Will GDPR affect automated decision making and profiling?
Companies that use automatic decision making processes in order to profile consumers are taking note of GDPR. Article 22, Section 1 prohibits automatic decision making of personal data if such decision making produces “legal or similarly significant” effects on the consumer. The vagueness of this section has resulted in many interpretations, so where do companies that depend on automatic profiling stand?
The lack of clarity about Article 22, Section 1 should not cause alarm for companies that use automatic profiling when price matching. The ramifications that automated decision making can produce are neither legal nor significant because discriminatory practices that price-matching companies use do not greatly impact the lives of consumers. Consumers making purchases because of price matching are not making decisions that could critically change their lives, nor are they being denied any legal rights. In comparison to practices that could produce significant and legal effects, the practices involved in price-matching are trivially impactful.
Automatic profiling decisions that could be significantly or legally impactful are often made by companies that play crucial roles in people’s lives. These companies deal with financing, insurance, transportation, etc. An example would be if a company denies an individual’s request for a loan based solely on automated decision making, then the company is significantly impacting the welfare of the individual. While the company’s decision does not violate any pre-GDPR laws, the rejection does have the potential to greatly reduce the fortunes of the individual. Another example of a legal effect is the imposition of speeding fines based off camera evidence using solely automated decision making. Meanwhile, the profiling activities performed by a shopping-assistance company that selects products tailored to certain needs are, comparably, insignificant. Activities that could have legal or otherwise significant ramifications rightly merit human intervention. Yet companies that operate in a market of much less gravity should not need to encumber themselves by adding an unnecessary human element to a speedy and effective operation.
GDPR’s opacity can create skepticism and even uncertainty, even for companies that do not appear to be affected. But the wording can be used to companies’ advantage. For example, a shoe company that uses personal data to advertise directly to consumers does not seem like the target of Article 22, Section 1. However, a shopaholic may go on a shoe shopping spree upon the appearance of direct marketing advertisements from the shoe company, forcing the shopper to mortgage his house. The company has, thus, significantly impacted a data subject with automated decision making. According to this line of thinking, virtually every automated profiling process can affect data subjects significantly. Surely, the European Union did not implement GDPR only for companies to be unable to follow it. GDPR is meant to give data subjects more freedom over how their data is processed. It is not meant to prohibit companies from offering their services to consumers. While GDPR does rein in some practices of companies like loan institutions and insurance companies, it most likely does not affect the automatic profiling practices of other companies, like those that price-match.
Integrity can help your company to review its practices in order to fully comply with GDPR regulations.