ARTICLE
18 April 2017

UK ICO Publishes Discussion Paper on Profiling and Automated Decision-Making under GDPR

WilmerHale

Contributor

WilmerHale provides legal representation across a comprehensive range of practice areas critical to the success of its clients. With a staunch commitment to public service, the firm is a leader in pro bono representation. WilmerHale is 1,000 lawyers strong with 12 offices in the United States, Europe and Asia.
UK Privacy

The UK Information Commissioner's Office (ICO) continues to play an active role in shaping data protection law in the EU, notwithstanding the UK's decision to leave the EU in the aftermath of Brexit. On April 6, 2017, the ICO issued a discussion paper containing its "initial thoughts" on profiling and automated decision-making under the General Data Protection Regulation (GDPR). The deadline for submitting comments is April 28, 2017.

As profiling continues to increase in importance and scope for many businesses, companies may look to the ICO's discussion paper as an early indication of its views and concerns on key profiling issues. In addition, companies may want to submit comments to the ICO to address specific profiling issues raised by their businesses and to influence how the GDPR is ultimately interpreted and implemented in practice.

The ICO's discussion paper is part of its continuing efforts to help businesses prepare for the GDPR, which takes effect on May 25, 2018. For example, the ICO recently finished accepting comments on its draft guidance on the meaning of "consent" under the GDPR, and it intends to publish additional guidance in the future.

Discussion Paper on Profiling and Automated Decision-Making Under the GDPR

The GDPR introduced several new rights and obligations with respect to "profiling" and automated decision-making. The ICO's discussion paper highlights some of the key areas of profiling that the ICO felt needed further consideration. Although the ICO states that its discussion paper "should not be interpreted as guidance," the ICO indicates that it is taking a leading role on this issue as part of the Article 29 Working Party (the collective group of EU data protection authorities that is charged with issuing guidance on EU privacy laws). The Article 29 Working Party's guidelines on profiling are due to be published later this year.

Definition and Scope of Profiling

The ICO appears to view the definition and scope of profiling—and the corresponding rights and obligations that go with it—broadly. Article 4(4) of the GDPR defines profiling as "[a]ny form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements." The ICO states that, broadly speaking, it considers profiling to mean "gathering information about an individual or group of individuals and analysing their characteristics or behaviour patterns in order to place them into a certain category or group, and/or to make predictions or assessments about their: ability to perform a task; interests; or likely behaviour."

The ICO notes that the "widespread availability of personal data on the internet and advances in technology, coupled with the capabilities of big data analytics mean that profiling is becoming a much wider issue, reflected in the more detailed provisions of the GDPR." In particular, the ICO notes that the types of data used to build profiles may include, but are not limited to:

  • internet search and browsing history;
  • education and professional data;
  • data derived from existing customer relationships;
  • data collected for credit-worthiness assessments;
  • financial and payment data;
  • consumer complaints or queries;
  • driving and location data;
  • property ownership data;
  • information from store cards and credit cards;
  • consumer buying habits;
  • wearable tech, such as fitness trackers;
  • lifestyle and behavior data gathered from mobile phones;
  • social network information;
  • video surveillance systems;
  • biometric systems;
  • internet of things; and
  • telematics.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
