Episode 3: PART 2: Profiling & automated decisions explained
The third video in the series is a continuation of Episode 2 on profiling and automated decision-making. Our Policy Officer Martin Schmalzried goes into detail about the specific rights that citizen’s have by the GDPR when it comes to these processes which influence your everyday life.
Hi, I’m Martin, welcome to the second video on automated individual decision-making and profiling.
If you didn’t see the first video, I encourage you to look at it because it is a great introduction to the topic. See the link is below in the description.
In this video, we will be discussing, the new rules to be respected by data controllers and, the new rights granted by the GDPR to individual citizens. And all of this in relation to the automated individual decision making and profiling of course.
In the first video, we showed just how far reaching and impactful the consequences of online automated individual decision making and profiling could be on your everyday life. Being discriminated form certain vital services like financial service or being manipulated to act in a certain way, vote for a certain politician or buy a certain product.
So, how can citizens protect themselves?
So the General Data Protection Regulation sets obligations on controllers and grants EU citizens certain rights.
The controllers, the companies which are handling your data, have to ensure:
– Data minimization
– Legal basis for processing
– Storage limitations
But we will go through all of these individually.
Transparency is pretty straight forward. It is just informing you about automated decision-making and profiling. It will probably look like something you are familiar with. Like pop-up boxes or terms of service notifications. Things like this.
Data minimization is also easy. It is just using only the data which is strictly necessary that carry out the service that you are using.
The Accuracy requirement just means that there should be no mistakes in the data gathered by these services, because otherwise it might skew the profiling and automated decision making. But of course this is really problematic because we all know that we post inaccurate things about ourselves online. Like taking a selfie in front of a very expensive sports car which we don’t own or photoshopping for instance ourselves on top of Mount Everest. So of course the aim is not to force everyone to post only truthful things about themselves online, that should be anyone’s right to post whatever they want. But it’s really hard then to make sure that accuracy, this requirement, is respected.
The requirement which is really important is that they need to have a legal basis for processing your data for carrying out automated decision making or for profiling. And since as you’ll see the reasons for having that legal basis are quite vague, it really opens the door for using your data in ways which you might not expect. So some of these reasons include:
– Having your explicit consent,
– When it’s necessary for the performance of a contract. For instance, gathering your home address to deliver a good you’re buying online,
– Necessary to comply with certain legal obligations. For instance, for fraud or money laundering,
– Necessary to protect vital interests. For instance, monitoring the spread of a viral disease,
– And the last one is for the pursuit of the legitimate interests pursued by the controller. This last one is tricky since there is no clear definition of what a “legitimate interest” is. The GDPR simply states that whatever those “legitimate interests” are, they have to be balanced with your own legitimate interests, your own fundamental rights and freedoms. So just like many other provisions of the GDPR, this will most likely be clarified by courts and settled case by case.
Then there is storage limitations which means that data should be kept only as long as it is strictly necessary. But that of course is also very hard to verify. Just think of yourself and how easy it is to keep copies of data. So I hope you got all that checklist and now we are going to move on to the next section.
Let’s now see what rights are granted to you by the GDPR.
And your rights include:
– The right to information
– The right to access
– The right to rectification and erasure
– The right to object to use of your data
– The right to restrictions on processing
The right to information or the right to be informed about any profiling and automated individual decisions made by algorithms using your data. This right simply mirrors the obligations of the data controller of transparency.
Sketch: Meme with robotic voice saying “All your data are belong to us”.
The right to access: so going beyond information, you have the right to access the data that is being used and also you have the right to know in which way the profiling and automated decisions have been made.
Sketch: A sheet of paper saying: It’s a complex form of statistically significant correlation derived from your data, run through a neural network. In plain language… Shut up, it’s magic.
The right to rectification and erasure gives you the right to correct any inaccuracies in the data or to simply erase certain data.
Sketch: you’re handed a huge pile of papers with “raw” data about you and a red pen. The guy off camera says: “here is all the data from the past 2 years about your mouse input and clicks, your geolocation, your search terms, and the websites you visited, how long you stayed, please correct anything that’s inaccurate.
The right to object: you can object to any processing of your data on personal grounds. So far there is no clear way on how to exercise that right and the controller can override that right for “compelling reasons”. And since there is no clear definition, it’s going to be up to Member States on how they are going to transpose it and how courts are going to apply it. However, there is one right to object which cannot be overridden and that is objecting to the use of your data for advertising. Normally this should be as easy as going to whatever service you are using, finding the settings, finding advertising, and then ticking a box that says “And I don’t want you to use my personal data to show me ads.” So you’ll still see ads, but they just won’t be targeted based on your data.
Then there is the right to restrict processing: Instead of erasing or correcting data which can be quite tricky and nobody really knows how to do it as you’ve seen in the previous sketch, you also have the right to force a profiling and automated decision algorithm to “ignore” certain data in the way that it is working.
Sketch: Guy takes half of the pile of paper, and says “Just ignore this data”.
Finally there are the rights that concern automated decision and profiling that can have legal implications for you and these will require an actual person, a physical person, to review the decision that are being made.
Examples given for legal effects include:
– Denial of certain social benefits, like housing benefits or child benefits;
– Refusal of admission to a country.
– A decision which affects your financial situation. Like a denial of a loan.
– A decision which affects your access to healthcare. Like denial of a health insurance.
– A decision affecting your education. Like accessing University.
– A decision linked to employment. Like a fully automated recruitment process.
At the same time, there are exceptions which allow for a fully automated decision:
– If it’s necessary for the performance of the contract;
– If it’s authorised by EU or National law;
– If it’s based on explicit consent.
In any case, the controller should obtain ways for you to get a person to manually review the automated decision making process and also ways for you to express your point of view and contest the automated decisions that are being made. It’s also unclear how this will work in practice. The point is, it is really hard to make sure that a human manual decision has been made correctly. Also customers are not always in a good position to negotiate or to take advantage of these new rights
So in summary, these rights and obligations are definitely a step up from what it was before, but there is still no clear indication on the loopholes, how they are going to be closed and a lot of questions unanswered as to how this will be implemented in practice.
In the next video, we will conclude the topic and see how automated decisions can be used in in the best interest of citizens and also how the GDPR could be improved.
See you next time.