Author: Olivia Tambou

(4) ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

I. General overview

Profiling is a kind of processing usually trough algorithms aiming at predicting a person’s future conditions, decisions, or behaviour. Entirely absent from the DPD, the term ‘profiling’ is twenty-three times expressly mentioned in the GDPR.[1] Among these references, Art. 4 no. 4 GDPR provides for a harmonised definition[2] of profiling in EU law. This definition aims at clarifying the scope of such processing, which can involve specific risks for the data subject. Behind profiling, the GDPR attempts to address crucial issues related to potential misuses of Big Data leading to disproportionate surveillance and tracking, loss of self-determination of the individual with predictability technologies and new forms of discrimination due to scoring. Profiling could violate fundamental rights of the data subject, such as the right to private life (Art. 7 EU CFR), the right to the protection of personal data (Art. 8 EU CFR) or the right to non-discrimination (Art. 21 EU CFR). Furthermore, profiling, which is closely linked to Rouvroy’s “algorithmic governmentality”,[3] can prejudice human dignity, especially when algorithms are an integral part of decision-making processes in both the private and the public realm. The GDPR aims to establish an adequate legal regime tackling profiling-related risks.

  II. Legislative history

The definition of profiling was introduced by the Parl-R;[4] it was then subjected to minor amendments.

III.      The three elements of the EU-harmonised definition of profiling

A form of automated processing. Firstly, Art. 4 no. 4 GDPR describes profiling as a form of automated processing. This broad approach includes both solely automated processing (Art. 22 GDPR) and other kinds of automated processing with human involvement.[5] The concept of processing, as defined in Art. 4 no. 2 GDPR, applies to a set of operations or a single operation performed on personal data. Profiling may then be seen as a procedure, where personal data are processed and analysed via algorithms. Whereas the EU definition of profiling excludes manual processing of personal data, it does not clarify whether profiling always implies processing on a large scale. Art. 4 no. 4 GDPR does not detail the different stages and categories of profiling.[6]

A processing of personal data. Secondly, profiling is limited to the processing of personal data. In practice, the creation of profiles often requires combining non-personal data, such as statistical or anonymous data, with personal data. However, under the GPDR, the concept of profiling only applies, where the processing leads to direct or indirect identification of the data subject. This is the reason why profiling can be seen as an important dimension of the legal framework on artificial intelligence, which is under construction in the EU.

A purposive approach: evaluating personal aspects about an individual. The third feature seems to be the determinative factor distinguishing between profiling and other forms of processing. Profiling is about evaluating and, in particular, analysing or predicting personal dimensions. Analysing seems to be looking at the past and could be treated as “reactive profiling”;[7] whereas predicting appears future-looking and could be seen as “proactive profiling”. However, the boundaries seem blurred; for instance, behaviours predicted may be subject to analysis or analysis of past behaviours may be used to predict future patterns.

 

 

[…]

 

 

 

[1]In eight recitals (24, 60, 63, 70, 71, 72, 73, 91) and nine Articles (4, 13, 14, 15, 21, 22, 35, 47, 70).

[2]Before the GDPR, the Recommendation (2010) 13 of the Council of Europe had referred to the concept of profiling. See Council of Europe, ‘The protection of individuals with regard to automatic processing of personal data in the context of profiling’ (Recommendation CM/Rec (2010)13 and explanatory memorandum, Council of Europe Publishing 2011) <https://rm.coe.int/16807096c3> accessed 22 February 2021. See also Art. 3 no. 4 of the LED and Art. 3 no. 5 of the Regulation 2018/1725 on the protection of natural persons regarding the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data. For an analysis of profiling, see FRA, ‘Preventing unlawful profiling today and in the future: a guide’ (European Union Agency for Fundamental Rights 2018) <https://fra.europa.eu/sites/default/files/fra_uploads/fra-2018-preventing-unlawful-profiling-guide_en.pdf> accessed 22 February 2021.

[3]Rouvroy/Berns (2013). Algorithmic governmentality and prospects of emancipation: Disparateness as a precondition for individuation through relationships? Réseaux, 1(1), 163-196.

[4]Art. 4 no. 3a Parl-R: ‘‘profiling’ means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour’.

[5]Bygrave, ‘Arti. 4(4)’ in Kuner/Bygrave/Docksey, 127, p. 130.

[6]For example, the Council of Europe has proposed the following categories: ‘Profiling in a precontractual context’ (for instance, profiling for advertising purposes or dynamic pricing profiling, profiling for selecting customers or employees); ‘Profiling in the context of contract performance’ (e.g. evaluation of the performance of a bank customer); ‘Profiling carried out by public authorities’ (except police and judicial authorities responsible for prosecuting criminal offences). See Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Convention 108, ‘Profiling and Convention 108+: Report on developments after the adoption of Recommendation (2010)13 on profiling’ (T-PD (2019)07rev, Council of Europe 2019), pp. 46-49 <http://www.crid.be/pdf/public/8546.pdf> accessed 22 February 2021.

[7]Ibid, p. 21.