DATA ANALYTICS & PROFILING– WHAT SHOULD THE LAW DEMAND? PART II
The first part of this article discussed the concept of personal data and the nitty-gritty of data analytics and data profiling, both from an industry and legal perspective. This present part explored the current legal framework, its impacts, and the way forward for regulations on Data Analytics (DA) and Data Profiling (DP).
What are Data Analytics and Data Profiling?
The General Data Protection Regulation (GDPR) prohibits solely automated decision-making – including profiling [1] – which has legal or similar effects on the data subject.[2] Article 22(1) of the GDPR specifies the exceptions to the restriction, namely:
-necessary for entering, or performance of, a contract between the data subject and a data controller;
-authorised by the law; or
-where the data subject gives express consent[3]
The question is what type of profiling or decisions have legal or similarly significant effects?
Decisions have legal effects when they can affect the legal rights or benefits of the data subject. For example, a decision to provide accessibility to a government-insurance scheme. Decisions with similarly significant decisions are not close-ended, and they may affect the data subject’s reputation, recruitment opportunities, health, financial status (e.g., loan application, credit scores), and (predictions on) choices/behaviour.