[IUCC-GDPR] Art29 final on profiling and automated decision making
Hank Nussbacher
Hank at mail.iucc.ac.il
Tue Feb 20 20:49:49 IST 2018
Forwarding from JISC (UK NREN). Especially note the exclusion of "automated network defence and learning analytics now fall safely below the Art.22 threshold":
------------------------------
They've just published their final version of this guidance, at
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053
They do seem to have read our consultation response (or, at least, others
with the same messages):
a) although they still believe there's a "general prohibition" on automated
decision-making with legal or similar effect, they do now try to justify
that claim based on the wording of the Regulation (p19).
Much more importantly
b) they are *much* clearer on "legal or similar effect" - "only serious
impactful effects will be covered by Article 22" (p21). So they're now
looking for things at the level of cancellation of a contract, entitlement
or denial of a social benefit, refusal of entry to a country.
Then they have a wriggle to try to explain why targeted advertising could be
of that seriousness (p22)!
But it seems that, of the problem areas we highlighted in our response,
automated network defence and learning analytics now fall safely below the
Art.22 threshold. Fraud detection is given as an example of something that
may be permitted as a legal obligation (which seems a bit narrow to me).
Then, weirdly, they say on p22 that "decisions that deny someone an
employment opportunity" may not be fully automated; but on p23 use
short-listing of a large pool of job applicants as an example that is
allowed (because "not practically possible" to do it manually)!
So although it's a lot clearer than the original, still lots of
inconsistencies and loopholes for those who don't care about data protection
to exploit. But at least our constituents who *do* care about data
protection should find comfort here for most of the things they
legitimately need to do.
If others spot anything else interesting in the document, please let me
know. I may do a blog post on the network defence stuff, when I've a spare
hour.
Cheers
Andrew
--
Andrew Cormack
Chief Regulatory Adviser
T 01235 822302
Skype ancormack
Twitter @JanetLegReg
Blog https://community.jisc.ac.uk/blogs/regulatory-developments
Orcid.org/0000-0002-8448-2881
Lumen House, Library Avenue, Harwell Oxford, Didcot OX11 0SG
Jisc.ac.uk