Industry vows to fight GDPR clampdown on data profiling
The DMA has pledged to submit a "robust" response to new EU draft guidance on the use of profiling and automated decision-making under GDPR, which if passed in their current form would outlaw the process unless companies can show they have explicit consent or that it is necessary for fulfilling a contract.
The guidance, which has been published by the Article 29 Working Party, has had extensive input from the UK Information Commissioner’s Office, which led the process.
It defines profiling as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person". The guidance does not allow for fully automated individual decision-making except in certain cases.
Companies cannot swerve this by fabricating human involvement, according to the guidance, and the human’s oversight of a decision must be "meaningful", rather than token, and have the authority and competence to change the algorithm’s decision if necessary.
There are exceptions but only when it is necessary for the performance of or entering into a contract; when authorised by the EU or the member state or when it is based on consumers' explicit consent.
DMA head of external affairs Zac Thornton said: "The DMA will be submitting a robust response to the Article 29 Working Party and we rely on contributions from members to bolster our arguments."