Lawyer Vincenzo Colarocco
The Art. 29 Group recently adopted (on 6 February 2018) the new version of the “guidelines on the processing of personal data carried out by automated decision-makers”, which cover profiling, adapting them to the new EU rules on privacy. Profiling, as introduced by the guidelines, is a process applied in numerous sectors: banking, finance, healthcare, taxation, insurance, marketing and advertising are just some of the areas in which profiling is most frequently used to support decision-making processes.
Thanks to technological advances, these processes, which apply artificial intelligence and big data analytics capabilities, simplify the creation of individuals’ profiles and significantly affect people’s rights and freedoms. In this regard, the guidelines, in addition to clarifying the GDPR’s definitions of automated decision-making and profiling, also contain general and more specific provisions, recommendations and good practices on the profiling of minors.
Let’s consider a minor who creates a personal account to sign up to a social network. The form will collect his personal data (name, surname, address, telephone number), and the social network will use the online behaviour of this young user to offer him a personalized news feed or advertising images. At the same time, the minor could visit a site to see the results of his favourite football team, and the advertising cookies will record information on his browsing and deduce his interests from it.
If, on the one hand, the legislation requires that minors’ data not be collected and processed for profiling, on the other hand, how can the data controller prove whether consent was given by a minor or by an adult? Most users do not clearly understand these concepts, or even imagine the existence of an automated procedure that allows the browser, once the site has been visited and consent given, to save the browsing data and reuse it later. It follows that demonstrating that consent was obtained from an adult rather than a minor becomes really complex for the Data Controller.
The latter must provide clear, complete and exhaustive information, so that the data subject gives consent that enables the pursuit of profiling purposes. Finally, all web pages attributable to the data controller should link to the dedicated area in which the user can exercise his rights with respect to the data, for example by revoking the consent given.