Plans unveiled by the European Commission to empower individuals to object to businesses creating profiles about them should be strengthened, the Article 29 Working Party said. However, those rules should only apply in cases where individuals' rights are significantly affected, it said.
The Working Party, a committee made up of representatives from each EU national data protection authority, said that the body that is due to replace it as the pre-eminent data protection watchdog in the EU – the European Data Protection Board – should be tasked with issuing guidelines that explain what 'significantly affect' means in practice.
"The Working Party therefore supports an approach ... which covers profiling or measures based on it to the extent only that they significantly affect the interests, rights or freedoms of the data subject," the Working Party said in a new paper it has published. "Where profiling does not significantly affect the interests, rights or freedoms of the data subject, [rules setting out individuals' right to object to profiling] does not apply and the lawfulness of processing is to be assessed in the light of the other provisions of the [General Data Protection] Regulation."
In January 2012 the European Commission unveiled plans to overhaul the current data protection law framework in the EU. It proposed the creation of a General Data Protection Regulation that would apply across the trading bloc, which it said would help improve the consistency of how EU data protection laws are currently applied by member states.
Under the Commission's plans individuals would have a general right "not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour" unless they consent to the profiling activity and subject to other "suitable safeguards".
Individuals could legitimately be subject to such profiling by businesses without their consent where the activity is "carried out in the course of the entering into, or performance of, a contract", subject to certain conditions, or where other EU or national laws permit the activity providing "suitable measures to safeguard the data subject's legitimate interests" are in place, under the Commission's plans.
The Working Party said that although "clear rules on the lawfulness and on the conditions for the processing of personal data in the context of profiling" should be set out in the final Regulation, the new framework should "leave a reasonable degree of discretion to assess the actual effects – positive and negative – and the degree of intrusiveness of a specific processing type or measures on data subjects".
The Working Party said it supported the legal grounds proposed by the Commission for personal data processing to take place for profiling purposes. It said in particular that it supported the idea that individuals' "explicit consent" should be required to be obtained by firms in order to build profiles about those people.
However, the watchdog said it wanted to introduce "additional elements" into the Regulation "in order to provide for a balanced approach on profiling and mitigate the risks for data subjects".
In cases where profiling would 'significantly affect' individuals' rights, the Commission said individuals should have a statutory right to "access, to modify or to delete the profile information attributed to them" that is held by businesses "and to refuse any measure or decision based on it or have any measure or decision reconsidered with the safeguard of human intervention", it said.
Businesses should also be required to provide information to consumers that explains that their personal data will be "used in the context of profiling", and which also outlines "the purposes for which the profiling is carried out and the logic involved in the automatic processing", the watchdog said.
The reformed data protection framework should also require firms to be more responsible and accountable in their "usage of profiling techniques", the Working Party said. Businesses should only be allowed to undertake profiling through "suitable measures" that "safeguard the data subject's rights and freedoms". This may necessitate that businesses conduct a data protection impact assessment before undertaking profiling, it said.
In addition, companies should use safeguards to ensure that the minimum amount of personal data is processed for the purposes of profiling, the privacy body said. This should involve using "data protection friendly technologies and standard default settings", whilst the reformed regime should at least offer incentives to firms to deploy anonymisation or pseudonymisation measures "in the context of profiling", it said.
The Working Party said that 'profiling' should be specifically defined under the new General Data Protection Regulation.
"'Profiling' [should mean] any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person's health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements," the watchdog's proposed definition said.