The Article 29 Data Protection Working Party recently issued guidelines on how to handle profiling and automated decision making under the General Data Protection Regulation. Under GDPR, “profiling” means the automated collection of personal information in order to evaluate personal aspects about an individual. For example, companies may use profiling to predict individuals’ spending habits, targeting ads to individuals based on their internet browsing history.
“Automated decision making” may overlap with profiling. The guidelines provide the example of speed cameras that automatically generate a ticket to demonstrate automated decision making without profiling. In the guidelines, automated decision making is distinguished from “solely” automated decision making. Solely automated decision making is when decisions are made based on technology with no “meaningful” human involvement. Where this activity has a significant effect on the individual, it is prohibited under GDPR (with three very narrow exceptions). An example of a practice with a significant effect is an e-recruiting policy that automatically excludes individuals without any human involvement.
Putting it Into Practice: Companies subject to the GDPR should be mindful of practices involving profiling or automated decision making and, in many cases will want to incorporate a “human element” in these practices.