U.K. Privacy Office Seeks Feedback on European Profiling Rules

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

The U.K. privacy office April 7 issued a discussion paper on automated programs that profile individuals for targeted advertising and other messages based on their online information.

The Information Commissioner’s Office said the paper is intended to prompt public comments on the profiling provisions in the new European Union privacy regime, the General Data Protection Regulation (GDPR). The ICO wants the feedback to help it workwith other EU privacy regulators to craft formal GDPR guidance on profiling in advance of the new law’s May 2018 effective date.

The prospective guidelines, particularly a possible explicit consent requirement, will have a huge impact on how advertisers and online services that provide consumer recommendations, such as Netflix Inc., structure their business models.

The GDPR requires companies that use personal data with a significant effect on an individual to get their explicit consent. The question for automated profiling is whether it meets the significant effect threshold.

Profiling is a hot-button issue, Rafi Azim-Khan, a data privacy partner at Pillsbury Winthrop Shaw Pittman LLP in London, told Bloomberg BNA April 7. Privacy regulators will be shining “a greater spotlight” on profiling under the GDPR, he said.

Profiling involves a variety of data—such as internet browsing history, financial data, education and professional data—about individuals to build a digital picture for use in targeted marketing and advertising. Profiling is also used in custom services, such as video on demand recommendations.

“The widespread availability of personal data on the internet and advances in technology, coupled with the capabilities of big data analytics mean that profiling is becoming a much wider issue,” the ICO said in the discussion paper.

The U.S. Federal Trade Commission has long been concerned about the effects of using big data to profile consumers, specifically whether algorithm biases could exacerbate the exclusion of low-income and under-served communities from credit and employment opportunities.

Advertising Models Hang in the Balance

The ICO seems to be considering a very low threshold for what types of profiling may be considered to have a significant effect on data subjects, Nicola Cain, legal director at Reynolds Porter Chamberlain LLP in London, told Bloomberg BNA April 7.

The ICO discusssion paper suggests that effects on individuals from profiling that should be considered significant include “loss or distress to individuals” and effects on individuals’ "well-being or peace of mind.”

The ICO’s consideration of such a subjective standard is notable, Cain said.

If behavioral-based advertisers are required to obtain explicit consent to engage in profiling , “it could change peoples’ business models,” Cain said. For example a video on demand provider that makes movie recommendations might have to gain explicit consent, she said.

Azim-Khan said that the pressure to maximize the payoff from using big data analytics may push companies to “cross the line” about whether they need consent. But companies may want to think twice about rushing ahead, given the significantly increased fines in the GDPR of up to 20 million euros ($21.4 million) or up to 4 percent of a company’s global revenue, he said.

Shannon Yavorsky, a data privacy partner at Venable LLP in San Francisco, told Bloomberg BNA April 7 that the ICO’s feedback request hopefully will “result in guidance that organizations need to continue adapting offers of goods and services to align with individual consumer demand and promote a vibrant digital marketplace.”

Public comments on the discussion paper are due by April 28.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The full discussion paper can be found at http://src.bna.com/nKS.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security