30th March 2017
Charities Institute Ireland would like to thank you for the opportunity to make a submission regarding ‘Profiling’ under the upcoming General Data Protection Regulation (GDPR).
The GDPR contains several Recitals on profiling. The criteria of ‘legal effects and ‘significant effects’ does pose problems of interpretation. The data subject has the right not to be the subject of a decision based exclusively on automated processing. The definition of profiling provided for in the regulation raises questions about the cases involved in profiling. To determine whether it is profiling, two criteria must be taken into account:
- Automated processing
- A purpose for assessing certain aspects relating to a natural person.
Firstly, it is necessary to understand that if the decision is not fully automated, and if a person intervenes in the processing of the data, notably to make the decision, that this is not profiling? The legislation appears to go in this direction since it states that the person has the right not to be subjected to fully automated processing based solely on profiling and is not applicable where the interest of the recipient does not constitute a decision for ‘legal consequences’ or ‘not significantly’ affecting the person concerned, such as an automatically declined loan, mortgage, increase in an insurance policy etc.
Any classification of individuals according to specific segmentation criteria can be considered as profiling, assuming that it is actually performed by machines e.g., students ranked by grades to assess their performance, sales professionals in an organisation evaluated on the basis of ranking of sales figures etc. From our interpretation, we understand that none of these examples fall within the scope of the ‘profiling’ provision.
In our opinion, the main problem is not necessarily profiling but rather the way in which the profiling is actually used, its impact on the individual and the lack of human intervention.
Attention should first be paid to profiling activities:
- Based solely on automated processing
- May cause unfair, detrimental and significant effects to the persons concerned in relation to access to essential services (mortgages, loan Insurance) or to their dignity and freedoms.
Furthermore, the GDPR definition of profiling appropriately includes basic online business activities such as consumer segmentation to provide appropriate advice or advertising. This type of profiling is often referred to as ‘current’ profiling and is at the origin of a free internet for all. The GDPR distinguishes ‘current’ profiling from profiling associated with fully automated data processing that has ‘legal effects’ or ‘significantly affect’s the data subjects. ‘Current’ profiling is legitimate business interests and the data subjects have the right to object.
The right to object to profiling which is based on legitimate business interests of the controller is a reflection of the previous directives and an equitable way of offering individuals the ability to choose and control. GDPR rightly recognises that companies cannot offer users the main services on which they rely without ‘current’ profiling such as preference based advertising. Should it be considered that targeted advertising has legal effects or affects the person concerned significantly? If this is the case we would like to draw your attention to the fact that such a qualification could have serious economic consequences, since all sectors of activity today use targeted advertising.
Charities Institute Ireland calls on the Data Protection Commissioner to interpret these provisions in line with the original spirit of the GDPR – that is, by limiting decisions considered to have ‘legal effects’ or ‘significant effects’ to situations where these effects would have a real negative impact on the persons concerned e.g., the ability to obtain credit etc.
Charities Institute Ireland further calls on the Data Protection Commissioner to accept and confirm, with respect to the charitable, not-for-profit and the voluntary sector and their funding model that:
- Detailing profiling/development purposes within the Privacy Statement and Data Usage Statements of a charitable organisation is sufficient to adhere to this element of the GDPR.
- That the right of donors to oppose profiling is satisfied by allowing the person concerned to delete their information without any other conditions.
Charities Institute Ireland considers that donor profiling does not deprive the person concerned of a right but on the contrary fosters true engagement and giving as it is adopted to the donors values and interests and thus seen as an opportunity to express their support for a charity and not an intrusion on privacy.
Membership and Communications Manager.