Privacy & Information Security Law Blog

On May 13, 2013, the Article 29 Working Party (the “Working Party”) adopted an Advice Paper on profiling (the “Advice Paper”). The Advice Paper serves as the national data protection authorities’ contribution to the ongoing legislative debate before the European Parliament and the Council of the European Union on the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

The Advice Paper sets forth the Working Party’s position that the Proposed Regulation should include a clear definition on profiling as “any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person’s health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements.”

In addition, the Advice Paper proposes to broaden the scope of Article 20 of the Proposed Regulation on measures based on profiling to cover the collection of personal data for profiling purposes and the creation of profiles. The Working Party welcomes the proposal made by Jan Philipp Albrecht, lead rapporteur of European Parliament’s Committee on Civil Liberties, Justice and Home Affairs with respect to this issue.

The Advice Paper also proposes to include in Article 20 of the Proposed Regulation the following additional elements in order to mitigate the privacy risks for individuals:

• Additional disclosure requirements for data controllers, including disclosing to individuals that personal data will be used for profiling, the purposes for which the profiling is carried out and the logic involved in the automatic processing; and
• Additional accountability obligations for data controllers; in particular, the obligation to adopt suitable safeguards, such as “the usage of data protection friendly technologies and standard default settings,” as well as “specific measures for data minimization, including obligations or incentives for data controllers for anonymization or pseudonymization in the context of profiling, and data security and human intervention in defined cases.”

According to the Working Party, Article 20 of the Proposed Regulation and the additional elements listed above should only apply to the extent profiling “significantly affects” the interests, rights or freedom of individuals. In the Working Party’s view, the European Data Protection Board should be empowered to issue guidelines on what the phrase “significantly affect” means and, more generally, Article 20 in its entirety.