3 August, 2015
As the Dutch minister of Economic Affairs Kamp stipulated in his letter to the Parliament on the 20th of July there is still much uncertainty for companies on what are the exact legal boundaries when processing large amounts of personal data (big data). One of the issues regarding the processing of big data is the concept of profiling: creating a profile of someone on the basis of the data this person leaves behind, for instance, on the Internet.
Last October the chairman of the Dutch Data Protection Authority Jacob Kohnstamm gave a speech at the National Think Tank and talked about his concerns regarding profiling. According to Kohnstamm profiling goes against one of the fundamental values of our democratic society: the full and independent development of the individual. Such development is an illusion when many choices have been made for that individual on the basis of his profile. Kohnstamm makes a valid point: a profile of someone gives only a certain reflection of his being en does not have to be correct. Imagine that you are surfing the Internet and are typing in Google search the words ‘commit murder’, ‘axe’ and ‘hiding a dead body’. Are you then a murderer? Or are you one of the writers of the CSI series searching for inspiration for a new episode?
This is one of the reasons that profiling should be subject to suitable safeguards. The principle regarding profiling in the new EU General Data Protection Regulation states that it is not allowed to base decision-making that produces legal effect or significantly affects the data subject solely on the basis of his profile. There are some exceptions to this rule: decision-making based on profiling is allowed when authorized by law, necessary for the entering or performing of a contract with the data subject or when the data subject has gives his explicit consent. However, profiling always needs to subject to suitable safeguards. The data subject has to be informed about the profiling, has the right to obtain human intervention and to express his point of view. The data subject also has the right to get an explanation of the decision reached and the right to contest the decision.
As of June 2015 the trialogue consisting of the European Commission, the European Parliament and the Council of the European Union has started. The goal of this trialogue is to reach a decision on the final version of the EU General Data Protection Regulation before the end of this year. This implies that the time has come for companies that base their business model on profiling to start thinking about how to implement the necessary safeguards. Although the new Regulation will only take effect in late 2017 or early 2018 time passes quickly and non-compliance with the new Regulation may lead to fines up to 1 million euro or 2% of annual turnover.
Senior Legal Consultant
What are the consequences of a Brexit for the privacy and data protection obligations of your company?
Can I still transfer data to the United Kingdom? And is it still possible to transfer data from the...