Profiling under General Data Protection Regulation (GDPR): Stricter Regime?

While “profiling”, as an automated individual decision-making process, is not expressly mentioned in the current Directive 95/46[1], it appears 22 times in the GDPR. Under Article 4(4) and Recital 71 of the Regulation, ‘profiling’ means “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

The Regulation’s marked attention to “profiling”, rather than to other forms of automated individual decision-making, can be explained on the one hand by the fact that profiling is now the core practice of online business models based on direct marketing[2], and on the other hand by the fact that profiling increases the risk to personal data protection and may ultimately result in discrimination against natural persons. This risk is particularly high where data controllers[3] use different profiling methods, including Big Data on a large scale, to build ever more detailed user profiles in the hope of increasing the click-through rate (CTR) and, ultimately, profits. In this regard, as stated in Recital 72 of the Regulation, profiling is subject to the rules of the GDPR governing the processing of personal data, such as the legal grounds for processing and the data protection principles.

Moreover, profiling-based decisions can be restricted by the data subject’s right not to be subject to a decision based solely on automated processing which produces legal effects concerning him or her or similarly significantly affects him or her.[4] The main purpose of this right is the concern that human beings could be controlled by decisions made 100% by machines. Furthermore, for purely machine-based decisions, it would be difficult to determine liability or responsibility for unjustified adverse legal effects[5], given the lack of human intervention.

When profiling-based decisions relate to direct marketing, the data subject “should have the right to object to such processing whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.”[6]

However, this right is not absolute and is subject to three exceptions under the Regulation, which has also taken the interests of the data controller into account. Under these exceptions, the data subject cannot rely on this right when a decision based solely on automated processing is necessary for entering into, or the performance of, a contract between the data subject and a controller[7], is authorised by applicable law[8], or is based on the explicit consent of the data subject[9]. However, these three exceptions must be accompanied by suitable measures to safeguard the data subject’s rights and freedoms. These measures should include “specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.”[10]

According to Recital 71, to ensure fair and transparent processing, the specific circumstances and context of the processing must be taken into account. The controller should use appropriate mathematical or statistical procedures for the profiling and implement technical and organisational measures appropriate to ensure the accuracy, quality and security of personal data. Given the potential risk related to profiling, it shall be subject to a data protection impact assessment.[11]

Except for profiling authorised by law, the two other exceptions seem to have a limited scope of application. Indeed, cases in which a profiling-based decision is necessary for entering into or the performance of a contract between the data subject and a controller are not frequent. In the case of the data subject’s “consent” in particular, the strict “conditions for consent” must be fulfilled under the Regulation[12]. Article 4(11) GDPR defines “consent” as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. More specifically, the condition that consent be “freely given”[13] implies that consent given where there is an imbalance of power between the parties cannot be accepted as freely given. In addition, consent must be collected prior to the processing. Furthermore, under the conditions for consent, where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.[14] Moreover, since “explicit consent” is expected, the burden of proof in the case of an objection by the data subject lies with the controller.

Throughout the Regulation, “explicit consent” is required only for the processing of special categories of data[15] under Article 9 GDPR and for automated individual decision-making. This shows the Regulation’s intention to give more protection to the data subject and to impose stricter conditions on automated decisions, including profiling.

The nature of the right “not to be subject to an automated-based decision”:

A non-absolute prohibition of automated decisions?

According to Recital 71 GDPR, automated individual decisions “should be allowed” in the three cases listed in Article 22(2). This wording implies that these three cases are the sole legal grounds for such automated decisions.

However, compared with the prohibition on processing special categories of data under Article 9, the wording of Article 21 is different. While under the former, the processing of special categories of personal data is explicitly prohibited by a statutory provision[16], under Article 22(1) the data subject merely “shall have the right not to be subject to a decision based solely on automated processing, including profiling.” Relying on this wording alone for interpretation would not lead to the same conclusion as that reached with the help of Recital 71.

