Nov 09

Keys for GDPR compliant Automated Decision Making

There’s a reason the GDPR specifically addresses automated individual decision-making: profiling and automated decision-making can pose significant risks to individuals’ rights and freedoms. Given their increasing prominence in both the private and public sectors (banking and finance, healthcare and marketing, to name just a few), combined with the inherent risk this processing carries, organisations are required to take specific steps before they proceed with this type of processing. In this article, you’ll find everything you need to know!

Definitions 

Automated decision-making has a different scope from profiling and may partially overlap with or result from it. Automated decision-making is the ability to make decisions by technological means without any human intervention. For example, imposing speeding fines purely on the basis of evidence from speed cameras is an automated decision-making process. It can be based on any type of data, such as:

  • data provided directly by individuals
  • observed data 
  • derived or inferred data

Profiling, on the other hand, is a procedure that consists of three “elements”:

  • it is a wholly or partially automated form of processing;
  • it has to be carried out on personal data;
  • its purpose is to evaluate and predict personal aspects, using data from various sources, to infer something or make a judgement about an individual. These predictions can relate to someone’s performance at work, economic situation, health, personal preferences or interests, behaviour, location or movements.

Note that a simple classification of individuals based on known characteristics such as their age, sex, and height does not necessarily lead to profiling. The decisive criterion to understand whether a classification constitutes profiling or not is the purpose of the classification. For instance, a business may wish to classify its customers according to their age or gender for statistical purposes without making any predictions or drawing any conclusion about an individual. In this case, the purpose is not assessing individual characteristics and is therefore not profiling. 

When does the GDPR take heed of automated decision-making and profiling?

Article 22(1) says:

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

According to the EDPB, the term “right” in the provision above does not mean that Article 22 applies only when actively invoked by the data subject. The article establishes a general prohibition on decision-making based solely on automated processing that has a legal or similarly significant effect. This prohibition applies whether or not the data subject takes any action regarding the processing of their personal data.

In summary, Article 22 provides that: 

(i) as a rule of thumb, there is a general prohibition on fully automated individual decision-making, including profiling, that has a legal or similarly significant effect;

  • A legal effect requires that the decision affects someone’s legal rights, legal status or rights under a contract, such as the cancellation of a contract or the denial of citizenship.
  • A similarly significant effect does not change the rights or obligations of an individual, but the data subject may still be affected sufficiently. The decision must have the potential to:
    • significantly affect the circumstances, behaviour or choices of the individuals concerned;
    • have a prolonged or permanent impact on the data subject;
    • or, at its most extreme, lead to the exclusion or discrimination of individuals. Typical examples include the automatic refusal of an online credit application or e-recruiting practices without any human intervention.


(ii) there are exceptions to the rule (contractual necessity, legal authorisation or data subject’s explicit consent); 

(iii) where one of these exceptions applies, there must be measures in place to safeguard the data subject’s rights and freedoms and legitimate interests.


What to consider when applying automated decision-making and profiling?

As we mentioned in the beginning, automated decision-making, including profiling, that has legal or similar effects on data subjects is a processing activity with an inherent risk. What do we mean by that? According to the EDPB, this type of processing is a risk identifier and, in combination with one or more other risk identifiers, can pose a high risk to the rights and freedoms of a data subject (thereby also triggering the obligation to carry out a DPIA).

This means that automated decision-making could affect someone’s legal rights, legal status or any other similar situation worthy of attention (for example, decisions that affect someone’s financial circumstances, employment opportunities, or access to health services or education). In order to eliminate those risks and comply with the GDPR, here are some safeguards and practical tips to take into account when your processing activity is based on automated decision-making:

  • Make sure to inform data subjects clearly and transparently that automated decision-making, including profiling, takes place, and let them know about your purposes and the means of the processing activity.

This requirement has also been confirmed by the Danish DPA, which ruled that the controller must answer clearly whether automated decision-making takes place in the context of an access request.

  • Ensure that you have procedures in place that make it easy for data subjects to exercise their data protection rights. You should specifically consider making it easy for data subjects to express their wish not to be subject to automated decision-making, including profiling.
  • Make sure that you meet all the GDPR principles when applying automated decision-making, including profiling. For example, you have a valid legal basis, a specific retention period and specific purposes for processing, you justify the need to collect and hold personal data, and you verify that the data you have collected are accurate and up to date.
  • Automated decision-making as a processing activity carries an inherent risk. In combination with other risk factors, the requirement to carry out a DPIA may be triggered. Therefore, assess the level of risk and consider whether a DPIA is needed. (link to DPIA article)
  • If you will process special categories of personal data for automated decision-making, confirm that an additional condition of Article 9(2) applies. Remember that in order to process special categories of personal data, you need both a legal basis (Article 6 GDPR) and an additional condition under Article 9(2) GDPR. The most appropriate additional condition for automated decision-making could be the data subject’s explicit consent.
  • Last but not least, if your core business activity is the regular and systematic monitoring and tracking of individuals (and therefore profiling and/or automated decision-making takes place), make sure to designate a DPO.

Conclusion 

Automated decision-making is a processing activity that comes with an inherent risk to individuals’ rights and freedoms. As the GDPR has adopted a risk-based approach, applying automated decision-making, including profiling, which has legal or similar effects might trigger specific GDPR obligations. It is also important to ask yourself whether you have actually taken all the appropriate measures mentioned above to eliminate any possible risk to individuals deriving from this processing activity before you start applying automated decision-making (including profiling).
