In what sometimes seems like a polarised debate on the draft Data Protection Regulation, it’s good to see the Article 29 Working Party trying to find the middle ground. The subject of their latest advice note is the contentious topic of profiling, which has been presented both as vital to the operation and development of Internet services and as an extreme violation of privacy. The problem is that with a wide definition of profiling, both those opinions may be correct.
Unlike the Cookie Directive, which required consent for both harmful and harmless cookies and left it to users to somehow work out which was which, the Working Party suggest that this time the law should make the distinction. While recognising that it is the collection of profiles, not just their use, that can present a threat to privacy, the Working Party suggest that there are some uses of profiling that do not significantly affect individuals’ privacy and should, subject to meeting the usual data protection principles, be permitted as routine. Requiring consent only for profiling where there is a significant risk of harm gives a signal to both users and service providers that such uses should be approached with caution.
This, of course, requires someone to distinguish between profiling that does and does not significantly affect privacy, and the Working Party offer to take on that task if the law is written to require it. Guidance from them on profiling and other activities that involve a wide range of potential effects on privacy would help both service providers who wish to be innovative but not intrusive, and users who want a good Internet experience without placing themselves at risk.
Out-law.com has articles on low-risk and high-risk profiling.