On November 25, 2010, the Council of Europe’s Committee of Ministers adopted a recommendation (the “Recommendation”) on the protection of individuals with regard to the automatic processing of personal data in the context of profiling. View the press release.
The Recommendation is designed to set up safeguards for profiling activities by applying the principles established in Convention 108 to the challenges raised by profiling and by defining new principles. It defines profiling as “an automatic data processing technique that consists of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.” The term ‘profile’ refers to a set of data characterizing a group of individuals which is intended to be applied to an individual. Interestingly, Members States may decide to exclude the public sector under certain conditions.
The Recommendation is the first international legal instrument laying down principles generally applicable to all forms of personal data processing using profiling techniques. Although the Recommendation is non-binding, it encourages Members States that have endorsed Convention 108 to apply its principles.
The discussions were led by members of the Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to automatic processing of personal data (“T-PD-Bureau”), and included national Data Protection Authorities and Ministry of Justice officials. Accordingly, the Recommendation may indicate the direction the Article 29 Working Party is likely to take.
Below is a brief description of the adoption process, along with an overview of the Recommendation itself.
1. Adoption Process
This Recommendation is the result of a process that was initiated by an expert’s report on the application of Convention 108 to the process of profiling commissioned by the T-PD-Bureau. The report highlighted, among other things, that the combined use of numerous technologies (e.g., cookies, web bugs, RFIDs, video surveillance) could make it possible to monitor and trace individuals without their knowledge.
Following the report, the T-PD-Bureau decided to produce a recommendation on profiling. In that context, a draft Recommendation was prepared and subsequently discussed during several rounds of meetings held by the T-PD-Bureau. Upon the request of several stakeholders, including the International Chamber of Commerce (“ICC”), a public consultation was conducted in 2009. However, the extent to which the comments made by the stakeholders were incorporated into the Recommendation is unclear.
2. Overview of the Recommendation
The Convention 108 Member States’ governments are encouraged to: (i) apply the principles contained in the Recommendation’s Appendix to any processing of personal data used for profiling purposes (the scope of the Recommendation is applicable to both the private and public sector); (ii) take measures to ensure that the principles in the Appendix are reflected in their national legislation and practice; (iii) disseminate the contents of the Appendix to individuals, public authorities and public and private bodies, particularly those involved in the use of profiling techniques; and (iv) define and promote codes of conduct to ensure that privacy is respected.
The principles applicable to profiling activities are described in the Appendix and further explained in an Explanatory Memorandum. In summary, the Recommendation:
- encourages the use of privacy-enhancing technologies and pleads in favor of sanctioning circumventing technological measures;
- restricts the legal bases available for profiling activities and provides that when consent is used as the legal basis, it is incumbent on the data controller to prove that the individual provided informed consent regarding profiling;
- provides that access to goods and services should, as much as possible, be available without the use of profiling by default;
- imposes strict requirements on data quality (for example, the data controller should take appropriate measures to correct inaccuracies in the data and limit the risk of error inherent in profiling, as well as re-evaluate the quality of the data and of the statistical inferences used periodically);
- limits the use of sensitive data for profiling; and
- enhances the rights of individuals by increasing the amount of information to be provided by data controllers and by reinforcing the rights of access, rectification, objection and deletion.
The ICC was instrumental in obtaining increased private-sector input during the drafting stage. However, it should be noted that the ICC was quite critical of the Recommendation, which does not adequately reflect the business constraints faced by companies and lacks clarity on a number of key principles.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- U.S. State Privacy
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- Disclosure
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition
- Facial Recognition Technology
- FACTA
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Legislature
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Online Behavioral Advertising
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Paul Tiao
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- WeProtect Global Alliance
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code