“The amount of data in our world has been exploding, and analysing large data sets — so-called Big Data — will become a key basis of competition, underpinning new waves of productivity growth, innovation and consumer surplus”. Not my words, but those of the McKinsey Global Institute (the business and economics research arm of McKinsey) in a report that evidences like no other the value of data for future economic growth. However, that value will be seriously at risk if the European Parliament accepts the proposal for a pan-European Regulation currently on the table.
Following the publication by the European Commission last year of a proposal for a General Data Protection Regulation aimed at replacing the current national data protection laws across the EU, at the beginning of 2013, Jan Philipp Albrecht (Rapporteur for the LIBE Committee, which is leading the European Parliament’s position on this matter) published his proposed revised draft Regulation.
Albrecht’s proposal introduces a wide definition of ‘profiling’, which was covered by the Commission’s proposal but not defined. Profiling is defined in Albrecht’s proposal as “any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour“.
Neither the Commission’s original proposal nor Albrecht’s proposal define “automated processing”. However, the case law of the European Court of Justice suggests that processing of personal data by automated means (or automated processing) should be understood by contrast with manual processing. In other words, automated processing is processing carried out by using computers whilst manual processing is processing carried out manually or on paper. Therefore, the logical conclusion is that the collection of information via the Internet or from transactional records and the placing of that information onto a database — which is the essence of Big Data — will constitute automated processing for the purposes of the definition of profiling in Albrecht’s proposal.
If we link to that the fact that, in a commercial context, all that data will typically be used first to analyse people’s technological comings and goings, and then to make decisions based on perceived preferences and expected behaviours, it is obvious that most activities involving Big Data will fall within the definition of profiling.
The legal threat is therefore very clear given that, under Albrecht’s proposal, any data processing activities that qualify as ‘profiling’ will be unlawful by default unless those are activities are:
* necessary for entering into or performing a contract at the request of the individual – bearing in mind that “contractual necessity” is very strictly interpreted by the EU data protection authorities to the point that if the processing is not strictly necessary from the point of view of the individuals themselves, it will not be regarded as necessary;
* expressly authorised by EU or Member State law – which means that a statutory provision has to specifically allow such activities; or
* with the individual’s consent – which must be specific, informed, explicit and freely given, taking into account that under Albrecht’s proposal, consent is not valid where the data controller is in a dominant market position or where the provision of a service is made conditional on the permission to use someone’s data.
In addition, there is a blanket prohibition on profiling activities involving sensitive personal data, discriminatory activities or children data.
So the outlook is simple: either the European Parliament figures out how to regulate profiling activities in a more balanced way or Big Data will become No Data.