)
● ePrivacy Directive (2002)
To be replaced respectively by
● General Data Protection Regulation –
GDPR (adopted in 2016, in force from May
2018)
● ePrivacy Regulation proposal (ongoing,
expected for 2018)

5
Profiling
1- Profiling: “Personalised” experiences and
discrimination
2- Profiling and automated-decision making in
the GDPR: Rights of individuals
3- Can profiling be done legally?

6
Profiling
1- Profiling: Algorithms and public policies
Algorithm is the new
magic potion:
– Predictive policing
(UK)
– Credit score
– Social services
applications (Poland)
– Illegal content
– Copyright
infringements

7
Profiling
1- Profiling: Algorithms and private policies

8
Profiling
1- Profiling: Access to social services
● Non-transparent rules of distributing public
services
● Algorithm no more efficient than the office
worker
● The new system of distributing labor
market programs, instead ofincreasing
efficiency, has led to the limitation of available
options and even exclusion from access to
such services.
● System based on the presumption of guilt:
Unemployment = not motivated to work

9
Profiling
2- Profiling: Profiling and automated-decision
making in the GDPR: Definitions and Rights
of individuals
a– Definition of profiling and automated
decision-making
b– General provisions on profiling and
automated decision making
c– Specific provisions on automated decision
making
d– Rights of the data subject

10
Profiling
making in the GDPR: Definitions and Rights of
individuals
a– Definition of profiling and automated decision-
making
Art. 4.4 GDPR
Profiling is composed of three elements:
● It is an automated form of processing
● It has to be carried out on personal data; and
● The objecive of the profiling must be to evaluate
personal aspects about a natural person
Note: Article 4(4) refers to any form of profiling, not
“solely” automated processing which is Article 22
GDPR
→ Human involvement does not take the processing
out of the protections

11
Profiling
individuals
a– Definition of profiling and automated
decision-making
Goals of the provisions on profiling in the GDPR
● transparency and fairness safeguards;
● increased accountability obligations;
● specified legal bases for the processing;
● rights for individuals to oppose profiling; and
● if certain conditions are met, a need to carry out a
data protection impact assessment.

12
Profiling
individuals
making
Art. 4.4 GDPR
Profiling is composed of three elements:
● It is an automated form of processing
● It has to be carried out on personal data; and
● The objecive of the profiling must be to evaluate
personal aspects about a natural person
Note: Article 4(4) refers to any form of profiling, not
“solely” automated processing which is Article 22
GDPR
→ Human involvement does not take the processing
out of the protections

13
Profiling
individuals
making
What does the definition mean? 1/2
Profiling as a “procedure which may involve a series of
statistical deductions”→ Therefore “simply assessing or
classifying individuals based on characteristics such as
their age, sex, and height could be considered
profiling, regardless of any predictive purpose”
(WP29 guidelines)

14
Profiling
individuals
making
What does the definition mean? 2/2
Inferences are usually done about how an
individual or group of individuals) can be placed
under a certain category. For example:
● Likely to incurr in certain behavior (driving
patterns for insurance companies)
● Interests (gender, political and other info for
advertisers on social platforms)
● Analysis of a past behaviour (algorithms deciding
about workers’ performance)

15
Profiling
individuals
Automated decision making
Automated-decision making is the ability to decide
using technological means.
Automated-decision making can lead to profiling
practices or not
Example: Random assignment of seats in a
theater → Can be just auomated, or you could get
better seats according to the asiduity you attend
expensive plays, your membership card
ownsership...

16
Profiling
individuals
How can profiling be used?
● Profiling
● Decision-making based on profiling
● Solely automated decision making,
including profiling (Art. 22)

17
Profiling
individuals
How can profiling be used?
Difference between:
● Decision-making based on profiling
–> a bank officer decides to agree to
a mortgage for a customer
● Solely automated decision making,
including profiling (Art. 22)
→ a machine decides this
authomatically

18
Profiling
individuals
Automated decision-making
● General prohibition on fully automated decision-
making, including profiling that has a legal or
similarly significant effect
● However, as any rule it has some exceptions
● Measures need to be put in place to safeguards
individuals’ rights and freedoms and legitimate
interests (recital 71)

19
Profiling
individuals
What does “legal” or “similarly significantly
effects him or her” mean?
● Legal effects: Social benefits, border crossing,
targeted surveillance or increased security
checks, breach of contracts…
● Similarly significantly effects him or her: Recital
71 mentions examples: credit applcations, e-
recruiting practices….

