Profiling/Data Portability and GDPR

Updated: Apr 13


In a previous article, we discussed data subjects' rights of access and rectification under the European Union’s GDPR. Let us now talk about another aspect of the GDPR: data portability and profiling, which is a form of automated decision-making.


With regard to profiling, the GDPR’s Article 22 is devoted to automated individual decision-making, which includes profiling. The article states that:


THE DATA SUBJECT SHALL HAVE THE RIGHT NOT TO BE SUBJECT TO A DECISION BASED SOLELY ON AUTOMATED PROCESSING, INCLUDING PROFILING, WHICH PRODUCES LEGAL EFFECTS… OR SIMILARLY SIGNIFICANT EFFECTS.


Strict as it is, the prohibition on automated decision-making is even stricter where children are concerned.

Before we dive deeper into profiling, let us first define it. Profiling is the automated processing of personal data to be used for evaluation, analysis, and prediction of the personal aspects of an individual. Examples of behavioural profiling include web cookies, adware, web and, even digital fingerprints.


For companies that are worried about how this can affect the productivity of their business, the rules have exceptions that allow business organizations to conduct profiling. Businesses can conduct profiling legally with the consent given by data subjects. But even then, the controller has to ensure that human intervention is available at any given time. Furthermore, data subjects should be able to express their point of view on the matter and should be allowed to contest the decision.


The exception also applies when the profiling is done to meet the terms of a contract, for example when a company needs to profile a potential customer’s insurance and/or credit risk to avoid accepting fraudulent accounts. Again, controllers have to make sure that data subjects always have the right to intervene in or oppose the decision. The law of the European Union or of a Member State can also give permission for companies to perform business profiling.


Now let us proceed to data portability. The right to data portability is covered under the first paragraph of Article 29 of the GDPR, which states:


THE DATA SUBJECT SHALL HAVE THE RIGHT TO RECEIVE THE PERSONAL DATA CONCERNING HIM OR HER, WHICH HE OR SHE HAS PROVIDED TO A CONTROLLER, IN A STRUCTURED, COMMONLY USED AND MACHINE-READABLE FORMAT AND HAVE THE RIGHT TO TRANSMIT THOSE DATA TO ANOTHER CONTROLLER WITHOUT HINDRANCE FROM THE CONTROLLER TO WHICH THE PERSONAL DATA HAVE BEEN PROVIDED […]


The second paragraph of Article 20 elaborates further that data subjects have the freedom to allow their data to be transferred from one controller to another. The processing cannot, however, be allowed if it is done for the benefit of the public interest. This is because data portability, although it is allowed to individual data subjects, is forbidden when another person’s rights will be affected and/or suppressed.


The Article 29 Working Party, also known as the WP-29, provided guidelines on the matter. On April 5, 2017, the WP-29 finalized the guidelines on data portability under the General Data Protection Regulation. The guidelines implied that the right to data portability goes well beyond the data willingly provided to a controller. It also includes data generated through a data subject’s activity, such as their heartbeat, number of steps recorded by a step tracker, internet history, and traffic or location data.


The European Commission, however, contested the perspective of the Article 29 Working Party regarding data portability. Although the guidelines provided by the WP-29 are wholly beneficial to data subjects, the main dilemma is for the companies, which could face large penalties due to the complex requirements for compliance.


It cannot be emphasized enough that the main goal of the GDPR is to protect the rights of data subjects and to give them power over their personal data, which includes profiling and the right to data portability.


© 2018 - 2020 GDPR Community Ltd
