When the European Commission proposed its Data Protection Directive in 1995, it made the decision not to give the EU Member States the option to opt out of its profiling (“automated decision-making”) provisions. Even in the days before “big data” and rampant mass surveillance, the dangers of using personal data to make decisions based on profiling were clear.
In 2011 and 2012, however, when the European Commission was drafting its update of the legislation, something changed. At the same time as unequivocally promising that protections must not and cannot drop below the levels in existing legislation and including specific provisions on protection from profiling, the Commission proposed giving Member States the option not to implement protections against
profiling for a variety of different reasons such as “public security”, prevention and investigation of serious offences, “other” public interests and the protection of the “rights and freedoms of others”.
An exception that was not foreseen when profiling was done on a much smaller and narrower scale was proposed in an era of vast data collection and mass surveillance, where automated mapping of who we are – our moods, relationships, fears, health and financial situation – is increasingly possible. Today’s profiling increasingly permits data to be generated about us that we will often not have access to ourselves. A recent study by Cambridge and Stanford Universities discovered that, by analysing clicks on Facebook “like” buttons, it was possible to guess an individual’s answers on a personality test better than a work colleague (based on just 10 clicks), better than a parent or sibling (based on 150 clicks) and better than a spouse (based on 300 clicks). Researchers indicated that Facebook has records of 100 billion “likes”.
This information will be generated and stored in a perfect digital memory that creates a history of our likes, our feelings, our highs and lows. It is even possible to go back and discover new information that was not available at the time of the data collection. If you’ve clicked on more than 300 “likes”, no living person knows you as well as Facebook.
The dangers of profiling being used by law enforcement authorities were detailed in a European Parliament report adopted by an overwhelming majority (372 in favour, 12 against) in April 2013. That report warned, in particular, of such profiling “there are significant rates of ‘false positives’ whereby not only do wholly innocent people come under suspicion resulting in potential invasion of individual privacy but real suspects meanwhile remain unidentified”.
So, what is happening in the decision-making process now?
EDRi campaigned successfully – and with no noticeable opposition from the Commission – to persuade the Parliament to remove the right of Member States not to implement an exception on profiling protections, although the Parliament did significantly weaken the protections themselves.
Now, however, the latest proposals from the Council seek to further undermine protection from profiling. The draft text from the Council not only re-inserts profiling into the (absurdly long) list of measures in the Regulation that Member States can choose not to impose, it also increases the range of justifications for doing so.
It is inevitable that profiling measures availing of this exception will be implemented at least partly in cooperation with large online companies that operate in several EU Member States and that this will lead to calls for harmonisation and that this will lead to further legislation to achieve this. But, don’t worry, after seven or eight years, the Courts will catch up. Probably.
In addition, this Regulation that intends to harmonise the approach to data protection in 28 EU Member States also foresees national exceptions with regard to data processing principles, transparent information and communication, procedures for individuals to exercise their rights, rights of recipients of data, information to be provided to individuals, rights of access to one’s personal data, right to rectification of personal data, right to erasure, right to data portability, right to object and data breach notification… in legislation aimed at increasing harmonisation.
Analysis: The Proposed Data Protection Regulation: What has the Council agreed so far? (08.12.2014)
European Parliament recommendation to the Council of 24 April 2009 on the problem of profiling, notably on the basis of ethnicity and race, in counter-terrorism, law enforcement, immigration, customs and border control (2008/2020(INI)) (24.04.2009)
Facebook researchers are trying to predict when you and your spouse will break up (28.10.2013)
Ever liked a film on Facebook? You’ve given the security services a key to your soul (13.01.2015)
(Contribution by Joe McNamee, EDRi)