20
Profiling
individuals
Key aspect to ascertain if it “similarly
significantly effects him or her”:
● It must be sufficiently great to be worthy of
attention
● It must influence the circumstances, behaviour
or choices of the individials concerned
● Extreme: exclusion or discrimination

21
Profiling
individuals
Automated decision-making:
online advertising
Privacy International: “Targeted advertising has
the potential of exclusion or discrimination of
individuals”
→ 2015 Carnegie Mellon University research:
Google advertising showed ads for high-income
jobs to me more than to women

22
Profiling
individuals
Rights of the Data Subject
1- Right to be informed (Art. 13(2) and 14(2)
(g)
Controllers must:
● Tell the data subject that they are engaging in
automated-decision making and/or profiling
● Explain what is the logic behind the
algorithm/process
● Explain which are consequences expected from
such processing

23
Profiling
individuals
(g)
Meaningul information about the “logic
involved”
● Information provided by the individual
● Information about previous conducts taken into
consideratin (delay paying a monthly statement)
● Official public records (insolvency)

24
Profiling
individuals
(g)
“Significance” and “envisaged
consequences”
Example: monitoring purchase behavior in an
online platform to propose “premium” accounts
to users that engage in impulsive shopping

25
Profiling
individuals
2- Right of Access (Art. 15(1)(h)
Right to access the personal data in the context
of automated decision-making and profiling,
including the logic behind the practices and
significance and envisaged consquences

26
Profiling
individuals
3- Right not to be subject to a decision
based solely no automated decision-making
(Art. 22)
Even if Art. 22(2) provides exceptions to allow
automated decision-making, Art. 22(3) allows to
“obtain human intervention on the part of the
controller to express his or her point of view and
to contest de decision”

27
Profiling
individuals
4- Right to rectification (Art.16), Right to
erasure (Art. 17) and Right to restriction of
processing (Art. 18)
● WP29: Right to restriction of processing applies
to all stages of the profiling process

28
Profiling
individuals
● WP9: Right to rectification and right to erasure
applies to both “input” and “output”: Right to add
aditional information in order to correct an
algorithm concluding likelyhood to have a car
accident in the first two years after acquiring
driving license

29
Profiling
individuals
● WP29: Right to restriction of processing applies
to all stages of the profiling process

30
Profiling
individuals
5- Right to object (Art. 21)
● The data subject has the right to object unless
the cotroller “demonstrates compelling
legitimate grounds” (????) which overrides
the interests of the data subject
● But! Absolute right to object to direct
marketing processing activities

31
Profiling
Yes! When:
1-Data Protection Principles (Art. 5) are
respected
● Lawful, fair and transparent processing
● Further process and purpose limitation
● Data minimisatoin
● Accuracy
● Storage limitation

32
Profiling
Yes! When:
2-There is a lawful basis for processing (Art.
6)
● Consent → See WP29 guidelines for consent.
User needs to have a real choice and no
imbalance of power may exist
● Necessary for the performance of a contract
(Amazon shopping suggestions)
● Necessary for compliance with a legal
obligation (fraud prevention)

33
Profiling
Yes! When:
6)
● Necessary to protect vital interests (epidemic
prevention)
● Necessary for the performance of a task
carried out in the public interest or exercise of
official authority

34
Profiling
Yes! When:
6)
● Necessary for the “legitimate interests” (See
WP29 Guidelines) pursued by the controller
or by a third party (Art. 6(1)(f))
→ it does not apply automatically
→ balancing exercise required (detail of the
profile, comprehensiveness of the profile, impact
of the profiling, safeguards for fairness...)

35
Profiling
Yes! When:
3- Ensures data subject rights
4- Prepares a DPIA (Art. 35(3)(a)):
“a systematic and extensive evaluation of
personal aspects relating to natural persons
which is based on automated processing,
including profiling, and on which decisions are
based that produce legal effects concerning the
natural person or similarly significantly affect the
natural person;”

36
Profiling
Yes! When:
1-Data Protection Principles (Art. 5) are
respected
6)
3- Ensures data subject rights
4- Prepares a DPIA (Art. 35(3)(a))

37
We draw avery important
conclusion here with a merely
dark image behind it, so the text
is white...
Questions, comments?
@DNBSevilla
@edri
diego.naranjo@edri.org

Diego Naranjo (EDRi) - Profiling: data subject rights, legal grounds

Diego Naranjo (EDRi) - Profiling: data subject rights, legal grounds

Recommended

More Related Content

Recently uploaded

Recently uploaded(7)

Featured

Featured(20)

Diego Naranjo (EDRi) - Profiling: data subject rights, legal grounds