Automated decision making and profiling under the GDPR


Decision-making and profiling are processes closely linked to artificial intelligence systems, since such systems are frequently the means by which they are carried out. The use of these systems for decision-making and profiling, when personal data is processed, often raises doubts as to how data protection regulations apply. In this article we recall the principles, obligations and specificities that apply to these processing operations.

Distinction between AI system and processing of personal data

First of all, it should be noted that an artificial intelligence system (‘AI System’) is not ‘in itself’ a processing of personal data, as the Spanish Data Protection Agency (‘AEPD’)1 states: ‘an Artificial Intelligence (AI) system in itself is only a means for the processing of personal data and not an ultimate purpose’.

Moreover, an AI system does not always imply automated decision-making either, as the results obtained through the use of such AI systems can be monitored by a person, who is the final decision-maker. Consequently, automated decisions are not inherent to the nature of an AI System. For example, an AI System may aim to sort or categorise personal data or to generate statistical reports. Both of these objectives would only support human decision making and would be a processing operation within a broader activity, such as personnel selection or improvement of the entity’s services.

Automated decisions and their relation to profiling

The Art. 29 Working Party (pre-dating the current European Data Protection Board) (‘WG29’) established2 that an automated decision involves the ability to make decisions with the use of technological means, and these can be carried out with or without profiling.

For profiling to take place, three elements must be present, in accordance with the GDPR definition: (i) the processing must be carried out, at least in part, by automated means; (ii) it must involve the processing of personal data; and (iii) its purpose must be to evaluate personal aspects about a natural person, in order to predict or deduce his or her behaviour, situation, performance, or other characteristics.

Taking into account the above, we can find data processing using AI systems involving automated decision-making without profiling, automated decision-making involving profiling, profiling without automated decision-making and, finally, decision-making based solely on automated processing, including profiling, which produces legal effects on the data subject or significantly affects him or her in a similar way.

As we can see, profiling or automated decision-making is an option within the use of AI Systems, which can occur jointly or separately. Moreover, neither of them constitutes a processing purpose in itself, but are carried out in connection with a specific broader purpose. For example, profiling and, where appropriate, decision making, will serve for the sending of personalised advertising, for the display of personalised results on the website, for credit assessment in the context of a loan application or for the granting of aid.

Specific cases of automated decision-making and profiling

The following are some cases of automated decision-making and/or profiling that have particular characteristics or specific regulation and are worth dealing with separately.

a) Profiling for commercial purposes

Profiling for commercial purposes is a practice commonly undertaken by companies to optimise their marketing and advertising efforts, ensuring that their campaigns are more effective and generate higher conversion rates.

In relation to this, the bases of legitimation that would allow it to be carried out would basically be consent or legitimate interest, the latter case being recognised by the GDPR itself in its Recital 47: ‘the processing of personal data for direct marketing purposes may be considered to be carried out for legitimate interest.’

However, it should be borne in mind that, depending on the medium used to carry out the advertising, the use of legitimate interest may not be possible. This would be the case, for example:

  • When the advertising is subject to the regime of the Information Society Services Law (‘LSSI’) and consent is required, which occurs, firstly, when sending communications by electronic means to persons who have no prior contractual relationship with the company and, secondly, in the case of behavioural advertising based on tracking techniques such as cookies.
  • When special category data covered by Art. 9.1 GDPR is used in the profiling, in which case explicit consent is likely to be required in accordance with Art. 9.2 GDPR, as none of the other exceptions will apply.
  • Where the profiling represents a significant intrusion into the privacy of the individual, or is complex, as in such a case the interests and rights of the data subject are deemed to override the interest of the controller.

In the case where legitimate interest applies, Article 21 GDPR provides for the obligation to offer the data subject a right to object at any time, ‘including profiling in so far as it is related to such marketing’.

b) The specific protection regime of Article 22 GDPR

The GDPR establishes an enhanced protection regime in Art. 22 GDPR for a specific type of automated decision that entails a risk for individuals, as it may result in discrimination, adverse legal effects or other significant impacts on the individuals concerned. However, not all automated decisions, including profiling, fall directly within the scope of this article; they must meet the following characteristics:

  • That the decision is ‘based solely on automated processing’, meaning that the result has been generated exclusively through the algorithms of the AI System, without having been reviewed or modified by a person prior to its implementation.
  • That the decision ‘produces legal effects on him or her or significantly affects him or her in a similar way’.

Only when these two conditions are cumulatively met will Article 22 GDPR apply and, therefore, such processing may not generally be carried out, unless one of the exceptions provided therein applies (necessary for the conclusion or performance of a contract, authorised by law or based on the data subject’s explicit consent) and, if it can be carried out, the safeguards established to protect the rights and freedoms of data subjects (human intervention, the right to express their point of view and to challenge the decision, as well as a reinforced duty to inform) must be observed.

In relation to the first requirement (based solely on automated processing), this must be assessed on a case-by-case basis, but, in any event, human intervention cannot be merely incidental in order to rule out the application of Art. 22 GDPR, for example, by limiting it to a superficial review or the direct acceptance of the decision taken by the AI. The latter scenario is the one analysed in the judgment of the Court of Justice of the European Union of 7 December 2023, in case C-634/21, ‘SCHUFA’, which established that a decision will also be considered automated when a probability value automatically generated by an AI system is transmitted by the controller to another controller, and the latter uses this value in a decisive manner to take a decision on the data subject (the decision having a significant impact within the meaning of Art. 22 GDPR).

Transparency and compliance with GDPR obligations

As stated by WG29 in its guidelines3, it is important to stress that: ‘Where a processing operation involves decision-making based on profiling (whether or not they fall within the scope of the provisions of Article 22 GDPR), the data subject should be informed about the fact that the processing is for the purposes of both (a) profiling and (b) taking a decision on the basis of the generated profile.’ It will therefore be important that the wording of the information clauses or privacy policies is clear and understandable to the data subject in relation to the profiling and the decision-making made on the basis of the profile.

In relation to compliance with the other obligations, it will be necessary to verify which requirements and obligations must be fulfilled (e.g. assess the need to carry out an impact assessment). In this regard, the Spanish Data Protection Agency has published many resources on artificial intelligence to help companies, such as the ‘Guide to the Adaptation to the GDPR of processing operations that incorporate Artificial Intelligence’ dated February 2020.

___________________________________________________

1 Publication dated 10 April 2023.

2 Guidelines on automated individual decision-making and profiling dated February 2018.

3 Guidelines on automated individual decision-making and profiling dated February 2018.

Article written by

Elena Sánchez

Privacy, intellectual property and technology procurement lawyer

elena.sanchez@metricson.com