If this right is treated as a non-absolute prohibition, then compared with the general legal grounds for processing under Article 6 GDPR, the legal grounds under Article 22 are more limited: they can be summed up as a need for “explicit consent” or a legal requirement. There is thus no reference to the “legitimate interest of the controller”, which implies that this ground would not be a safe legal basis for automated decisions, including profiling.

A special form of opt-out?

Generally, as one of the conditions for consent, the data subject has a general right to opt out once he or she has given consent as the legal basis for processing. This right to opt out expressly means that the “data subject shall have the right to withdraw his or her consent at any time”[17]. In this regard, not only does the withdrawal of consent not affect the lawfulness of processing based on consent before its withdrawal, but this opt-out also does not necessarily end the processing, as long as the data controller can find another legal ground under Article 6 GDPR to legitimise the processing.

Leaving Recital 71 aside, we could regard the right “not to be subject to an automated decision” as a special form of opt-out[18], under which automated decision-making may be carried out by or on behalf of a controller on any of the legal grounds for processing, including the legitimate interest of the data controller, unless the data subject[19] disagrees with the processing and wishes to exercise his or her right “not to be subject to automated decisions”, in which case the data subject can no longer be the subject of the decision. In this reading, the opt-out must necessarily be regarded as the end of the processing.

In our view, the right not to be subject to an automated decision is more a special form of opt-out than a non-absolute prohibition of automated decisions.

Exercise of the right by the data subject

From the data subject’s perspective, enjoying this right appears somewhat challenging. First of all, the preliminary condition for exercising this right is that the data subject must be informed of the existence of such automated decisions. According to the Regulation, “the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes.”[20] The Regulation places a general information obligation on the data controller, under which the data subject must be informed prior to giving consent[21]. Moreover, as mentioned above, the data subject has a right to specific information. Thus, regardless of whether the data have been obtained from the data subject or not, “the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the purpose and the significance and the envisaged consequences of such processing for the data subject”[22] must be provided to the data subject. However, the implementation of this obligation in practice remains a matter of concern.

Moreover, the data subject must demonstrate that such a decision, based solely on automated individual decision-making, has produced legal effects concerning him or her or similarly significantly affects him or her. The term “significantly” remains open to further interpretation.

[1] It is covered under “automated individual decision-making”: Article 15 Directive 95/46.

[2] Behavioural marketing, on the basis of which targeted advertising matching the user’s needs is served to him or her.

[3] Especially online advertising providers and other intermediary companies in direct marketing.

[4] Article 22(1) GDPR; Article 15(1) Directive 95/46.

[5] Recital 71 GDPR: “(…) automatic refusal of an online credit application or e-recruiting practices without any human intervention.”

[6] Recital 70 GDPR.

[7] Article 22(2)(a) GDPR; Article 15(2)(a) Directive 95/46.

[8] I.e. by Union or Member State law to which the controller is subject: Article 22(2)(b) GDPR; Article 15(2)(b) Directive 95/46. E.g. “fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller.” (Recital 71).

[9] Article 22(2)(c) GDPR, new under the Regulation.

[10] Recital 71 GDPR.

[11] Article 35(3)(a) GDPR.

[12] Article 4(11), Articles 7 and 8 GDPR.

[13] Article 7(4) GDPR.

[14] Article 7(1) GDPR.

[15] Special categories of data (sensitive data) cannot be subject to such automated decisions unless based on either the explicit consent of the data subject or the public interest necessity of the processing.

[16] Article 9(1) GDPR: “(…) shall be prohibited (…)”.

[17] Article 7(3) GDPR.

[18] Subject to the three conditions stated in Article 22(2).

[19] Who is informed of the existence of this decision, since the decision has affected him or her legally or significantly.

[20] Recital 60 GDPR.

[21] Articles 7(3), 13 and 14 GDPR.

[22] Recital 60, Article 13(2)(f), Article 14(2)(g) GDPR; right of access: Article 15 GDPR.

DPOINFO-AVOCATS (DIA) advises you on any question relating to profiling.
