Privacy & Information Security Law Blog

On November 25, 2010, the Council of Europe’s Committee of Ministers adopted a recommendation (the “Recommendation”) on the protection of individuals with regard to the automatic processing of personal data in the context of profiling.  View the press release.

The Recommendation is designed to set up safeguards for profiling activities by applying the principles established in Convention 108 to the challenges raised by profiling and by defining new principles.  It defines profiling as “an automatic data processing technique that consists of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”  The term ‘profile’ refers to a set of data characterizing a group of individuals which is intended to be applied to an individual.  Interestingly, Members States may decide to exclude the public sector under certain conditions.

The Recommendation is the first international legal instrument laying down principles generally applicable to all forms of personal data processing using profiling techniques.  Although the Recommendation is non-binding, it encourages Members States that have endorsed Convention 108 to apply its principles.

The discussions were led by members of the Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to automatic processing of personal data (“T-PD-Bureau”), and included national Data Protection Authorities and Ministry of Justice officials.  Accordingly, the Recommendation may indicate the direction the Article 29 Working Party is likely to take.

Below is a brief description of the adoption process, along with an overview of the Recommendation itself.

1.  Adoption Process

This Recommendation is the result of a process that was initiated by an expert’s report on the application of Convention 108 to the process of profiling commissioned by the T-PD-Bureau.  The report highlighted, among other things, that the combined use of numerous technologies (e.g., cookies, web bugs, RFIDs, video surveillance) could make it possible to monitor and trace individuals without their knowledge.

Following the report, the T-PD-Bureau decided to produce a recommendation on profiling.  In that context, a draft Recommendation was prepared and subsequently discussed during several rounds of meetings held by the T-PD-Bureau.  Upon the request of several stakeholders, including the International Chamber of Commerce (“ICC”), a public consultation was conducted in 2009.  However, the extent to which the comments made by the stakeholders were incorporated into the Recommendation is unclear.

2.  Overview of the Recommendation

The Convention 108 Member States’ governments are encouraged to: (i) apply the principles contained in the Recommendation’s Appendix to any processing of personal data used for profiling purposes (the scope of the Recommendation is applicable to both the private and public sector); (ii) take measures to ensure that the principles in the Appendix are reflected in their national legislation and practice; (iii) disseminate the contents of the Appendix to individuals, public authorities and public and private bodies, particularly those involved in the use of profiling techniques; and (iv) define and promote codes of conduct to ensure that privacy is respected.

The principles applicable to profiling activities are described in the Appendix and further explained in an Explanatory Memorandum.  In summary, the Recommendation:

• encourages the use of privacy-enhancing technologies and pleads in favor of sanctioning circumventing technological measures;
• restricts the legal bases available for profiling activities and provides that when consent is used as the legal basis, it is incumbent on the data controller to prove that the individual provided informed consent regarding profiling;
• provides that access to goods and services should, as much as possible, be available without the use of profiling by default;
• imposes strict requirements on data quality (for example, the data controller should take appropriate measures to correct inaccuracies in the data and limit the risk of error inherent in profiling, as well as re-evaluate the quality of the data and of the statistical inferences used periodically);
• limits the use of sensitive data for profiling; and
• enhances the rights of individuals by increasing the amount of information to be provided by data controllers and by reinforcing the rights of access, rectification, objection and deletion.

The ICC was instrumental in obtaining increased private-sector input during the drafting stage.  However, it should be noted that the ICC was quite critical of the Recommendation, which does not adequately reflect the business constraints faced by companies and lacks clarity on a number of key principles.