• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy Blog

  • Home
  • Services
  • Events
  • Contacts

WP29 issues Guidelines on Automated Individual Decision-Making and Profiling in the GDPR

October 31, 2017 By Privacy & Data Security Team

On October 18, 2017, the Article 29 Working Party (the “WP29”) published Guidelines clarifying the new profiling and automated decision-making provisions of the General Data Protection Regulation (“GDPR”).  European Union regulatory authorities and the WP29 consider that technological developments that facilitate the creation of individual profiles, such as big data analytics, AI and machine learning, have created new risks to data protection.  As the majority of industries (insurance, marketing and finance, and even healthcare) already apply and use these new techniques today, the WP29 Guidelines are very much welcomed to help understand the applicable legal framework in the EU.

The first clarification in the Guidelines is the distinction between “profiling” and “automated decision-making”.  “Automated decision-making” concerns the scenario where a decision is purely based on automated processing techniques – in simple terms, this is processing carried out with no human intervention.  The decision must also have a legal or similarly “significant” effect.  For instance, a person who is imposed a speeding fine purely on the basis of results generated by speed cameras with number-plate recognition technology would be subject to automated decision-making.

“Profiling” on the other hand concerns (i) some sort of automated processing of personal data that (ii) allows companies to analyze personal aspects of a specific individual.  Essentially, profiling means you are analyzing an individual’s personal data with the aim of categorizing and/or predicting the characteristics or preferences of the individual.  The WP29 rightfully points out that profiling and automated decision-making can overlap, and the former could evolve into the latter.  Returning to our speeding ticket example, WP29 specifies that there would be profiling when, for instance, driving habits of individuals are analyzed over time and consequently used to decide on the amount of a specific person’s speeding ticket (e.g. was this driver involved in any recent traffic violations, is the driver a repeat offender, etc.).

In the GDPR, profiling is subject to a right “to object” (or opt-out), whereas the deployment of automated decision-making is subject to a principled prohibition. WP29 provided the following insights into understanding the scope of the legal provision applicable only to automated decision-making:

It confirms that “human intervention” must be interpreted as an intervention in the decision-making process by a person who is able to exercise a real influence over the decision (meaning he or she considers all input and data, and has the authority and competence to change the decision);

It – rather obscurely – elaborates on the residual category of “similarly significantly affecting an individual”, which in essence amounts to a case-by-case assessment.  To illustrate, some of WP29’s examples include the following: a customer of a credit card company who sees his credit card limit automatically reduced based on profiling (comparing him to customers who have similar spending habits) is deprived of specific opportunities based and is considered to be significantly affected. In the same way, targeted advertising is generally not considered to significantly affect individuals, except in specific situations. For example, targeted advertising where an individual is shown advertisements for online gambling based on particular vulnerabilities of the individual concerned, and as such could potentially incurs further debts for the individual, would be considered a similarly significant event.  In sum, it will be difficult for companies to determine with absolute certainty that their business falls under this provision;

WP29 provides the heavily discussed confirmation that the legal framework, as a rule, contains a prohibition by default on solely automated decision-making.  As such, it settles the discussions that started already in the context of Directive 95/46, which contained similar language on automated decision-making and which suggested the language in the provision could both imply a principled prohibition or a (more lenient) opt-out; and

It provides limited guidance that the prohibition on automated decision-making can only be lifted by three specific exceptions.  One example of permitted use of automated decision-making concerns solutions to prevent fraud and tax evasion, or to ensure the security and reliability of a service provided by the controller.  Automated decision-making will also still be allowed when companies obtain explicit consent from the individual(s).

In sum, questions still remain with regard to the specific scope of the legal frameworks, but the WP29 has recognized the need to clarify these provisions for businesses and has provided these Guidelines on specific aspects in response, which is a good start.

The new WP29 Guidelines are available here.

Alston & Bird is closely following significant developments in the fields of privacy, data protection and technology. For more information, contact Jan Dhont, Jim Harvey, or David Keating.

Filed Under: Behavioral Advertising, GDPR Tagged With: Behavioral Tracking, EU Data Protection, EU Privacy, EU Regulation, European Union (EU), GDPR, Regulatory Enforcement

Reader Interactions

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy & Data Security team and focuses on key data privacy and data security issues.


Countdown to CCPA Effective Date


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


PRIVACY MAILINGS
Click Here to Sign Up

FOLLOW US
on Twitter Click Here


Secondary Sidebar

Categories

Recent Posts

  • Alston & Bird Expands Privacy and Cybersecurity Capabilities with Former FTC Veteran
  • Treasury Announces Sanctions Against Cybercriminal Group Behind ‘Dridex’ Malware, Offering Mitigation Strategies for Businesses
  • Critical Audit Matters Disclosure Implicates Information Technology and Security
  • SHIELD Act Overhauls New York’s Data Breach Notification Framework
  • Alston & Bird Details 21 Potentially Significant Impacts from Draft CCPA Regulations
Copyright © 2019 · Alston & Bird · All Rights Reserved. Privacy.
This website uses cookies to improve functionality and performance. By continuing to browse this site, you are consenting to the use of cookies on this website. OkCookie policy