Clients who carry out profiling on their databases of customer data are asking the question: do we need to get consent for profiling? Read on to find out.
The first question to ask: What is “profiling” under GDPR?
Here is the GDPR definition of profiling:
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (Art 4(4)).
In short, profiling refers to using someone’s personal information in order to build up a picture of the type of person they are and the way they behave – whether for analytics reporting (e.g. “55% of the visitors to our website are male, in the 25-34 age bracket”), for some kind of evaluation (e.g. “This individual presents a low risk of defaulting on a loan”), or for targeting purposes (“Serve this ad to an audience of men aged between 35 – 44 and interested in sports”).
Next, let’s look at the difference between “profiling” and “automated decisions” – this is important
One word that is absent from the definition of profiling is “decision”. It’s important to distinguish between profiling and automated decision-making, to work out whether consent is needed before carrying out profiling.
To add complexity, the GDPR blurs the lines between the two concepts of “profiling” and “automated decision making” at Art 22 when it says that:
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”.
Art 22 then goes on to say that this restriction against automated decisions does not apply if the individual has given “explicit consent” (amongst other grounds).
There you go: having “profiling” and “consent” in the same Article surely means that profiling requires consent, right?
Wrong – and here’s why:
1) First off, the Art 22 restriction applies to automated decision-making, not profiling per se. A controller might use an individual’s profile in order to make an automated decision, but profiling is not in and of itself an automated decision. Remember the word “decision” does not appear once in the definition of profiling. To give a real-world example, I might look at someone’s credit profile to decide whether or not to advance them a loan: the ‘decision’ here is whether or not to make the loan; the individual’s profile is what I use to inform that decision.
2) Building on that point, Art 22 restricts automated decision-making “based solely on automated processing, including profiling”. The words “including profiling” here relate solely to the concept of “automated processing” – profiling is an example of “automated processing”, not of “automated decision-making”.
3) Recital 71 makes this distinction slightly clearer, noting that “The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her… Such processing includes ‘profiling’”. Once again, note the distinction between the “decision” and the “processing” (profiling).
4) In the original version of GDPR, the profiling article said:
“Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour.”
Again, the focus here was on the “measures” produced by profiling, not the profiling itself.
A further draft of the GDPR stated:
“The processing of personal data for the purposes of profiling, including in relation to the offering of electronic information and communication services, shall only be lawful if” based on consent or one of the other proposed lawful grounds.
The final version of the GDPR was ultimately closer to the Commission’s initial proposal; namely, that profiling itself is not restricted, only automated decisions based on automated processing – with profiling being one example of automated processing.
5) Whatever your personal view on profiling, from a legal perspective it’s very hard to evidence that profiling in the context of, say, online advertising or analytics has a “significant” or “legal” effect on any individual.
6) Looking finally at Article 21, this gives individuals the right to object to processing of their personal data which is based on public interests grounds (under Art 6(1)(e)) or legitimate interests grounds (under Art 6(1)(f)) and expressly refers to “profiling based on those provisions”. This is an express acknowledgement, directly within the operative provisions of the GDPR, that profiling can be based upon these non-consent-based processing grounds – establishing objectively and definitively that, as a matter of law, consent is not required for all profiling.
Why does this matter?
Ultimately, what this means is that, if you are carrying out profiling activities, don’t assume that consent is always required.
Consent will generally be required only if:
1. you conduct profiling using an individual’s sensitive personal data (such as health, racial or other sensitive data); or
2. you conduct profiling that results in automated decision-making (i.e. no human review element in the decision-making) and:
• that decision-making results in a legal or significant effect on the individual (which by way of example includes: “automatic refusal of an online credit application or e-recruiting practices without any human intervention”); and
• no other legitimising ground applies under Art 22(2) (such as necessity to enter a contract or authorisation under EU or Member State law).
In all other cases, data controllers can potentially justify their profiling activities on non-consent-based grounds, such as legitimate interests under Art 6(1)(f) of the GDPR.
Remember, you’ll always have to take into account the nature, scope, context and purposes of the processing, including the transparency measures taken towards the individual, the potential privacy intrusions towards him or her, and his or her ability to decline (opt out of) profiling. However, consent isn’t necessarily the be-all and end-all for profiling activities.
It requires some thought and analysis. Get in touch if you’re likely to be profiling, and we can help you go through the thought process.