Profiling and Automated Decision-Making Under GDPR (Understanding The Data Protection Requirements)

What is profiling under GDPR?

What is automated decision-making under GDPR and is it the same thing as profiling?

What are the rights and obligations associated with profiling and automated decision-making activities under GDPR?

In this article, we will break down the concept of profiling as defined under GDPR along with automated decision-making.

Are you ready?

Let’s get started!

What is profiling under GDPR?

Article 4 GDPR defines profiling as follows:

“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”

The definition of profiling under GDPR comprises the following aspects:

  1. Any form of automated processing
  2. Personal data
  3. To evaluate certain personal aspects
  4. Natural person
  5. Analyze or predict

As defined under GDPR, profiling relates to an automated data processing operation used to make decisions or predictions about individuals.

Automated processing

The definition of profiling refers to any form of automated processing activities intended to evaluate certain personal aspects of an individual.

As a result, profiling can be done either with the sole use of technological means or partly using technological means.

The notion of any form of automated processing allows for a larger interpretation of the automated processing activities.

Personal data

Profiling must necessarily involve personal data.

Data is considered personal when it is linked directly to an identifiable individual.

In other cases, several pieces of data that are not personal on their own can become personal data when they are combined with one another.

When data is processed through automated means but no person can be identified from it, the personal data aspect of the profiling definition is not satisfied.

For a processing activity to be considered as profiling, the data (or combination of data) processed must allow the identification of an individual or result in a possible identification of an individual.

To evaluate certain personal aspects

The personal aspects can be any type of information inferred about a person.

It can be objective aspects or even subjective aspects of a person.

To evaluate a personal aspect is to assess a characteristic of a person, or a particular behaviour exhibited by the person, in order to classify them in a group, analyze them or predict future outcomes.

Natural person

The GDPR profiling definition targets personal data of natural persons.

Legal persons such as companies and organizations do not fall under the definition of profiling.

Analyze or predict

The last component of the profiling definition under GDPR is that profiling is performed to analyze the data subjects or to predict something about them.

For example, many industries perform profiling activities such as in the finance, healthcare, marketing and advertising spaces.

Using artificial intelligence and advanced technologies, significant volumes of data can be analyzed to predict future outcomes or make the most ‘optimal’ decision.

When personal data is processed using any form of automated means to analyze or predict aspects of a person, the definition of profiling under GDPR is triggered.

You will then need to assess the consequences of your profiling activities in accordance with the obligations set out in GDPR.

Now, what is the difference between profiling and automated decision-making?

What is automated decision-making under GDPR?

Automated decision-making is the actual process of using technology to make decisions about a person.

While profiling is the process of evaluating aspects about a person, automated decision-making is the process of making decisions about the individual using technological means and without the involvement of a human.

You can have a variety of profiling and automated decision-making scenarios such as:

  1. Automated decision-making with profiling
  2. Automated decision-making without profiling
  3. Profiling without automated decision-making

The concepts of profiling and automated decision-making are closely related but have a different scope and different objectives.

What are the data subject rights related to profiling and automatic decision-making under GDPR?

Article 22 GDPR defines the data subject’s rights with respect to profiling and automated decision-making as follows:

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

The data subject’s right related to profiling and automated decision-making comprises two aspects:

  1. Decisions based solely on automated processing
  2. Which produces legal effects or significantly affects the data subject

Based on this article, data subjects can exercise their right against data controllers to have them cease any data processing activities involving them that are based on decisions made solely on automated processing.

The general rule under GDPR is that a fully automated processing of personal data that may include profiling to make decisions about data subjects is prohibited.

Although Article 22 of GDPR is worded as a data subject right, the interpretation of this article, read together with Recital 71 of GDPR, suggests rather that Article 22 imposes a prohibition on fully automated decision-making processes.

Recital 71 of GDPR states:

“However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent.”

Recital 71 states that decision-making processes, including profiling, should be allowed where expressly authorized by Union or Member State law.

By way of interpretation, you can conclude that if such decision-making is not expressly allowed, then it is prohibited.

Decisions based solely on automated processing

When a decision is based solely on automated processing, it means that, based on the data processed, a machine or computer determined the consequence, outcome or decision relating to a person.

For example, if a person completes an online questionnaire and is approved for credit or is rejected for credit, that is a process where a decision was based solely on automated processing of personal data.

At no point in time was there a human to validate the decision of the machine or interfere with the outcome.

Producing legal effects or significant effects on the data subject

For the prohibition to kick in, a decision, solely made by a machine, must produce legal effects on a person or produce significant effects on a person.

GDPR does not define legal effects or significant effects, so every case should be assessed based on its circumstances.

One thing is for sure, when GDPR says that the decision must produce legal effects or significant effects, the outcome of the decision must be serious.

For example, you can have a scenario where a person’s contract is cancelled, or where a person is denied something, based on a purely automated decision-making process.

Also, for a decision to have a significant impact on a person, the outcome of the decision may affect the choices given to the person or their behaviour, either temporarily or permanently.

For example, a person may be charged a higher amount of money for the same product or service purely based on their personal characteristics.

This is a situation where an automated decision-making process may significantly impact a person.

When can a company do profiling or make automated decisions?

Article 22 GDPR provides for the very specific scenarios in which organizations can conduct profiling activities and make decisions about data subjects solely using automated means.

The exceptions are for the following situations:

  1. “is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  3. is based on the data subject’s explicit consent.”

When a company can demonstrate that it uses technology as a means of entering into a contract with a data subject, or of performing its obligations under a contract with a data subject, then it can benefit from the first exemption.

The other exemption relates to specific instances that may be authorized by the law of an EU member country such as to prevent fraud or for tax purposes.

The third exemption is when the data subject has given explicit consent.

For consent to be explicit, it must be a freely given, specific, informed and unambiguous statement or action by the data subject demonstrating his or her acceptance or rejection of the data processing operation.

Takeaways

Profiling and automated decision-making are closely related to one another but mean different things.

For a processing operation to be considered as profiling under GDPR, we need to find the following components:

  1. Any form of automated processing
  2. Personal data
  3. To evaluate certain personal aspects
  4. Natural person
  5. Analyze or predict

As defined under GDPR, profiling relates to an automated data processing operation used to make decisions or predictions about individuals.

For a data processing operation to be considered as automated decision-making as defined under Article 22 of GDPR, we must find the following components:

  1. Decisions
  2. Based solely on automated processing
  3. Producing legal effects or significantly affecting the data subject

Automated decision-making is the actual process of using technology to make decisions about a person.

You can have a variety of profiling and automated decision-making scenarios such as:

  1. Automated decision-making with profiling
  2. Automated decision-making without profiling
  3. Profiling without automated decision-making

Generally speaking, GDPR prohibits decision-making based solely on automated means, which may include profiling, where it produces legal or similarly significant effects on the data subject.

There are some specific exceptions to this prohibition.

For example, a company having received explicit consent from a data subject may solely use automated means to make decisions about a data subject.

Every company must consider its data processing activities and evaluate to what extent there is a human decision-making process.

If important decisions are made about data subjects without the intervention of a human, then organizations should closely analyze their obligations under GDPR to ensure that they remain in compliance with the law.

Editorial Staff
Hello Nation! I'm a lawyer by trade and an entrepreneur by spirit. I specialize in law, business, marketing, and technology (and love it!). I'm an expert SEO and content marketer where I deeply enjoy writing content in highly competitive fields. On this blog, I share my experiences, knowledge, and provide you with golden nuggets of useful information. Enjoy!
