In a post last week, I said that “There’s a perpetuated misconception that all profiling needs consent. It doesn’t, end of.” Since this seems to have been an area of much confusion under the GDPR, I thought it worth taking the time to elaborate on this point.
What is “profiling”?
To start with, it’s important to understand what profiling means. The GDPR defines profiling as follows:
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements” (Art 4(4)).
In simple terms, profiling refers to using someone’s personal information in order to build up a picture of the type of person they are and the way they behave - whether for analytics reporting (e.g. “15% of the visitors to our website are female, in professional jobs, and in the 25-34 age bracket”), for some kind of evaluation (e.g. “This individual presents a high risk of defaulting on a loan”), or for targeting purposes (“Serve this ad to an audience of men aged between 35 - 44 and interested in sports”).
The difference between “profiling” and “automated decisions”
One word that is conspicuously absent from the definition of profiling, though, is “decision”. This is very important for reasons I'll explain below. Many commentators have failed to distinguish the concepts of profiling and automated decision-making, and this has resulted in confusion about whether consent requirements apply for profiling.
To be fair, this confusion is understandable, because the GDPR seemingly blurs the lines between the two concepts at Art 22 when it says that:
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her” (emphasis added).
Art 22 then goes on to say that this restriction against automated decisions does not apply if the individual has given “explicit consent” (in addition to a couple of other grounds).
So there you have it: in a single article of the GDPR you have the words “profiling” and “consent”, ergo all profiling requires consent, right?
No, no, and no!
Wrong - and here’s why:
1) First off, the Art 22 restriction applies to automated decision-making, not profiling per se. A controller might use an individual’s profile in order to make an automated decision, but profiling is not in and of itself an automated decision. Remember the word “decision” does not appear once in the definition of profiling. To give a real-world example, I might look at someone’s credit profile to decide whether or not to advance them a loan: the ‘decision’ here is whether or not to make the loan; the individual’s profile is what I use to inform that decision.
2) Building on that point, Art 22 restricts automated decision-making “based solely on automated processing, including profiling”. The words “including profiling” here relate solely to the concept of “automated processing” - profiling is an example of “automated processing”, not of “automated decision-making”.
3) Recital 71 makes this distinction slightly clearer, noting that “The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her… Such processing includes ‘profiling’” (emphasis added). Once again, note the distinction between the “decision” and the “processing” (profiling).
4) You don’t have to take my word for it though. Look at the evidence in the textual development of this provision as the GDPR passed through the legislative process. In the Commission’s original 2012 proposal, the then-article 20 said:
“Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.”
Again, the focus here was on the “measures” produced by profiling, not the profiling itself.
There were, however, quarters in Europe that did want consent for all processing, including the European Parliament which, in its review of the draft GDPR, proposed the following:
“The processing of personal data for the purposes of profiling, including in relation to the offering of electronic information and communication services, shall only be lawful if” based on consent or one of the other proposed lawful grounds.
In this draft, the European Parliament clearly aimed to restrict all forms profiling. However, the European Parliament’s approach did not make it into the final version of the GDPR and this itself is telling. The final version of the GDPR was ultimately closer to the Commission’s initial proposal; namely, that profiling itself is not restricted, only automated decisions based on automated processing - with profiling being one example of automated processing.
5) Even if you disagree with this interpretation, it’s worth noting that automated decisions are not, as a whole, restricted - only decisions which produce “legal effects” or which have “similarly significant effects” on the individual. Whatever your personal view on profiling, from a legal perspective it’s very hard to evidence that profiling in the context of, say, online advertising or analytics has a “significant” or “legal” effect on any individual.
6) If after that, you’re still not convinced, then have a look at Art 21 of the GDPR. Among other things, this article gives individuals the right to object to processing of their personal data which is based on public interests grounds (under Art 6(1)(e)) or legitimate interests grounds (under Art 6(1)(f)) and expressly refers to “profiling based on those provisions”. This is an express acknowledgement, directly within the operative provisions of the GDPR, that profiling can be based upon these non-consent-based processing grounds - establishing objectively and definitively that, as a matter of law, consent is not required for all profiling.
Why this matters
Ultimately, what this means is that, if you are carrying out profiling activities, you shouldn’t jump to the assumption that consent is always required. Consent will generally be mandated only if:
- you conduct profiling using an individual’s sensitive personal data (such as health, racial or other sensitive data); or
- you conduct profiling that results in automated decision-making (i.e. no human review element in the decision-making) and:
- that decision-making results in a legal or significant effect on the individual (which, according to Recital 71 of the GDPR, includes: “automatic refusal of an online credit application or e-recruiting practices without any human intervention”); and
- no other legitimising ground applies under Art 22(2) (such as necessity to enter a contract or authorisation under EU or Member State law).
In all other cases, data controllers can potentially justify their profiling activities on non-consent-based grounds, such as legitimate interests under Art 6(1)(f) of the GDPR.
Of course, this isn't the same as saying you will always be able to justify your profiling on non-consent-based grounds - you do still have to take into account the nature, scope, context and purposes of the processing, including the transparency measures taken towards the individual, the potential privacy intrusions towards him or her, and his or her ability to decline (opt-out) of profiling. However, it does mean that consent doesn’t need to be your first, last, and only resort for profiling activities - so don't mistakenly assume that's the case.