Database Reference
In-Depth Information
concept of personal data as set forth by the Article 29 Working Party we may also
conclude that data protection law apply to many profiling practices.
The goal of profiling is to individualise and give a representation of a subject,
or to identify that subject as a member of a group or category (Hildebrandt 2008,
p. 17). For profiling to be effective it is unnecessary to know the data subjects ac-
tual identity. Furthermore, it is most often unnecessary to distinguish an individual
from other members of a group. Rather, profiling calls for categorising an individ-
ual, for instance by fitting that individual into a certain predetermined target
group. While it might be possible to identify an individual on the basis of a pro-
file, more often than not, the data controller is not interested in actually identifying
the data subject.
11
Nevertheless, as signalled by the Article 29 Working Party a
user can be singled out on the basis of a profile in combination with a unique iden-
tifier such as a cookie or an IP-address. The idea is that because a person can be
singled out and the information contained in the profile is used to make decisions
about the person, data protection law should apply. While this is understandable
from a privacy perspective, it is questionable whether data protection law is al-
ways the most effective mechanism for dealing with the risks posed by profiling.
This question is important, as there are possible drawbacks to applying the current
data protection law to profiling. Below I shall discuss several drawbacks that may
prompt us to rethink the current approach to data protection in the light of
profiling.
12
7.5.1 The 'Binary' Nature of Data Protection Law
The first drawback of current data protection law is its binary nature. The Data
protection directive only applies to the processing of personal data. While this
sounds logical, it leads to difficulties in practice. The difficulty with the binary na-
ture of data protection law is that it is oftentimes difficult to establish when data
should be considered personal data. A combination of different pieces of data may
all of a sudden become personal data when a referential piece of information is
added, or when the different pieces of data by themselves spontaneously identify
an individual. Moreover, while the profiling exercise itself may not be aimed at
identifying a data subject, the possibility of identification is always present. For
instance, pieces of information (oftentimes outside of the control of the data con-
troller) may be linked to the profile, enabling identification. The question then be-
comes: at what point are all the protection mechanisms and legal obligations of the
Data protection directive exactly to come into play. This leads to a great deal of
uncertainty for (potential) data controllers. But the binary nature of data protection
law is also problematic for data subjects, as it is unclear to whom they should turn
for redress when a profile is misused or abused.
11
While the data controller might not be interested in identifying or re-identifying the indi-
vidual other parties may wish to do so. However, given the limited space available, we
shall not address this issue in this chapter.
12
It is relevant to note that in this discussion the focus is mainly on the use of profiling for
commercial purposes.
Search WWH ::
Custom Search