EU Data Protection Reform: Guidance on Profiling

On 13 May 2013, the European Data Protection Authorities, assembled in the Article 29 Data Protection Working Party, have adopted an "Advice Paper on Essential Elements of a Definition and a Provision on
Profiling within the EU General Data Protection Regulation" arguing for clear limits to profiling.

Risk and Reward of Profiling

Connecting personal data to create and use profiles has become an important challenge for individuals’ rights and freedoms. Profiling enables companies as well as public authorities to determine, analyze or predict peoples’ personality or aspects of their personality – especially their behaviour, interests and habits. Furthermore, people usually do not know that and to what extent they are being profiled.

Profiling has found its way into many areas of life, for example in the form of consumer profiles, movement profiles, user profiles and social profiles. Due to the widespread availability of personal data on the internet, the increasing possibilities of linking such data and the fact that technical devices operating on the basis of processing personal data pervade our everyday lives, profiling has become one of the biggest challenges to privacy.

Need for a Clearer Definition

The European Data Protection Authorities deem it necessary to include a clear definition on profiling into the General Data Protection Regulation and propose concrete wording based on the Council of Europe’s recommendation on profiling of 2010. In addition, the Working Party makes some proposals to improve Article 20 of the General Data Protection Regulation which is the provision on profiling:

• Broader Scope: The scope of the provision should be broadened in order to include the collection and creation of profiles as such.
• Transparency: The lack of transparency has to be repaired by guaranteeing additional information rights and a higher level of control for individuals.
• Accountability and responsibility of data controllers have to be strengthened by establishing specific safeguards to protect data subjects’ rights like an obligation to anonymise or pseudonymise personal data.
• A balanced approach taking the different categories of profiling and the different risks for the individual’s rights into account is necessary; the European Data Protection Board should play a strong role by issuing guidelines on the interpretation and application of provisions on profiling.

"Advice paper on essential elements of a definition and a provision on profiling within the EU General Data Protection Regulation" adopted on 13 May 2013 by the Article 29 Data Protection Working Party