The EU has always maintained strong regard in protecting the individual’s privacy about the processing of their data. This fundamental right is enshrined in many EU human rights legislation, and now, after great endeavours, this right is enforced throughout Europe and enforced by Europe rather than national legislation. As per Article 99, GDPR is “mandatory in all its elements and directly applicable in each Member State”.
The European Data Privacy Directive of 1995, received overwhelming support in 2014 by the European Parliament. This has been tweaked and fine-tuned to impose and establish a wide range of rights for individuals, including the following:
Improved Data Portability
Allowing individuals to practice the right of accessing “my data,” i.e. personal data held by organisations such as businesses and consumer groups.
In particular, this information can be used to compare on the various money-saving websites to provide clear information to assist in decision-making processes about comparing such consumables as:
- Bank accounts
- Credit cards
- Credit reports
- Utility suppliers
- Mobile phones
The regulation establishes that individuals can enjoy the right to receive the requested personal data in a structured format and with the ability to transmit this data to another data controller.
Extra Protection on Profiling and Automated Decision Making
An impartial and independent body known as “Article 29 Working Party” has been working alongside the EU Commission since 1995, providing and publishing opinions and guidance throughout the journey. Their advice and guidelines on automated decision making and profiling of individuals are strict due to the genuine need to safeguard the rights and freedoms of individuals.
What exactly constitutes Profiling and Automated Decision Making, and when would they ever be legitimately utilised?
Organisations will use the data to predict online behaviour; generally within the context of marketing purposes, for example, email marketing campaigns use profiling with the view to assist with the targeting of goods and services. The purpose is to predict an individual’s’ online behaviour and make “automated decisions” regarding this behaviour which leads onto the second issue of Automated Decision Making.
The Working Party advice on automated decision making is clear, while it recognises the benefits of these activities, it also points out that significant risks may arise for the rights and freedoms of individuals. This Law stipulates that individuals “have the right not to be the subject of a decision based solely on profiling or automated methods” when this is based on direct marketing.
It will be an interesting GDPR obligation journey in this respect to witness the reactions of big data-driven organisations and popular social networking organisations when it becomes the norm for individuals objecting at every turn to the processing of their data, including the creation of profiles to the extent that it is related to unwanted marketing.