The creation and application of profiles may affect individuals and their lives. The lack of transparency and accuracy that may result from these profiles can cause asymmetries of knowledge and unbalanced distribution of powers between business entities and individual subjects. As such, profiling challenges the protection of individuals and generates concerns over the individuals' privacy and data protection. In using profiling practices, every business entity must comply with data protection legislation.The purpose of the chapter is to examine the effectiveness of the GDPR to ensure protection for individuals within the context of profiling. It identifies and analyses, from a profiling point of view, a number of strengths and weaknesses associated with the general data protection principles as adopted under the Article 5 GDPR. The author argues that profiling contradicts the transparent nature of data protection principles, and thus of the GDPR. In practice, the law is ineffective to ensure fair, lawful, and transparent profiling activities to safeguard individuals and their rights.
TopIntroduction
New technological developments and the large amount of databases nowadays enable the use of profiling practices which collect, combine, analyse and automatically categorise data into groups. This automatic categorisation and identification of individuals’ data enables business entities to classify individuals into certain profiles. Although such resulting profiles can help business entities to identify current or potential targets for their own benefits and decision-makings (e.g. build their business models, improve their services or organise their marketing strategies), profiling is likely to generate certain prejudicial treatments for the individuals, which may threaten their privacy and data protection rights, as personal and sensitive information may be revealed.
The creation and application of profiles may affect individuals and their lives. This is because profiling enables business entities to discover new knowledge about their current or potential customers by creating new personal data about individuals (e.g. a customer’s previous purchases habits may reveal information about his/her economic situation), from data relating to other individuals (e.g. members of the group profiles to which the individuals belong), or even generating sensitive personal data from non-sensitive data (e.g. a customer’s home address may reveal information about his/her ethnicity or religion). By attributing to individuals personal data which in fact belong to other individuals with whom they share some common characteristics (e.g. same purchase habits), there is a possibility of classifying them in a category – profile – in which they do not belong (e.g. an individual may mistakenly be classified as a high income customer because he/she likes to view expensive watches). As a result, individuals are given new (incorrect) characteristics and values, based on which business entities decide whether to include or exclude them from certain services (e.g. receiving a low premium for insurance coverage or being hired for a job).
Consequently, the lack of transparency and accuracy that may result from these profiles can cause asymmetries of knowledge and unbalanced distribution of powers between business entities (who obtain new knowledge about individuals from the created profiles) and individual subjects (who are not aware of the profiles applied to them). Knowledge asymmetry may affect the level of power between business entities and customers (Schermer, 2011). The effect of this imbalance of powers may lead to unfair treatments for the customers (e.g. different prices for different types of customers) and unfair manipulation of a person’s future choices or actions (e.g. customers are forced to buy products that they are not initially interested in) (Schermer, 2013). As such, profiling challenges the protection of individuals’ fundamental rights and values and generates concerns over the individuals’ privacy and data protection.
As a result, these challenges exhibit the importance and the necessity of ensuring privacy and data protection rights and of questioning the applicability and effectiveness of the law to protect these rights within the context of profiling. Both these rights are necessary instruments for a democratic society. Privacy underpins human dignity and other key values of human life (i.e. autonomy, integrity, self-determination and identity) and has become one of the most important human rights of the modern age. Personal data refers to any kind of information that can be used to identify an individual, either directly or indirectly, using a combination of different information. For this reason, data protection encompasses also protection for other fundamental rights like freedom of expression, freedom of religion and conscience and the right to equality and non-discrimination (Ferraris, Bosco and D’Angelo, 2013a).
In order to protect individuals’ rights to privacy and data protection, every business entity (controller) must comply with data protection legislation. Data protection legislation has always been approached within the notion of transparency. This is why data protection legislation does not prohibit processing of personal data but regulates it. In this way, the law tries to defend personal data while, at the same time, it protects the legitimate interests of controllers in processing such data for social and economic purposes.